Abstract
This paper provides detailed assessment of observance on the Basel Core Principles for Effective Banking Supervision. The current assessment took place during a period of continuing development and transition. It is based on the assessors’ understanding of the current state of the supervisory approach, but also incorporates, where relevant, the available information about changes expected in the near future. Stress testing has become a critical supervisory tool that encourages firms and supervisors to adopt a more forward-looking view on the strength of their balance sheets and resilience to shocks. The emphasis on stress testing has encouraged firms to strengthen their internal analytical and risk-management capabilities.
Introduction4
26. This assessment of the current state of the implementation of the BCP in the U.K. was conducted during November 3–19, 2015. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which are addressed in the broader FSAP exercise.
27. An assessment of the effectiveness of banking supervision involves a review of the legal framework as well as a detailed examination of the policies and practices of the institutions responsible for banking regulation and supervision.
A. Information and Methodology Used for the Assessment
28. The U.K. authorities agreed to be assessed according to the revised BCPs issued by the Basel Committee for Banking Supervision (BCBS) in September 2012. The assessment was thus performed using a different methodological basis as compared with the previous BCP assessment carried out in 2011. It is important to note, for completeness’ sake, that the two assessments will not be directly comparable: the revised BCPs have a heightened focus on corporate governance and risk management, their practice by supervised entities, and their assessment by the supervisory authority. The revised BCPs raise expectations in measuring the effectiveness of a supervisory framework (see box for more information on the revised BCPs).
29. The U.K. authorities chose to be assessed and rated against both the Essential Criteria (EC) and the Additional Criteria (AC) articulated in the BCP document. To assess compliance, the BCP methodology uses a set of essential and sometimes additional assessment criteria for each principle. The EC are usually the only elements on which to gauge full compliance with a Core Principle (CP). The ACs are recommended best practices against which the U.K. authorities have agreed to be assessed and rated. This option was not available to countries assessed prior to 2012 publication of the revised BCPs. The assessment of compliance with each CP is made on a qualitative basis to allow a judgment on whether the criteria are fulfilled in practice. Effective application of relevant laws and regulations is essential to provide indication that the criteria are met. A four-part grading system is used: compliant; largely compliant; materially noncompliant; and noncompliant. This grading system is explained below.
30. The assessment team reviewed the framework of laws, rules, and guidance and held extensive meetings with U.K. officials. The team conducted additional meetings with banking-sector participants and other stakeholders (auditors, associations, and other market observers). The authorities provided a comprehensive self-assessment of the BCPs, as well as detailed responses to additional questionnaires. In addition, the authorities facilitated access to a variety of supervisory documents and files, staff and systems.
31. The team appreciated the high level of cooperation, candor, and transparency that the authorities demonstrated throughout the review. The team extends its thanks to staff of the authorities, all of whom provided excellent cooperation and undertook considerable efforts to make available extensive documentation as well as access to staff with expertise on U.K. supervisory policies, procedures, and practices. Assessors appreciated, as well, the opportunity to meet with additional official staff with expertise related to the implementation of global regulatory changes under Basel III, its implementation in the EU through the Capital Requirements Directive (CRD) and Capital Requirements Regulation (CRR), and further national regulatory changes. Finally, the assessment team wishes to express its appreciation to the numerous market participants and observers who shared voluntarily their personal insight into the evolution of U.K. supervisory practices.
32. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science; in addition, the BCBS considers the BCPs to be minimum rather than absolute standards. To reach its conclusions regarding the compliance of the U.K. approach to banking supervision against the BCPs, the assessment team did exercise judgment. Nevertheless, the team sought to adhere to a common, agreed methodology that is consistent with assessments done of other countries subsequent to the 2012 release of the revised BCPs. Consequently, the assessment is intended to provide U.K. authorities with an internationally consistent measure of their compliance with the BCPs.
33. To determine the observation of each principle, the assessment has made use of five categories: compliant; largely compliant, materially noncompliant, noncompliant, and nonapplicable. An assessment of “compliant” is given when all EC and ACs are met without any significant deficiencies, including instances where the principle has been achieved by other means. A “largely compliant” assessment is given when there are only minor shortcomings that do not raise serious concerns about the authority’s ability to achieve the objective of the principle; moreover, there is clear intent to achieve full compliance with the principle within a prescribed period of time (for instance, the regulatory framework is agreed but has not yet been fully implemented). A principle is considered to be “materially noncompliant” in case of severe shortcomings, despite the existence of formal rules and procedures; furthermore, evidence suggests that supervision has clearly not been effective, that the practical implementation is weak, or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. A principle is assessed “noncompliant” if it is not substantially implemented, several ECs are not complied with, or supervision is manifestly ineffective. Finally, a category of “nonapplicable” is reserved for those cases that the criteria would not relate the country’s circumstances.
The 2012 Revised Basel Core Principles
The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learnt from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and Financial Stability Board (FSB) and take into account the importance now attached to the following considerations: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing and taking preemptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) efforts to foster robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure and transparency.
The revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. Supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also in terms of the risks they pose to the banking and the financial systems. In addition, supervisors are required to consider how the macroeconomic environment, business trends, and the build-up and concentration of risk inside and outside the banking sector may affect the risks to which individual banks are exposed. While the BCPs set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention.
The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which remained largely the same as what was contained in the prior version of the BCPs), and the introduction of 35 new essential criteria. For countries that choose to be assessed against the “additional criteria,” 16 additional criteria articulate “best practices” to comply with selected CPs.
While raising expectations for banking supervision, the BCP were drafted with the recognition that they must be applicable to a wide range of jurisdictions. The new methodology reinforces the concept of “proportionality,” both in terms of adjusting the expectations on supervisors and in terms of adjusting the standards that supervisors impose on banks depending on the circumstances. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems.
B. Institutional and Market Structure—Overview5
34. The Financial Services Act 2012 established a new framework for financial regulation in the United Kingdom. Responsibility for financial stability was given to the newly established FPC of the BoE: the BoE Act 1998, as amended by the Financial Services Act 2012, gives the FPC responsibility to identify, assess, monitor, and take action in relation to financial stability risk across the whole financial system. This includes addressing risks arising in the nonbank financial system (including institutions and markets). In support of this objective, the Act gives the FPC the power to make recommendations to Her Majesty’s Treasury (HMT) on regulated activities, as well as more general powers in respect of information gathering. Responsibility for the overall regulatory framework and the protection of the public finances rests with HMT and the Chancellor of the Exchequer.
35. Two new regulatory agencies have been established, replacing the FSA. The Financial Services Act 2012 transferred prudential regulation of deposit-takers,6 insurers and the largest investment firms to a new microprudential supervisor, the PRA, a subsidiary of the BoE. Responsibility for regulating conduct of business was given to the FCA, with the mandate and tools to protect consumers and market participants, including through the promotion of competition. The PRA and FCA started to operate in April 2013.
36. The BoE is the resolution authority responsible for preparing and responding to the failure of banks, building societies, certain investment firms and central counterparties in accordance with the U.K.’s special resolution regime. The BoE is also responsible for the regulation of systemically important firms supporting the clearing, payment and settlement infrastructure in the United Kingdom.
37. Most U.K. financial institutions are regulated in some form, although not all activities undertaken by these institutions are subject to regulation. Finance companies are subject to different regulation depending on whether they are owned by banks (PRA and FCA regulated), or nonbanks but provide residential mortgages or consumer credit (FCA regulated) or undertake business lending (for amounts exceeding GBP 25,000) or provide certain types of buy to let mortgages (unregulated). Securitization special purpose vehicles (SPVs) may be regulated depending on whether they are part of a banking group.
38. The FPC has a statutory power to make recommendations to HMT in relation to the boundaries between and within regulated and non-regulated sectors of the U.K. financial system (the ‘regulatory perimeter’). The FPC has committed to hold a discussion on the issue of the regulatory perimeter at least annually. In July 2015, the FPC considered channels through which stress in key parts of the nonbank financial system (including institutions and markets) could impact U.K. financial stability. Based on its current assessment, the FPC said that it did not see a case for recommending changes to the regulatory framework but would return to the issue on an annual basis, or sooner, if risks were identified.
39. The financial services Banking Reform Act (BRA) 2013 implemented the final ring-fencing recommendations of the independent commission on banking (ICB). The ICB recommended that retail banking should be separated from wholesale or investment banking, and that this should be achieved by ring-fencing, or separating, retail banking within a banking group in order to isolate banking activities where continuous provision of service is vital to the economy and to the customers of a bank. The BRA also implemented the recommendations made by the PCBS, appointed by parliament to consider how culture and standards in the banking sector could be improved. In particular the BRA put in place the legal framework for the “Senior Managers and Certification Regime” which strengthens the regulation of individuals who work in the U.K. banking sector. Finally, the BRA makes available to the BoE a stabilization option (the “bail-in option”) under part 1 of the BRA 2009.
40. Parliament passed a new BoE and Financial Service Act (though most of its provisions have not come into force yet). The Act sets out reforms to ensure that the BoE remains at the forefront of international best practice for transparency, accountability, and governance. The Act undertakes the following:
Maximize the synergies of having monetary policy, macroprudential policy and microprudential policy under the aegis of one institution by bringing the PRA within the BoE, ending its status as a subsidiary, and creating a new committee of the BoE to be known as the PRC. It will retain its independence in making rules, policies and supervisory decisions. The statutory objectives of the PRA, which underpin its forward-looking, judgment-based approach to supervision, will remain unchanged;
Reinforce the accountability of the PRC and the chief executive officer (CEO) for the BoE’s prudential regulation functions, and provide updated reporting requirements which will ensure supervision continues to operate with appropriate independence and resources;
Update resolution planning and crisis management arrangements between the Treasury and the BoE to reflect recent improvements to resolution planning for systemic financial institutions, and crisis management for institutions in distress. This includes a strengthened requirement for the BoE to provide the Treasury with information on risks to public funds, so that the system can better protect taxpayers and the wider economy from bank failures;
Improve the governance of the BoE by making its court of directors (‘the court’) a smaller, more focused unitary Board;
Place the new deputy governor for banking and markets in legislation, adding the position to the court of directors and the FPC;
Adjust the statutory basis of the FPC from a subcommittee of the court to a statutory committee of the BoE, in line with the MPC and the new PRC;
Bring the BoE within the purview of the National Audit Office (NAO), improving transparency and accountability for its use of resources;
Further strengthen coordination arrangements between the Treasury and the BoE in protecting taxpayers and the wider economy from bank failures; and
Extend the Senior Managers and Certification Regime to all financial services firms, and implement a fairer system by introducing a ‘duty of responsibility’ (superseding the previously proposed ‘reverse burden of proof’).
41. As a member of the EU, the United Kingdom adheres to the European ‘single Rulebook,’ whose backbone is represented by the 2013 CRD and Regulation (the ‘CRD IV package’). The CRD IV package was part of the response to the recent financial crisis and implements the Basel III capital and liquidity standards, as well as rules on corporate governance. The Regulation and Directive came into force from January 1, 2014, but gave member states (MS) time to transition to the final rules.
42. The CRD IV package is a ‘going concern’ framework. It aims to ensure that in normal times, banks are adequately capitalized to absorb losses, to pay their obligations in a stress and have adequate governance, systems and controls.
43. The 2014 Banking Recovery and Resolution Directive (BRRD) applies to non-viable banks. It introduced a harmonized set of resolution tools to ensure that when EU banks fail, that failure can be managed in a way which protects critical functions, limits contagion to other financial institutions and the wider economy, and avoids the need for taxpayer bail-out.
44. The 2014 Deposit Guarantee Scheme Directive (DGSD) is intended to harmonize deposit protection across the European Economic Area (EEA), and to ensure that robust, well-functioning schemes are in place. This will promote depositor confidence and support financial stability. It harmonizes deposit protection at EUR 100,000 per depositor per bank and also mandates protection for temporary high balances (e.g., during the sale or purchase of a house, or following a large insurance payment into a bank account). It requires MSs to ensure that ex ante funding equivalent to 0.8 percent of covered deposits is available. As it is intended to improve deposit protection and financial stability, and since a deposit guarantee scheme can be used in resolution, there is substantial interaction with the BRRD.
45. Total assets in the U.K. banking sector were almost 400 percent of nominal GDP in 2014, excluding derivative exposures and foreign assets and liabilities of foreign branches. There are over 900 banks, building societies and credit unions supervised by the PRA.7 Within the total of 900 there are 150 deposit-taking foreign branches and 98 deposit-taking foreign subsidiaries in the United Kingdom from 56 different countries. Foreign banks constitute around half of U.K. banking sector assets on a residency basis, with the combined assets of the largest ten foreign subsidiaries in the United Kingdom (including their non deposit-taking entities) totaling around GBP 2.75 trillion. Foreign branches account for around 30 percent of total U.K.-resident banking assets and around a third of U.K. interbank lending. Nearly a fifth of global banking activity is booked in the United Kingdom, and U.K.-resident banks’ foreign assets and liabilities account for over 350 percent of U.K. GDP.
46. Financial services is the United Kingdom’s most successful export industry, contributing a trade surplus of over GBP 59 billion in 2013 according to the Office for National Statistics (ONS). The United Kingdom is the most international banking centre in the world; foreign branches account for around 30 percent of total U.K.-resident banking assets.
47. The financial services industry employs over a million people across the length and breadth of the country. A million more are employed in complementary professional services. Two thirds of those two million jobs are outside London.
48. The U.K. financial sector has been hit, in the past years, by episodes of wrongdoing at major firms that gave rise to investigations, also under criminal laws, and that have seen several systemic banks subject to important fines.
49. Major U.K. banks have continued to improve capital and funding positions. They reported an average CET1 position above 12 percent and an aggregate leverage ratio over 4.7 percent at end–September 2015. In November 2012, the FPC recommended that the FSA “takes action to ensure that the capital of U.K. banks and building societies reflects a proper valuation of their assets, a realistic assessment of future conduct costs and prudent calculation of risk weights.” The FPC also recommended that “where such action reveals that capital buffers need to be strengthened to absorb losses and sustain credit availability in the event of stress, the FSA should ensure that firms either raise capital or take steps to restructure their business and balance sheets in ways that do not hinder lending to the real economy.” In March 2013, the FPC judged that the immediate objective should be to achieve a CET1 ratio, based on Basel III definitions and after the required adjustments, of at least 7 percent of risk-weighted assets (RWA) by end 2013. The improved capital position of banks also reflects, in part, the actions taken in response to the 2014 stress test of the major U.K. banks that captured some of the main risks judged by the FPC to be facing the system.
50. Stress tests are used primarily to assess the amount of capital that a bank might require in the event of an adverse shock. A critical precondition to make that assessment is that banks’ reported capital positions are stated accurately. AQRs help ensure this, both in terms of capital resources and capital requirements.
51. As a result of the interventions during the 2008–9 financial crisis, the government also has holdings in the Royal Bank of Scotland (RBS) and the Lloyds Banking Group. Disposals have begun, and at the end of August 2015 government holdings stood at just under 13 percent ownership in Lloyds, and 73 percent in RBS.
C. Preconditions for Effective Banking Supervision
Macroeconomic policies
52. The Government’s economic policy objective is to achieve strong, sustainable and balanced growth that is more evenly shared across the country and between industries. This objective recognizes that over a number of years preceding the financial crisis, economic growth in the U.K. was driven by unsustainable levels of private sector debt and rising public sector debt. This pattern of unbalanced growth and excessive debt helped to create exceptional economic challenges in the United Kingdom.
53. The BoE’s monetary policy objective is to deliver price stability—low inflation—and, subject to that, to support the government’s economic objectives including those for growth and employment. The BoE’s operations in the sterling money markets have two objectives, stemming from its monetary policy and financial stability responsibilities: to implement the MPC’s decisions in order to meet the inflation target (set by the government at 2 percent); and to reduce the cost of disruption to the liquidity and payment services supplied by banks to the U.K. economy.
The Government’s economic strategy consists of four key pillars:
a) monetary activism and credit easing, stimulating demand, maintaining price stability and supporting the flow of credit in the economy;
b) deficit reduction, returning the public finances to a sustainable position and ensuring that sound public finances and fiscal credibility underpin low long-term interest rates;
c) completing the reform of the financial system and improving the regulatory framework to reduce risks to the taxpayer and build the resilience of the system; and
d) a comprehensive package of structural reforms, rebalancing and strengthening the economy for the future, including a package of measures to support businesses to invest and export.
54. The Government’s comprehensive economic strategy is designed to protect the economy, to maintain market confidence in the United Kingdom and to lay the foundations for a stronger, more balanced economy in the future. Continuing to strengthen the financial system, so that it can support the wider economy, is a key element of this strategy.
Financial stability and macroprudential surveillance
55. The FPC was officially established on April 1, 2013.8 The committee is charged with a primary objective of identifying, monitoring and taking action to remove or reduce systemic risks with a view to protecting and enhancing the resilience of the U.K. financial system. The FPC has a secondary objective to support the economic policy of the government. The committee publishes a record of its formal policy meetings, and is responsible for the BoE’s bi-annual Financial Stability Report (FSR).
56. The FPC is a statutory subcommittee of the BoE’s Court. Its members are the governor; three of the deputy governors who are responsible for financial stability, prudential regulation, and monetary policy, respectively; the chief executive of the FCA; the BoE’s executive director for Financial Stability Strategy and Risk (FSSR); four external members appointed by the Chancellor; and a nonvoting member from HMT.
57. The FPC has responsibility for setting the countercyclical capital buffer (CCB) and powers of direction over sectoral capital requirements (SCRs), loan-to-value and debt-to-income limits in respect of owner-occupied lending, and in relation to leverage ratio tools. There is a statutory requirement for the FPC to prepare and maintain a general statement of policy for the powers of Direction it is given under legislation. These describe the tools, the likely impact of using them on financial stability and growth, and the circumstances in which the FPC might expect to use each tool. They also describe the core indicators the FPC will routinely review to help inform its judgments.
Public infrastructure
58. The United Kingdom has reputation for a robust and stable legal system, skilled workforce and fairly well-developed public infrastructure. It ranks high in the World Bank ‘Ease of Doing Business’ classification (6th at international level both in 2015 and 2016), with medium-high score for the strength of its insolvency framework, maximum score for depth of credit information and very high ranking (4th) for the protection of minority investors. Its payment, clearing and settlement systems are well regulated. Basic economic, financial and social statistics are publicly available.
Financial safety nets and crisis management
59. The Financial Services Compensation Scheme (FSCS) is the U.K.’s compensation fund of last resort for customers of authorized financial services firms. It covers business conducted by firms authorized by the PRA and FCA. European firms (authorized by their home state regulator) that operate in the United Kingdom may also be covered. It protects:
Deposits;
Insurance policies;
Insurance broking (for business on or after January 14, 2005), including connected travel insurance where the policy is sold alongside a holiday or other related travel (e.g., by travel firms and holiday providers) (for business on or after January 1, 2009);
Investment business; and
Home finance (for business on or after October 31, 2004).
60. The FSCS is independent of the government and the financial industry, and was set up under the Financial Services and Markets Act (FSMA) 2000, becoming operational on December 1, 2001 (although it still covers claims from before this date). It may pay compensation if a firm is unable, or likely to be unable, to pay claims against it. This is usually because it has stopped trading or has been declared in default. The FSCS does not charge individual consumers for using the service.
61. The key principle of financial crisis management is to make clear who is in charge of what, and when. The BoE and HMT have clear and separate responsibilities. The BoE has primary operational responsibility for financial crisis management. The Chancellor and HMT have sole responsibility for any decision involving public funds. When the BoE has formally notified the Treasury of a material risk to public funds, and either there is a serious threat to financial stability, or public funds are already committed by the Treasury to resolve or reduce such a serious threat and it would be in the public interest to do so, the Chancellor may use powers to direct the BoE.
62. The Financial Crisis Management Memorandum of Understanding (MoU) sets out who is in charge of what and when between HMT and the BoE (including the PRA) in a financial crisis. It has a particular focus on monitoring and managing potential risks to public funds.
63. A core aspect of the PRA’s approach is that it aims at ensuring preparedness for recovery or resolution of a failing firm. The PRA has the authority to set rules and supervisory requirements for financial holding companies (FHCs), mixed financial holding companies (MFHCs), mixed activity FHCs, banks, building societies, and PRA-designated investment firms.
The PRA’s rules require supervised entities to undertake the following:
To be better prepared for future financial stress through credible and robust recovery planning (identification of options to recover financial strength in stress situations);
To provide information (‘resolution packs’) to help the BoE in its role as the resolution authority; and
To ensure the feasibility of bailing-in creditors, in the case of cross-border firms, by adopting contractual recognition of bail-in.
Market discipline
64. In terms of market discipline, an extensive set of institutional investors are active in the United Kingdom, as are major rating agencies and analysts. Well-developed mechanisms support market discipline, including a system of regular disclosure by public companies. Required disclosures for banks have been materially enhanced through the additional annual disclosures based on Pillar 3 of the Basel III global regulatory framework.
65. Some banks make quarterly financial disclosures and some half-yearly. Regular financial statement disclosures related to market risk, liquidity risk and credit concentrations. The FPC of the BoE prepares and publishes a FSR twice per calendar year. The FSR sets out the FPC’s view of the outlook for U.K. financial stability, including its assessment of the resilience of the U.K. financial system and the current main risks to financial stability, and the action it is taking to remove or reduce those risks.
66. Since the financial crisis the United Kingdom has fundamentally reformed its financial sector and has pushed for international reforms to help end too-big-to fail and ensure effective market discipline. As outlined below, the United Kingdom has well established and mature markets which have effective mechanisms for ensuring market discipline.
67. The FRC sets governance guidelines for listed companies with premium listing through the U.K. Corporate Governance Code. High quality corporate governance helps to underpin long-term company performance. The U.K. Corporate Governance Code has been instrumental in spreading best Boardroom practice throughout the listed sector since it was first issued in 1992. It operates on the principle of ‘comply or explain.’ It sets out good practice covering issues such as Board composition and effectiveness, the role of Board committees, risk management, remuneration and relations with shareholders.9
68. In November 2012, the government published its response to the 17 specific recommendations of an independent review of U.K. equity markets.10 In particular, the report reviewed the mechanisms of control and accountability provided by the markets and the behavior of the agents in that process that affect the performance of U.K. businesses. It aimed to ensure that U.K. equity markets continue to benefit both companies and investors.
69. The Panel on Takeovers and Mergers (the “Panel”) is an independent body, established in 1968, whose main functions are to issue and administer the City Code on Takeovers and Mergers (the “Code”) and to supervise and regulate takeovers and other matters to which the Code applies in accordance with the rules set out in the Code. It has been designated as the supervisory authority to carry out certain regulatory functions in relation to takeovers pursuant to the Directive on Takeover Bids (2004/25/EC) (the “Directive”). Its statutory functions are set out in and under Chapter 1 of Part 28 of the Companies Act 2006. The Panel regulates takeover bids and other merger transactions (however effected) for companies which have their registered offices in the United Kingdom, the Channel Islands or the Isle of Man if any of their securities are admitted to trading on a regulated market or multilateral trading facility in the United Kingdom or on any stock exchange in the Channel Islands or the Isle of Man. Its remit also extends to other public companies and certain private companies which are resident in the United Kingdom, the Channel Islands or the Isle of Man. In certain circumstances the panel also shares responsibility for the regulation of an offer with the takeover regulator in another MS of the an EEA (a “MS”) (for example, where the offered company is registered in the United Kingdom and has its securities admitted to trading on a regulated market in another MS but not on a regulated market in the United Kingdom).
70. The Code is designed to ensure that shareholders are treated fairly and are not denied an opportunity to decide on the merits of a takeover and that shareholders of the same class are afforded equivalent treatment by an offeror. The Code also provides an orderly framework within which takeovers are conducted. In addition, it is designed to promote, in conjunction with other regulatory regimes, the integrity of the financial markets. The Code is not concerned with the financial or commercial advantages or disadvantages of a takeover. These are matters for the company and its shareholders.
71. The U.K. Financial Investments (UKFI) was created in November 2008 as part of the U.K.’s response to the financial crisis. It is a Companies Act Company, with HMT as its sole shareholder, and operates at arm’s-length from government. UKFI is responsible for managing the Government’s shareholdings in the RBS Group plc and the Lloyds Banking Group plc.
72. UKFI’s overarching objective is to manage these shareholdings commercially to create and protect value for the taxpayer as shareholder. Its aim is also to devise and execute a strategy for realizing value for the government’s investments in an orderly and active way over time within the context of protecting and creating value for the taxpayer as shareholder, paying due regard to the maintenance of financial stability and acting in a way that promotes competition. UKFI is also responsible for managing the Government’s 100 percent shareholding and loans in U.K. Asset Resolution Limited (“UKAR”) and its subsidiaries.
73. UKAR was formed during 2010 to integrate the activities of Northern Rock (asset management) plc and Bradford & Bingley Plc. UKFI managed the government’s 100 percent shareholding in Northern Rock plc from Northern Rock plc’s formation on January 1, 2010 up to its sale to Virgin Money on January 1, 2012.
Consumer protection
74. One of the FCA’s central responsibilities is to protect consumers from the firms and individuals in the financial industry that may cause them harm. The FCA expects firms to provide customers with appropriate products and services. To ensure consumers are protected and treated fairly, the FCA evaluates firms’ abilities to meet relevant supervisory requirements before they are authorized. The FCA then supervises their activities and prevents those that are not meeting standards from carrying out regulated activities. Where the FCA finds that firms are not following relevant rules, or where it finds that unauthorized firms are doing business in the United Kingdom, it intervenes where appropriate. This can take many forms, such as stepping in to impose penalties, stopping firms from carrying out certain types of business, requiring improvements in controls or management, or securing redress.
75. With respect to retail deposits, the relevant U.K. legislation and FCA rules sets down a conduct regime for banks and other account providers in relation to:
The provision of appropriate information, such as on terms and conditions, before an account is opened;
The ongoing provision or availability of information to customers about the activity on the account, such as through regular statements, as well as changes to terms and conditions such as notifications when the rate of interest applied to the balance on the account changes;
The making and receipt of payments on the account, and the related protections against issues such as unauthorized transactions;
Deposit protection; and
The provision of overdrafts.
76. In 2013, the government launched the ‘Current Account Switch Service.’ It lets consumers safely and reliably switches their accounts between banks in seven days, with a guarantee that they will be fully protected against any financial loss during the transfer.
Detailed Assessment
77. Compliance of each principle will be made based on the following four-grade scale: compliant, largely compliant, materially noncompliant, and noncompliant. A “not applicable” grading can be used under certain circumstances.
Compliant: a country will be considered compliant with a Principle when all essential criteria applicable for this country are met without any significant deficiencies.11 There may be instances, of course, where a country can demonstrate that the Principle has been achieved by other means. Conversely, due to the specific conditions in individual countries, the essential criteria may not always be sufficient to achieve the objective of the Principle, and therefore other measures may also be needed in order for the aspect of banking supervision addressed by the Principle to be considered effective.
Largely compliant: A country will be considered largely compliant with a Principle whenever only minor shortcomings are observed that do not raise any concerns about the authority’s ability and clear intent to achieve full compliance with the Principle within a prescribed period of time. The assessment “largely compliant” can be used when the system does not meet all essential criteria, but the overall effectiveness is sufficiently good, and no material risks are left unaddressed.
Materially noncompliant: A country will be considered materially non-compliant with a Principle whenever there are severe shortcomings, despite the existence of formal rules, regulations, and procedures, and there is evidence that supervision has clearly not been effective, that practical implementation is weak, or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. It is acknowledged that the “gap” between “largely compliant” and “materially non-compliant” is wide, and that the choice may be difficult. On the other hand, the intention has been to force the assessors to make a clear statement.
Noncompliant: A country will be considered non-compliant with a Principle whenever there has been no substantive implementation of the Principle, several essential criteria are not complied with, or supervision is manifestly ineffective.
A. Supervisory Powers, Responsibilities, and Functions
| Principle 1 | Responsibilities, objectives, and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.12 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.13 |
| Essential criteria | |
| EC 1 | The responsibilities and objectives of each of the authorities involved in banking supervision14 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. |
| Description and findings re EC 1 | The CRD requires MSs to ensure that National Competent Authorities (NCAs) assess compliance with CRD and CRR (Arts. 4–7), and that such function is separate and independent from the functions relating to resolution (Art. 4). Art. 5 requires MSs to coordinate internally if there are more than one NCA, and Art. 6 requires MSs that NCAs cooperate within the European System of Financial Supervision (ESFS) and European Systemic Risk Board (ESRB). The PRA and FCA are the NCAs for the United Kingdom. They have responsibility for the supervision of banks, the PRA for prudential matters and the FCA for conduct matters. The PRA supervises around 1,700 firms and groups, including over 900 deposit-takers (banks, building societies and credit unions) and nearly 700 insurers of all sizes (general insurers, life insurers, friendly societies, and mutuals).15 The FCA is the conduct supervisor for approximately 56,000 firms across all industry sectors (including all deposit-takers) and the prudential supervisor for approximately 24,000 firms not regulated by the PRA, including a large number of investment firms subject to the CRD. The responsibilities and objectives of the PRA and FCA are set out in the FSMA 2000, which is public (http://www.legislation.gov.uk/ukpga/2000/8/contents). In discharging its general functions, the PRA is required to act so far as reasonably possible in a way which advances its general objective of promoting the safety and soundness of PRAauthorized persons (S2B FSMA).16 This general objective is to be advanced primarily by: (i) seeking to ensure that the business of PRA-authorized persons is carried on in a way which avoids any adverse effect on the stability of the U.K. financial system; and (ii) seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system. The emphasis on bank failures in terms of their impact on financial stability supports the PRA’s ‘no zero-failure’ policy (i.e., that it is not the PRA’s role to ensure that no firm fails, which is also explicitly stated in S2G FSMA),17 and helps to understand the PRA’s apparent degree of risk appetite and consequent supervisory approach. In its public discourse the PRA often uses the term ‘risk appetite’ (e.g., in the programmatic document on its approach to banking supervision), even though there is not a defined and articulated process leading to a clear identification of the PRA’s risk appetite and of its implications at executive level. As announced in the 2015 annual report (p. 21), the PRA is reviewing its Target Operational Model, risk appetite, oversight and mitigation. PRA’s general safety and soundness objective is expressed also through the Fundamental Rules, contained in the PRA Rulebook. They set PRA’s general expectations with respect to banks’ conduct, adequacy of financial resources, risk strategy and risk management, organization and control, openness and cooperation with the PRA, preparedness to resolution. The PRA also has a secondary competition objective. This requires that when discharging its general functions in a way that advances its objectives, the PRA acts in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. In discharging its general functions, the FCA is required to act in a way that is compatible with its strategic objective and advances one or more of its operational objectives (S1B FSMA). The FCA’s strategic objective is to ensure that the relevant markets function well. The FCA’s operational objectives are:
In discharging its general functions, the FCA and PRA are also required to have regard to the regulatory principles specified in FSMA S3B, which include:
Much of the detail involved in the PRA’s and FCA’s execution of their responsibilities is included in secondary legislation and regulators’ rules, including the PRA and FCA Handbooks of Rules and Guidance and the Regulated Activities Order (SI 20001/544). This Order sets out the specific activities which firms must receive PRA or FCA permission to carry on. The FSMA establishes a number of coordination mechanisms for the PRA and FCA (see EC 3). There are also specific requirements in FSMA as to how the PRA and FCA will coordinate regulatory processes where both authorities are involved, such as rulemaking and enforcement. This ensures that both authorities have appropriate input into the process. Examples of hard requirements for cooperation include the duty to consult on rules (S138I and S138J of FSMA), imposition of a requirement by either regulator (S55L and S55M of FSMA), and the definition of “appropriate regulator” for enforcement purposes (S204A of FSMA). On April 1, 2013, the FPC was established on a statutory basis as the United Kingdom’s macroprudential authority, following two years of operating on an interim basis. The FPC has a primary objective to contribute to the achievement of the BoE’s financial stability objective “to protect and enhance the stability of the financial system of the United Kingdom.” The law gives the FPC two main types of power: first, it can make Recommendations, on a comply or explain basis, to the microprudential regulators (the PRA and the FCA) to take measures to mitigate risks in relation to any aspect of their regulated entities (but not focused on a specified individual entity).19 The other set of powers that the FPC has is to give directions to the PRA and FCA to deploy specific macroprudential tools prescribed by HMT. The FPC can currently direct the PRA to use: the CCB, which allows the FPC to change capital requirements above normal microprudential standards in relation to all loans and exposures of banks to borrowers in the United Kingdom; the SCR, which are more targeted and allow the FPC to change capital requirements on exposures to three specific sectors judged to pose a risk to the system as a whole: residential property (including mortgages), commercial property and other parts of the financial sector; the limits on residential mortgage lending, both owner-occupied and buy-to-let, in terms of loan-to-value ratios and/or debt-to-income ratios (including interest coverage ratios in respect of buy-to-let lending). The BoE is the United Kingdom’s resolution authority for banks, building societies, central counterparties and certain investment firms. The BoE and the relevant prudential supervisor will make the decision to put a firm into the resolution regime, having consulted HMT. The Banking Act clearly sets out the roles and powers of the respective authorities. HMT (as part of the U.K. government) is responsible for proposing any amendments to FSMA, which must be passed by parliament before they can become law. The statutory framework recognizes the importance of there being a credible and publicly available framework in place to avoid regulatory and supervisory gaps. In the banking regulatory framework of the EU, the EBA is a competent authority for the purposes of functioning of colleges of supervisors, whilst not bearing any supervisory responsibilities. The European Commission is in charge of regulatory matters for the whole EU, but has no supervisory powers. |
| EC 2 | The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. |
| Description and findings re EC 2 | In discharging its functions, the PRA, as the prudential supervisor for all deposit-takers, is assigned the primary objective of promoting the safety and soundness of PRA-authorized persons (S2B FSMA). The PRA also has a secondary competition objective, which does not conflict or override the primary objective. This requires that when discharging its general functions in a way that advances its objectives, the PRA acts so far as reasonably possible in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. |
| EC 3 | Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile 20 and systemic importance.21 |
| Description and findings re EC 3 | In the United Kingdom, banks are required to meet the Threshold Conditions set by FSMA (Schedule 6) and comply with rules made by the PRA and FCA, in order to be authorized and to continue to be authorized. The Threshold Conditions include, in particular, the obligation to have adequate financial resources. While they are not requirements directly applying to firms in the same way that rules do (i.e., a failure to meet Threshold Conditions cannot be used as a basis for fining a firm), the Threshold Conditions impose requirements on the regulator in relation to the authorization and on-going supervision of the firm, giving them power to act and forming the basis of the trigger for resolution of a bank. The PRA routinely sets Pillar 2A capital for credit, market, counterparty and operational risks where Pillar 1 capital requirements are found to underestimate risk. The PRA also sets Pillar 2A capital for IRRBB, credit concentration risk and pension obligation risk, which are not captured under the Pillar 1 regime. It may also set capital for other risks depending on their materiality to the firm.22 The sum of Pillar 1 and Pillar 2A requirements represent the individual capital guidance (ICG), i.e., the amount of capital a bank should hold at all times; the PRA expects banks to meet Pillar 2A with at least 56 percent of CET1 and no more than 25 percent of Tier 2 Capital, i.e., reflecting the composition of Pillar 1 capital. Firms may be expected to hold additional Pillar 2B capital (PRA buffer) to ensure that they continue to meet minimum capital requirements during a stressed period (as estimated under either the concurrent stress test (CST),23 for the largest banks, or own stress tests, for the remaining ones). Where the PRA assesses a firm’s risk-management and governance (RM&G) to be significantly weak, it may also set the PRA buffer to cover the risks posed by those weaknesses until they are addressed. Another component of the PRA buffer is meant to cover losses that may arise under a severe stress scenario and is informed by the results of stress test exercises (either the CST, for the largest banks, or own stress tests, for the remaining ones). In addition, the PRA can take into account other factors when carrying out the buffer assessment, including a bank’s systemic importance. Given the potential overlap between the risks covered by the PRA buffer and those addressed by the capital conservation and systemic buffers set forth by CRD, the PRA buffer is generally set as the excess—if any—over and above the CRD buffers. Both the PRA and FCA also have the power to alter or revoke rules, and to modify or waive rules in particular cases (FSMA S138A). Where the PRA or FCA proposes to make rules, it must publish a draft of the proposed rules in the way appearing to it to be best calculated to bring them to the attention of the public. The draft rules must be accompanied by a cost-benefit analysis; an explanation of the purpose of the rules; an explanation of the reasons why they believe that making the proposed rules is compatible with its general duties under FSMA; and a notice that representations may be made about the proposals within a specified time (S138I of FSMA). The PRA and FCA have strong enforcement powers, including the power to issue unlimited financial penalties and publicly censure firms and individuals. The regulators’ enforcement powers are set out in S66 FSMA (in relation to individuals) and in Part XIV FSMA (S205 and S206) (in relation to firms). If the PRA identifies any breach of the PRA’s rules, it could take steps to enforce against the firm which is in breach. There are a wide variety of enforcement powers available to the PRA and the fines that can be imposed are substantial (see EC 6 for further explanation). |
| EC 4 | Banking laws, regulations, and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. |
| Description and findings re EC 4 | The current CRD/CRR framework, adopted in 2013, represents the third reincarnation of the CRD originally issued in 2006, then modified and issued as CRD II in 2009 and updated again in 2010 (CRD III) each time following a public consultation process. EBA technical standards and guidelines are also subject to formal public consultations. The PRA and FCA update their rules and their guidance on a regular basis to take account of market changes.24 Updates are also made as and when necessary to implement new EU rules in the form of Directives. However, significant portions of the prudential framework for U.K. banks is directly applied under EU Regulations (the CRR), which are made and amended by the European authorities and are not implemented through PRA rules. Where either regulator proposes to make rules, it must publish a draft of the proposed rules in the way appearing to it to be best calculated to bring them to the attention of the public. The draft rules must be accompanied by a cost-benefit analysis; an explanation of the purpose of the rules; an explanation of the reasons why making the proposed rules is compatible with the regulator’s general duties under FSMA; and a notice that representations may be made about the proposals within a specified time (S138I FSMA). This affords the industry and others an opportunity to comment on proposed rule changes before they are made. |
| EC 5 | The supervisor has the power to:
|
| Description and findings re EC 5 | CRD Art. 65 requires MSs to provide NCAs to have information gathering and investigatory powers for the exercise of their functions. Art. 97 expects NCAs to have the ability to conduct supervisory review and evaluation to comply with CRD and CRR. The PRA and FCA have full access to a bank’s Board, management, staff and records by virtue of their powers to gather information under S165 of FSMA and to appoint persons to conduct investigations under S167 and S170 of FSMA. PRA Fundamental Rule 7 requires a firm to deal with its regulators in an open and cooperative way and to disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice. Failure to provide information required by either regulator in an investigation without reasonable excuse can be punished by the court in the same way as being in contempt of court. Knowingly providing materially false or misleading information to the PRA constitutes a criminal offence. Furthermore, destroying, concealing, falsifying or otherwise disposing of a document which is or may be relevant for an investigation will constitute a criminal offence where a person was aware or suspected that the regulators were likely to conduct any such investigation (S177 and S398 FSMA). The PRA and FCA may apply for a warrant to enter into the premises of a bank and obtain documents or information of a specified kind, where they suspect that a requirement to provide information is not being complied with or the documents or information would be removed, tampered or destroyed if such a requirement were imposed (S176 of FSMA). Any person who intentionally obstructs the exercise of any rights conferred by a warrant will be guilty of an offence. These powers can be exercised by the PRA in relation to U.K. incorporated firms (including U.K. subsidiaries of overseas firms) as well as in relation to U.K. branches of overseas firms (in the case of an EEA firm, in line with the allocation of responsibilities between the home and host supervisor under European law). In principle, the investigatory powers can be used in other jurisdictions, although the ability to enforce them in other jurisdictions may be limited by overseas legal requirements. However, a failure to cooperate with such an inspection may involve a breach by a firm of PRA Fundamental Rule 7, which requires firms to deal with regulators in an open and cooperative manner and may call into question the firm’s compliance with the Threshold Conditions for authorization. |
| EC 6 | When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to:
|
| Description and findings re EC 6 | CRD provides a common framework where NCAs are expected to have the power to withdraw the authorization granted to a credit institution (Art. 18), to impose penalties (Art. 64), to require an institution to take corrective actions (Art. 102), and for the NCAs to require corrective actions (Art. 104). The EU framework for resolution is established in the BRRD. The PRA and FCA have powers under FSMA to take action against banks that do not comply with the requirements set out in FSMA, the secondary legislation under FSMA, and in their rules. Corrective action and revocation of license: In cases where the bank is failing or likely to fail to satisfy Threshold Conditions (including the requirement to conduct business in a prudent manner, considering the effect that carrying on such a business or the bank failing can have on the stability of the U.K. financial system), the regulators may change the bank’s permission on their own initiative under S55J of FSMA (own initiative variation of permission (OIVOP)). They may also exercise this power to meet any of their regulatory objectives. An OIVOP may include withdrawing a bank’s authorization, and limiting its ability to accept deposits. In addition the FCA or the PRA may impose requirements on banks, including a requirement to do or not do a specified action (S55L and S55M of FSMA). Imposition of sanctions: Where a bank has contravened a requirement imposed on it by or under FSMA, the PRA or FCA may take disciplinary actions under Part XIV of FSMA which may include:
The BoE is the designated resolution authority for the United Kingdom. There are two key conditions that must be met before a firm can be put into resolution. The first condition is that the firm must be failing, or likely to fail. This assessment is made by the prudential supervisor (the PRA, or the FCA for those firms regulated solely by the FCA), having consulted the BoE as resolution authority. The second condition is that it must not be reasonably likely that action will be taken—outside resolution—that will result in the firm no longer failing or likely to fail. This assessment is made by the BoE as resolution authority, having consulted the PRA or FCA, and HMT. |
| EC 7 | The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. |
| Description and findings re EC 7 | The CRD (Art. 4) requires MSs to empower their NCAs to monitor the activities and obtain the information needed from FHCs and MFHCs. It also provides a legal framework to conduct consolidated supervision (Arts. 111–127). The PRA supervises large complex groups on a consolidated basis, even where the holding company is technically not a regulated legal entity. Where parent companies and their affiliates are ‘credit institutions’ or ‘investment firms’ (as defined in Art. 4 of CRR), they are supervised under the CRD and required to comply with general prudential requirements specified in the CRD/CRR. Parent companies that are holding companies fall outside of the scope of the CRR. The Financial Services Act 2012 gave the PRA and the FCA two new powers over ‘qualifying parent undertakings,’ i.e., U.K.-based parent companies of U.K.-authorized entities, which are not themselves authorized entities (see FSMA S192B and S192C). These powers are: (i) a power to give directions to individual qualifying parent undertakings, requiring them to take specific actions or to refrain from taking specific actions; and (ii) a power to make rules requiring qualifying parent undertakings to provide to either regulator information or documents of a specified description. Both regulators have issued policy statements on use of the power to issue directions over qualifying parent undertakings. The PRA’s power of direction over qualifying parent undertakings can be used by the PRA to require qualifying parent undertakings to provide information/documents in respect of activities of companies affiliated with such parent undertaking. The PRA’s specific rule making power could be used to impose rules requiring all qualifying parent undertakings to provide specified information to the PRA on the request of the PRA. This could be for the purpose of obtaining information from the qualifying parent undertaking in respect of affiliated companies to determine the impact of such companies on the safety and soundness of the relevant PRA authorized bank or the banking group. However, to obtain information on companies affiliated with the banking group, the PRA may also choose to use its information gathering powers over the PRA authorized entity. These rules require the PRA authorized entity to permit the PRA to have access to any document that the PRA reasonably requests (Rule 4.1 of the Information Gathering Part of the PRA Rulebook). |
| Assessment of Principle 1 | Compliant |
| Comments | The new financial regulatory architecture introduced by the Financial Services Act 2012 has formally separated the prudential and conduct supervision functions on deposit-takers, assigning the former to the PRA and the latter to the FCA. This somehow addresses one of the main concerns raised by the previous FSAP mission, i.e., an unclear and ultimately unbalanced allocation of effort and resources between the two macro-objectives, with the prudential one eventually crowded out by an increasing emphasis on conduct issues. The Act provides greater clarity by dividing these mandates and assigning them to two separate agencies, each one subject to specific accountability requirements; it is less clear whether it also addresses in a substantial way the unbalanced allocation of resources (see CP 2). The 2012 law also reformulates the two agencies’ objectives, assigning to the PRA a primary objective and defining it more clearly than it was the case for the FSA: while the FSA was tasked with four statutory objectives (market confidence, consumer protection, reduction of financial crime, and—from 2010—financial stability), with no guidance on how to deal with the trade-offs among them and no explicit mention of the safety and soundness of banks, the PRA has, as its primary objective, that of promoting the safety and soundness of PRA-authorized persons. It also has to act in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. This represents a secondary objective: while the PRA must consider the effect on competition when exercising its general functions in areas such as rule making, general policy, and Supervisory Statements (SS) and codes, in any circumstance in which there is a conflict between the promotion of competition and the PRA’s primary objective, the action that promotes the primary objective will have to take precedence. The FSA had also set for itself a number of principles related to good regulation that it had committed to ‘have regard to’ when discharging its functions. Among them: the international character of financial services and markets and the desirability of maintaining the competitive position of the United Kingdom; and the need to minimize the adverse effects on competition that may arise from anything done in the discharge of its functions. These were also rightly cited in the previous FSAP as elements likely to weaken the supervisor’s focus on prudential issues.25 The PRA objective function is formulated exclusively in terms of statutory objectives and is accompanied by a more narrative document (‘The PRA’s Approach to Banking Supervision,’ April 2014), which reconfirms the hierarchy of its primary and secondary objectives and describes how it has organized itself to achieve them. The law also states that the PRA’s general objective is to be advanced by seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system and clarifies that the PRA is not expected to ensure that no PRA-authorized person fails: this helps to understand the PRA’s apparent degree of risk appetite and its supervisory approach (see CP 8), which entails a relevant allocation of resources to the supervision of the largest, systemic banks, at the price of a significantly less intense and intrusive approach on the medium and small banks. While the prioritization adopted by the PRA makes sense from a financial stability perspective, it may raise concerns regarding reputational risk for the supervisor: as the recent financial history in the U.K. has demonstrated, a failure doesn’t need to concern a systemic bank for the trust of general public in the banking system to be undermined. Nor a supervisor can necessarily afford the risk of being perceived, ex-post, as having not been sufficiently intrusive—and, ultimately, effective—in the case of failure by a less-than-systemically important bank, even absent any relevant consequence for financial stability. The disruption to financial services and the losses on non-insured deposits caused, for example, by the failure of a mid-size regional bank could affect enough customers to garner public scrutiny and potentially discredit the supervisor’s reputation and credibility, should the intensity of its previous supervisory action be perceived as insufficient. Further considerations on the PRA resourcing are presented in CP 2. The FCA has a strategic objective (good functioning of financial markets) and three operational objectives that do not appear to conflict with or override the main one: securing an appropriate degree of protection for consumers; protecting and enhancing the integrity of the financial system; and promoting effective competition in the interests of consumers. Since April 2013 the FPC operates as the United Kingdom’s macroprudential authority, with the primary objective of contributing to protect and enhance the stability of the U.K. financial system. The law gives the FPC the power to make recommendations to the PRA and the FCA to take measures to mitigate risks in relation to any aspect of their regulated entities (but not focused on a specified individual entity) and to give directions to the PRA and FCA to deploy specific macroprudential tools prescribed by HMT (like the CCB, the SCR, and the limits on residential mortgage lending in terms of loan-to-value ratios and debt-to-income ratios). The experience with the deployment of macroprudential tools by the PRA/FCA under the direction of FPC is still recent and immature: the countercyclical and sectoral buffers have not been activated yet, while limits on residential mortgages have been applied in a limited form (the PRA and the FCA were required to ensure that mortgage lenders limit the proportion of mortgages at loan to income multiples of 4.5 and above to no more than 15 percent of their new mortgages). There is then limited evidence, until now, about either the effectiveness of the tools in achieving their aim or the operational burden imposed on the microprudential regulators by the enactment of the macroprudential measures: at this stage it seems that cooperation, especially between the BoE and the PRA, is favoring the dialogue between specialists and, ultimately, the deployment of the potential synergies stemming from having both the macro and micro dimensions of prudential supervision under a single roof (‘one bank’). The ‘trade’ of resources between the two sides also appears as fairly balanced, so far: the financial stability experts of the BoE contribute with their view of the macroeconomic and macrofinancial situation, while the specialists and supervisors from the PRA provide their more on-the-ground expertise and active collaboration (e.g., in running the CSTs). The concern, expressed by the previous FSAP, that “the new macroprudential overlay [might] divert resources from effective core supervision” does not seem to have materialized, so far. But this statement needs to be reassessed dynamically: the CST is already absorbing a significant amount of time, energy, and resources, and its further evolution, if not accompanied by an accurate program in terms of recruiting, staff retention, and training, might end up exacting an excessive toll on the micro side of prudential supervision. The powers over parent undertakings, assigned to the PRA and the FCA in 2012, appear as broadly adequate to allow the two authorities to assess the impact of non-regulated parent and affiliated companies on banks, though they would not allow them to exercise on such entities the same powers they have on regulated entities: for example, the APR and, from March 2016, the SMR would not apply to the directors of a non-financial holding—unless, of course, they also have directive/managerial roles in the controlled regulated entity. However, the new powers look broad enough and, when coupled with the extensive powers of requesting information to regulated entities that the PRA and FCA already had, they should allow them to obtain the information needed to assess the impact that parent companies (and, through them, affiliated companies) can have on the safety and soundness of a bank or banking group. |
| Principle 2 | Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. |
| Essential criteria | |
| EC 1 | The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. |
| Description and findings re EC 1 | The independence of the PRA and FCA, the supporting governance and accountability arrangements are set out in statute (the FSMA 2000), and in the articles of association of each body which are publicly disclosed (see also EC 3). The PRA is established as a company limited by shares with the BoE as the sole shareholder. The majority of its Board members are, by law, independent nonexecutives. The Court of the BoE (which is its governing body) approves the PRA’s budget. The FCA, established as a private company, has operational independence in conducting its activities, notwithstanding its ultimate accountability for performance of its statutory objectives to the government and parliament. Both the FCA and PRA are financed by fees they are directly empowered to levy on industry by statute, subject to consultation, and neither body is subject to budgetary control by central government. The PRA is required to publish this budget and any variation, and is responsible for annual reporting. The government has no involvement in the day to day operation of the regulators and has only very limited powers of direction in circumstances specified in legislation. Briefly, HMT may direct the regulators as follows:
The last point, in particular, refers to the new powers of investigation brought in through the Financial Services Act 2012. Under this Act, the FCA, and PRA are required to investigate and make a report to the Treasury, to be laid before parliament, where there has been a serious failure in the system of financial regulation, or in the operation of that system, and certain conditions as set out in legislation are met. The Act also provides the Treasury with the power to direct either the FCA or PRA that conditions for an investigation appear to have been met if, for example, it disagrees with the regulators assessment. It is also possible for the Treasury to direct either regulator to carry out an investigation solely on the grounds it believes it would be in the public interest, and there has been (and is) no investigation by the regulators into the event in question. The Treasury has announced the intention to use this power only once to date, in November 2013, by ordering an independent investigation into the events at the Co-op BoE and the circumstances surrounding them. However, as the FCA and PRA also announced the intention to launch formal enforcement investigations on the case, the Treasury clarified that “The independent investigation under the Financial Services Act will therefore not start until it is clear it will not prejudice any actions the relevant authorities may take, including the potential FCA and PRA enforcement investigations.” The PRA has concluded its enforcement action against two former senior Co-op BoE employees but, at the time of the assessment, the FCA made it clear that they were not at the stage where it was clear that there would be no such prejudice. Consequently, no HMT investigation had started yet. The nature of the legal provision and the evidence drawn from the only case when it was applied lead to interpret it as an instrument for ex-post accountability in cases of potential regulatory failure, rather than as a potential source of ex-ante interference in supervisory action. |
| EC 2 | The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. |
| Description and findings re EC 2 | Schedule 1ZB of FSMA includes the requirement for the BoE’s Governor to be Chair of the PRA and the Deputy Governor for Prudential Regulation to be Chief Executive of the PRA. Both the governor and deputy governor for Prudential Regulation are appointed by the Queen under Section 1(2) of the BoE Act 1998, on the recommendation of the Prime Minister and Chancellor. The governor and deputy governors for Prudential Regulation and Financial Stability are members of the PRA Board ex officio. They can be removed from office by the BoE, with the consent of the Chancellor of the Exchequer, if considered unable or unfit to discharge their functions as members. All appointed members of the PRA Board must be appointed by the court of directors of the BoE with the approval of HMT para. 6 of Schedule 1ZB FSMA). The grounds for removal of an appointed member are set out in FSMA (para. 14 of Schedule 1ZB) and include the grounds of incapacity or serious misconduct and significant conflicts of interest. Schedule 1ZA of FSMA includes details of the FCA’s constitution; this includes a requirement (para. 2 of Schedule 1ZA) that the chairman and other members of the FCA’s governing body must be appointed, and be liable to removal from office, by the Treasury (two members are required to be jointly appointed by the Treasury and the Secretary of State). The requirements include provision detailing the circumstances in which the Treasury may remove the chairman or other members from office (para. 4 Schedule 1ZA). As for the PRA, these include the grounds of incapacity or serious misconduct, and significant conflicts of interest. From April 1, 2013, the Treasury appoints the Chairman of the FCA for a minimum term of five years and the CEO for a minimum term of three years. According to the BoE Act, the Chair of the PRA (BoE Governor) is appointed by the Queen for a term of eight years (though the current governor has indicated he intends to serve for five years). The CEO of the PRA is appointed by the Queen for a term of five years from April 1, 2013. There are no legal provisions requiring that the reason(s) for removal of the head(s) of the supervisory authorities be disclosed. Appointed members of the Boards of both organizations are generally appointed for a standard minimum term of three years. In some cases initial appointments have been for less than three years to stagger changes in the nonexecutive membership. |
| EC 3 | The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.26 |
| Description and findings re EC 3 | The PRA and FCA objectives are set out in the legislation as summarized in EC 3 of Principle 1. The PRA’s approach to supervision is published. The PRA is accountable under FSMA for its performance against its statutory objectives through the power, assigned to HMT, to appoint an independent person to review the economy, efficiency and effectiveness with which the PRA has used its resources in discharging its functions (S2O). This power had never been used by the Treasury at the time of the assessment. HMT can also require the PRA to undertake an investigation into any “relevant events,” where HMT considers it to be in the public interest and the PRA has not undertaken, or is not undertaking, an investigation already (S77 of the Financial Services Act 2012). As said in EC 1, an investigation of this kind has been announced and immediately suspended to wait for the outcome of investigations to be conducted by the PRA and FCA. FSMA also requires that the PRA:
The FCA is accountable under FSMA for its performance against its statutory objectives through a separate but similar structure:
In addition, the Treasury Select Committee of the house of commons, from time-to-time considers the performance of the PRA and FCA in carrying out their functions under FSMA, and requires the senior executives of the PRA and FCA to appear before it. Lastly, the recipients of PRA and FCA decisions may challenge those decisions before the Upper Tribunal, where this is expressly stated by FSMA or, otherwise, via judicial review. |
| EC 4 | The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. |
| Description and findings re EC 4 | The PRA’s supervisory internal governance is operated through the PRA Regulatory Decision Making Framework Guide. The guide provides all staff with information on all relevant processes and provides clear guidance on how to take decisions at a level appropriate to the significance of the issue. When the guide is updated this is communicated to all staff. The PRA has a dedicated Secretariat which supports and manages PRA’s internal governance and its associated committees. The Secretariat works with the entire business to schedule decisions in a timely manner within a centralized forward agenda and for pre-scheduled meetings. If there is a need for decisions to be taken in an emergency then the Secretariat have procedures in place to arrange ad-hoc meetings or, if appropriate, decisions can be made considered by written procedure. The PRA Board reserves to itself certain decisions, including supervisory decisions in relation to the largest and most systemically significant firms but delegates other decisions to the CEO of the PRA; in practice he is advised in relation to these decisions by the Supervision, Risk and Policy Committee. Details of these delegations are set out in “Delegations and Matters Reserved to the Board” which is published on the BoE website. The PRA policy on conflict of interest of the “appointed members” of the PRA Board is public. At the FCA there is a process for escalation of supervisory decisions in place and the criteria around decisions for escalation are set out and available to all Supervisors. There is a framework in place for business as usual (BAU) supervisory decisions such as sign-off of the Firm Evaluation (which sets out the supervisory approach for the coming regulatory period); Interim Review, Deep Dives findings letters, Risk Mitigation Programs, etc. Supervisory decisions outside of BAU are first escalated to the Divisional Supervisory Risk Committee (DSRC), a subcommittee of the Executive Regulatory Issues Committee (ERIC). Decisions may be escalated from DSRC to the FCA’s Executive Committee (ExCo) if appropriate. ExCo is the FCA’s final decision making body. The executive team is made up of the nine members of the ExCo, including the CEO, chief operating officer (COO), director of supervision and authorization, the director of enforcement and market oversight, and the director of strategy and competition. It discusses issues across all areas of the organization and is responsible for implementing the strategy set at Board level. The FCA’s Board sets ExCo’s strategy annually and gives ExCo its decision making powers. The Board is informed of certain ExCo decisions for further sign-off, e.g., significant spending decisions; changes to the FCA’s Handbook. Directors are required to declare any conflict of interest (S175 of the Financial Services Act 2012). The interested director absents him or herself from the discussion of matters relating to the conflict and is excused from review of papers prepared by, or for, the directors to the extent they relate to such matters. |
| EC 5 | The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. |
| Description and findings re EC 5 | All staff in the PRA are covered by the BoE’s recently updated Code of Conduct. This document, which was rolled out in June 2015, brings together policies which previously existed in different places. The policies were also updated as a part of this process. The Code includes sections on records management and Information security as well as a broader range of policies around the management of potential sources of conflict of interest and impartiality (see http://www.bankofengland.co.uk/about/Documents/humanresources/ourcode.pdf). The FCA’s Code of Conduct is also public (see http://www.fca.org.uk/your-fca/documents/code-of-conduct). |
| EC 6 | The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes:
|
| Description and findings re EC 6 | The PRA and FCA have powers to require the payment of fees, with the cost of banking supervision being met by an annual fee (authorization being charged for separately). Their fee charging power is set out in FSMA (PRA in para. 31 of Schedule 1ZB and FCA in para. 23 of Schedule 1ZA). In making such rules, the PRA and FCA are required to follow the consultation procedures in S138I and M138J of FSMA. Budget and business planning takes place on an annual basis. The PRA budget includes provision of technology to equip staff with tools to carry out their roles. This is divided into ongoing support costs and investment in new technology. Much of the investment budget is targeted at adoption and implementation of European and national legislation. Travel budget to enable effective onsite work, cross-border cooperation and participation in relevant domestic and international meetings is also provided in the budget, and targeted at areas with a high requirement for travel such as Policy and International Banking areas. FSMA (S166) gives the PRA and the FCA power to require any regulated firm or member of its group, to provide it with a report by a skilled person.27 The PRA commissions the report and the firm concerned pays for a skilled person to produce it. This provides both the specialist resources and necessary expertise to review areas of concern identified within a firm and/or the effectiveness or remedial action a firm has taken. The PRA’s pay policy with regards to market position is that it aims to pay median against the private sector, and upper quartile against the public sector in order to attract, retain and motivate the key skills required within the BoE. The PRA’s salary scales are reviewed every two years. The identification of skills required and activity to rectify any skill gaps is conducted on an annual basis in the following ways:
In order to strengthen leadership across the organization, the PRA introduced developmental reviews for all senior leaders and reviewed its succession planning approach. The PRA also reviewed its leadership training and introduced 360 feedback for all managers. The PRA is doing work to articulate different technical and managerial career paths across the BoE—including when to think about building breadth versus depth. Applying for an internal job vacancy is the core promotion route for all staff. Additionally there is a promotion framework for experts, which can be applied to roles where there is a business requirement for longer than average tenure, and deep technical or professional experience. This process has typically been relevant for risk specialist roles, and involves a set of clearly defined promotion criteria. The most recent FCA fees consultation paper (CP 15/14) consulted on the proposed fees to raise the FCA’s Annual Funding Requirement (AFR) for 2015/16. CP 15/14 was published at the same time as the FCA’s 2015/16 Business Plan which set out how the AFR will be used to undertake the work program to achieve the FCA’s statutory objectives in 2015/16. The Business Plan includes the budget to:
S166 of FSMA gives the FCA and the PRA the power to obtain an independent view of aspects of a firm’s activities that cause them concern or where they require further analysis. The appointment of a skilled person can either be by the regulated firm or directly by the FCA. In each case, the FCA sets the scope of the review and the costs are borne by the regulated firm. The 2014/15 FCA Annual Report (Appendix 1) sets out details of the reviews undertaken, the skilled persons appointed and costs. The FCA budget and business planning process includes the determination of:
In the discussion with the supervisors and specialists and from the analysis of the documentation provided, the assessors perceived and found evidence of a situation of strain for staff, especially—but not only—as regards specialist resources. |
| EC 7 | As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. |
| Description and findings re EC 7 | PRA supervisors bridge gaps in skill sets and knowledge through accessing training made available both through the central learning and development team and through local team-level training frameworks. The identification of skills required and activity to rectify is conducted on an annual basis. This includes a training needs analysis facilitated by the central team with input from across the supervision business areas; and a learning and development analysis conducted by individual supervisors and team managers through performance management. The FCA’s Annual Planning cycle includes people capability plans for each area looking at short and medium term capability needs. The supervisory function is represented on the ‘FCA Academy’ Advisory Group that directs investment in learning. |
| EC 8 | In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. |
| Description and findings re EC 8 | The frequency and intensity of the PRA’s supervisory activity varies across firms. The level of supervision principally reflects the PRA’s judgment of a firm’s potential impact on the stability of the financial system, and therefore its systemic importance; its proximity to failure and its resolvability. Those firms that are unlikely, individually, to create disruption to the wider financial system are subject to a baseline level of supervisory activity to ensure that they meet key prudential standards, whereas for higher-impact firms, the PRA makes use of a fuller selection of its supervisory tools. The PRA uses quantitative and qualitative analysis to allocate firms to five ‘categories’ of impact 1 to 5; 1 representing most significant firms with a capacity to cause major disruption to the U.K. financial system and 5 representing firms with a capacity to cause almost no disruption to the U.K. financial system. Supervisors also consider a firm’s proximity to failure when drawing up its supervisory plan. The PRA’s judgment about proximity to failure is captured in a firm’s position within the PIF; the framework aids supervisors in handling banks in times of stress. The supervisor assesses the firm against the PRA risk model to determine an overall assessment of the firm and a relative PIF rating. Additional work is performed, where necessary, to provide information on particular areas of concern, taking into account a firm’s resilience and resolvability, the prevailing market and economic conditions, and the business model of the firm. Supervisory concerns influence the PRA’s future supervisory program for a firm. For example, concerns about management, or systems and controls, influence the PRA’s attitude to the growth of a business, including via acquisition, or to new appointments to significant influence functions (SIF). The FCA considers risk to be the combination of impact and probability. It combines these impact and probability factors to obtain a measure of the overall risk posed to its statutory objectives. It then uses this measure to prioritize risks and make decisions on what its regulatory response should be. It also uses it to set its strategic aims and outcomes and to allocate resources based on its regulatory priorities. All firms are allocated a conduct categorization (C1 for the largest down to C4 for the smallest) on the basis of an impact score. Resources are then allocated on the basis of the conduct classification. For banks and building societies the impact scores are driven by total assets and liabilities and the number of depositors. The FCA then applies an additional weighting on the basis of sector. For example, retail banks’ impact score is higher than the score for investment banks as the FCA considers impact on retail consumers to be a significant additional factor in considering the risk posed by firms. C1 and C2 firms are allocated to a dedicated team of supervisors who undertake proactive supervision of these firms. The supervisory strategy is then set at a firm specific level by the Supervisory team on an annual or bi-annual basis. This includes deciding what proactive engagement meetings to undertake, what deep dives to do, etc. C3 and C4 firms do not have a named supervisor and are not subject to the same level of proactive supervision. Instead they are supervised on a cluster or thematic basis and when risks crystallize. Banking and insurance groups with the largest retail customer footprint (e.g., major U.K. retail bank and wholesale firms with the most significant market presence) are rated C1; there are normally between 10 and 12 C1 groups. In December 2014 the FCA announced a revised supervisory strategy to enable a more market-focused approach to identifying risks and supervising firms (see CP 8–EC 1). |
| EC 9 | Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
| Description and findings re EC 9 | FSMA provides that both the PRA, FCA and any person who is, or is acting as, a member, officer, or member of staff of either body is not liable in damages for anything done or omitted in the discharge, or purported discharge, of the PRA’s or FCA’s functions (para. 25 of Schedule 1ZA and para. 33 of Schedule 1ZB). There have been no examples where PRA staff have been liable for damages. However, this protection does not apply if the act of omission is shown to have been in bad faith, or unlawful as the result of S6(1) of the Human Rights Act (HRA) 1998.28 The regulators cover the legal costs of defending their staff in legal actions against them in relation to their work as PRA or FCA employees. They both have the power to require the payment of fees, to cover the costs of defending its actions. |
| Assessment of Principle 2 | Largely Compliant |
| Comments | The U.K. framework is compliant with the requirements of independence, accountability and legal protection for supervisors set in this principle. In particular, HMT powers of direction on the regulatory authorities do not appear to affect day to day supervision and there is no evidence that they have been used to constrain supervisory independence. While there are no legal provisions requiring that the motivation for removal of the head of the supervisory authorities be disclosed, there is no reason to think that such an extreme event would not attract intense public scrutiny in a system, like the British one, characterized by reasonably transparent and accountable public institutions. An element of limited compliance has been identified in the resourcing arrangements, especially for the PRA. In the discussion with the supervisors and specialists and from the analysis of the documentation provided, the assessors perceived and found evidence of a situation of strain on staff, especially—but not only—as regards specialist resources (e.g., see CP 16). This is certainly caused by the convergence of new and challenging projects, like the preparatory works for the structural reform (ring-fencing policy) and the SMR. It is a condition shared by many other supervisory authorities around the world, because of the intense effort to implement the vast post-crisis regulatory reform agenda. But in the case of the U.K. authorities, the strain on resources is intensified by the same nature of the U.K. financial sector and, in particular, by the status of London as global financial marketplace that attracts activities often at the frontier of financial innovation and demands an exceptional effort for the authorities to keep up with the evolution of risks in the firms they supervise. This strain is not expected to abate in the next future, as the authorities are likely to be increasingly absorbed by their ordinary supervisory schedule; by new promising—but demanding—activities (e.g., the CST, especially if it will extend to a wider range of firms); and by the challenges posed by the emergence of new risks (e.g., cyber risk). The dynamic nature of the London marketplace also entails a high degree of competition in the recruitment of particularly skilled resources (like the risk specialists). The PRA’s intent to pay median against the private sector is a reasonable policy, but does not ensure the level of staff retention that it would need: it is not uncommon for recent entry-level hires to consider a few years’ worth of experience at the supervisory authority as a springboard for a more profitable career in the private sector. The assessors found indirect confirmation of a potential difficulty by the supervisors (especially the PRA) in managing the consequences of their high churn rate in observations raised by a number of market participants: in particular, of a frequent rotation of their main counterparts (e.g., lead supervisors) and of the low relative seniority of the PRA personnel they sometimes find at meetings (e.g., senior managers interviewed by staff with five or less years of experience). It must be recognized that following the move to replace the single FSA with two focused regulators in the PRA and FCA, the cost of regulation and supervisory resources have increased. As reported in the recent NAO report into Regulating financial services, the “combined cost of their ongoing activities in 2013–14 is GBP 664 million–GBP 127 million (24 percent) higher than the 2012–13 cost of the FSA.” The combined budgets for 2015/16 of the PRA and FCA (based on AFR) is GBP 739.4 million. However, at least in the case of the PRA, the increase is in large part due to fees linked to the implementation of special projects, such as the structural (ring-fencing) reform. The PRA has committed itself to set its budget at a level “no higher than the flat real cost of operation” as it seeks to ensure that it is operating as efficiently as possible.29 While this is a commendable commitment by an authority accountable to the public and called to supervise a financial sector that is still dealing with the consequences of its past excesses, it entails a constant quest for resource optimization and the risk of potentially weakening the supervisory action. The question arises of whether a flat real cost of operation for the prudential supervisor of hundreds of firms (among which four global systemically important banks) is compatible with the perspective of a financial sector that, in the perception of the same authorities, is in the condition of growing further in real terms. The PRA also seems to be aware of these tensions and willing to address it through the ongoing revision of its Target Operation Model. Overall, the assessors realize that this is an extremely complex and almost intractable issue and do not think that they can recommend any easy solution (although some specific suggestions for measures partially addressing it are offered in some of the following CPs). Nonetheless, because of the size and complexity of the U.K. financial sector and of its centrality in the network of international financial connections, it represents an issue of globally systemic nature. As regards the technological equipment of the PRA, the assessors found—within their limited observation window—a generally satisfactory situation in terms of IT systems. But they also perceived a certain difficulty in flexibly aggregating data to respond to relatively simple requests; if confirmed, this would cast a shadow on the availability of flexible analytical capacity to appropriately feed the management information (MI) that supervisors and senior managers need. |
| Principle 3 | Cooperation and collaboration. Laws, regulations, or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.30 |
| Essential criteria | |
| EC 1 | Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. |
| Description and findings re EC 1 | Art. 5 CRD establishes that MSs must have coordination measures with all domestic authorities responsible for supervision of “credit institutions, investment firms and financial institutions.” FSMA establishes a number of general coordination mechanisms between the PRA and FCA:
The PRA has never exercised, to date, its veto power over FCA action. There are also specific requirements in FSMA as to how the PRA and FCA will coordinate regulatory processes where both authorities are involved. This includes a duty to consult on relevant policy initiatives. In practice this collaboration often occurs at working level with oversight by directors through a policy coordination committee which meets quarterly. This ensures that both authorities have appropriate input into the process. In order to ensure a joined up and holistic approach to the supervision of firms, the FCA and the PRA have a series of MoUs in place. These are publicly available documents and include:31
The overarching MoU between the FCA and PRA sets out the requirement to establish domestic supervisory colleges for individual dual-regulated firms and groups to ensure that information is shared efficiently between the two regulators and that each has a complete overview of the firm. This approach is set out in Section 25 of the FCA/PRA MoU: http://www.bankofengland.co.uk/about/Documents/mous/prastatutory/moufcapra.pdf. In accordance with the MoU, FCA, and PRA directors meet quarterly to discuss policy coordination. This ensures that collaboration is thorough, constructive and at the appropriate level. Both the PRA and FCA report on performance against the MoU on a quarterly basis. This was most recently conducted in July 2015. This reporting identifies areas of risk in the PRA/FCA relationship, which can then be addressed at the policy coordination meeting or at working level if appropriate. The most recent policy coordination meeting, held in July 2015, included discussion of EU engagement, FSCS and the implementation of the SMR. Where the FCA and PRA firm classifications are not commensurate with each other, the minimum frequency of colleges is based on the higher of the firm’s FCA and PRA classifications unless the FCA and PRA Supervisors agree to base it on the lower classification. The PRA and FCA also work closely with the BoE and HMT to ensure the soundness of the U.K. financial system. The legislation provides for the co-operation of the PRA and the FCA with the BoE (S3Q), requiring both to take appropriate steps to cooperate with the BoE in the BoE’s pursuit of its financial stability objective. The BoE and PRA work closely with the FCA in the collection and management of regulatory data. Much regulatory data for PRA firms continues to be collected by the FCA. This includes reporting via the FCA’s GABRIEL system, the submission of firms’ controllers and close links reports and the reporting of changes to firms’ standing data.32 Coordination between the PRA and the FCA is assisted by the membership of their CEOs on each other’s Board. The FCA, PRA, and BoE are also members of the FPC. This is vital in supporting the flow of information across the different bodies and forging an understanding of approaches and likely reactions to events. At a working level, dedicated teams are responsible for co-coordinating analysis, and sharing information, across the FPC, FCA, and PRA. The CEO of the FCA is a voting member of the FPC and the FPC has the authority to make recommendations on a comply-or-explain basis to the FCA. There is also a MoU between HMT, the BoE, and the PRA on how they intend to coordinate the discharge of their functions in relation to financial stability or the public interest (S65 of the Financial Services Act 2012). Under the terms of the coordination MOU, the FCA, and PRA share data on firms, both dual regulated, and in some cases non-dual regulated, in order to maintain a complete view of the market. Performance against these requirements is reviewed quarterly at CEO level and proactive action taken to address issues as appropriate. Both organizations are required to publish a summary of coordination performance in their annual reports. An international coordination MoU sets out how HMT, the BoE, the PRA, and the FCA will ensure their engagement in international organizations is coordinated effectively (S66 of the Financial Service Act 2012). In their meetings with market participants the assessors recorded an overall positive opinion on the coordination and cooperation between domestic authorities: in the case of that between the PRA and FCA, it was perceived as better than initially expected. |
| EC 2 | Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. |
| Description and findings re EC 2 | CRD Art. 6 establishes that NCAs should cooperate with the other authorities within the ESFS. CRD Art. 7 establishes that NCAs should consider the impact of their decisions on the financial stability of other EU members. CRD Art. 50 establishes that NCAs should cooperate with each other supplying information on management and ownership of institutions, and all information that can facilitate supervision and monitoring. CRD Art. 55 establishes that MSs and EBA can conclude Cooperation agreements with non-EU authorities to exchange information. CRD Arts. 56 and 57 establish the cases where exchange of information between authorities within the EU and outside the EU (see EC 3). CRD Art. 112, more specifically, describes the obligation of coordinating supervisory activities by the consolidating supervisor within the EU. CRD Art. 115 determines that cooperation arrangements need to be in place between the consolidating supervisor and the other NCAs. CRD Art. 116 establishes that the consolidating supervisor must establish colleges of supervisors. Including ensuring cooperation with relevant third country supervisors. The article describes the general tasks of a college. Level 2 regulation, directly applicable to all EU member countries: EBA drafted, and the EC issued, a regulatory standard (Regulation 524/2014) that specifies the information that NCAs must exchange with each other according to Art. 50. The EC issued an implementing regulation (Regulation 620/2014) that outlines operational procedures and sets out standard forms and templates for information sharing requirements, which are likely to facilitate the monitoring of institutions that operate through a branch or through the exercise of the freedom to provide services. EBA regulatory technical standards (RTS) and implementing technical standards (ITS) on operational functioning of colleges of supervisors (published in December 2014, not yet approved by the EC). In order for the PRA (and FCA) to carry out effectively their supervisory activities, it is necessary for them, at times, to share and receive confidential information with overseas authorities. Such information sharing must take place only where professional secrecy obligations are in place that is equivalent to those set out in certain EU Directives. The PRA (and FCA) are party to a number of Memoranda of Understanding (MoUs) with overseas authorities that facilitate such information sharing. There exist also the less formal agreements, known as ‘Exchange of Letters’ (EoLs). Neither MoUs nor EoLs are legally binding. Prior to April 1, 2013, the FSA was party to a series of MoUs (and EoLs) with overseas authorities; a number of these were jointly signed with the BoE. Under transitional provisions in the Financial Services Act 2012, the FSA’s MoUs continue in effect with the relevant successor U.K. authority/authorities (i.e., PRA, FCA, and/or BoE). Such MoUs underpin the supervisory relationship and cooperation that exists between the PRA (and the FCA) and its counterparts. They are instrumental in ensuring that supervisory colleges are able to function effectively, with the free flow of non-public / confidential information that facilitates effective supervision. The FCA maintains close contacts with most supervisory authorities, building even further on these relationships through its membership of various international committees, including International Organization of Securities Commissions (IOSCO), FSB, International Association of Insurance Supervisors (IAIS) and FATF. It is also a member of the European Securities and Markets Authority (ESMA) and actively engages with the EBA and EIOPA in coordination with the PRA. The FCA has MoUs in place with many supervisors around the world. These formalize the way the cooperating with each other. The FCA participates in supervisory colleges to ensure international co-ordination amongst supervisors of global groups. |
| EC 3 | The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. |
| Description and findings re EC 3 | CRD Arts. 53–62 address exchange of information and professional secrecy for prudential supervision. Art. 53 establishes that “confidential information which such persons, auditors or experts receive in the course of their duties may be disclosed only in summary or aggregate form, such that individual credit institutions cannot be identified, without prejudice to cases covered by criminal law; except in the case the bank has been declared bankrupt, confidential information which does not concern third parties involved in attempts to rescue that credit institution may be disclosed in civil or commercial proceedings, shall not prevent the competent authorities from exchanging information with each other or transmitting information.” Art. 55 of CRD, regarding cooperation with non-member countries, establishes that information can only be provided if it is subject to professional secrecy requirements equivalent to those of the EU. Arts. 56 and 57 establish that, provided secrecy requirements are maintained, exchange of information in the discharge of supervisory functions is allowed with(i) other supervisory authorities; (ii) macroprudential authorities; (iii) “reorganization bodies;” (iv) deposit protection schemes; (v) liquidation authorities; and (vi) auditors. Authorities must communicate to EBA the names of all authorities that may receive information. Confidential information (i.e., any information which relates to the business or affairs of the person or firm in question unless already public or anonymized) that the PRA or FCA may receive in the course of carrying out its functions is subject to the restrictions on disclosure out in S348 FSMA. However, S349 FSMA and the FSMA (disclosure of confidential information) Regulations (SI 2001/2188) provide particular “gateways” which allow the PRA and FCA to lawfully disclose confidential information to certain persons and bodies specified in these Regulations. The PRA and the FCA are able to disclose information to EEA and non-EEA regulatory authorities only for the purpose of the discharge of the functions of those authorities as regulatory authorities. So the PRA/FCA must take steps to ascertain that a possible recipient will only use the information for those purposes, in order to satisfy themselves that they have power to share the information. The confidential information restrictions in S348 FSMA then apply to any recipient of the information (they follow the information around, so to speak). Persons or bodies to whom the PRA or FCA discloses confidential information are subject to the restrictions set out in S348 FSMA. In the EEA, supervisors are also subject to the restrictions on the use and disclosure of confidential information received from another authority which are set out in the single market directives, such as the CRD IV or the EU BRRD. As regards non-EEA authorities, the terms of the MoUs typically stipulate that confidential information disclosed by the disclosing authority may only be used by the recipient authority for supervisory purposes, and contain terms relating to the confidential treatment of that information by the recipient authority. |
| EC 4 | The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. |
| Description and findings re EC 4 | CRD Arts. 53–62 address exchange of information and professional secrecy for prudential supervision. Art. 54 of CRD states that authorities receiving confidential information from NCA and auditors shall use it only in the course of their duties and only for any of the following purposes: (i) to check that the conditions governing access to the activity of credit institutions are met and to facilitate monitoring, on a non-consolidated or consolidated basis, of the conduct of such activity, especially with regard to the monitoring of liquidity, solvency, LE, and administrative and accounting procedures and internal control mechanisms; (ii) to impose penalties; (iii) in an appeal against a decision of the competent authority including court proceedings; and (iv) in court proceedings initiated pursuant to special provisions provided for in Union law adopted in the field of credit institutions. Art. 57 details the capacity of information exchange with members and non-member authorities responsible for liquidation, protection schemes, and auditors. Art. 59 details that information can be transmitted to parliamentary enquiry committees, courts of auditors, and other entities in charge of enquiries in the MS, under certain conditions (proper mandate, need to know, professional secrecy requirements, agreement of the originating NCA). Information obtained from onsite inspections cannot be disclosed without the express consent of the NCA who performed the inspection. The PRA and FCA (in common with other public bodies in the United Kingdom) make available to the public information relating to their regulatory functions. This is subject to two important exemptions. First, personal data is excluded; it continues to be subject to the Data Protection Act 1998 regime. Secondly, information subject to statutory restrictions on disclosure is excluded. This includes confidential regulatory information, as defined in S348 of FSMA, which is not publicly available (see also response to EC 3). FSMA and the FSMA (disclosure of confidential information) Regulations do not impose an obligation on the PRA or FCA to disclose particular information to other bodies (except when regulatory action or litigation is being taken under or for the purposes of FSMA). The PRA and FCA are however under a statutory duty to co-operate (including the sharing of information) with overseas regulators and with other persons in relation to the prevention and detection of financial crime. In these Regulations, Regulation 4 sets out the cases in which disclosure may be made for criminal proceedings and investigations, while Regulation 5 sets out the cases in which disclosure may be made in civil proceedings. Essentially, disclosure in the latter is permissible only in cases which relate to the statutory functions of the PRA and FCA. The PRA would strongly resist disclosure and as a matter of courtesy the PRA would, where appropriate, let a supervisory authority know where information had been disclosed and circumstances surrounding that disclosure. Where the information comes from an EEA competent authority, the PRA would regard notification of onward disclosure as falling within the obligation on competent authorities to cooperate closely with each other under Art. 117 CRD. In cases where the PRA is required to disclose such information, the PRA can request that the information be heard by the court in camera. |
| EC 5 | Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. |
| Description and findings re EC 5 | BRRD sets the framework for interaction between competent and resolution authorities in recovery planning (Arts. 6 and 8), resolution planning (Arts. 11 and 14), early intervention (Art. 27), assessment of conditions for resolution (Art. 32 and EBA guidelines on determination of failing or likely to fail), notifications obligations (Art. 81), and resolution colleges (Art. 88). For cooperation with nonmembers, Art. 88 says that the resolution authorities of third countries where a parent undertaking or an institution established in the Union has a subsidiary institution or a branch that would be considered to be significant “were it located in the EU” may, at their request, be invited to participate in the resolution college as observers, provided that they are subject to confidentiality requirements equivalent, in the opinion of the group-level resolution authority, to those that apply to EEA authorities. Art. 90 establishes that information provided by third-country resolution authority can only be transmitted onward with the consent of the third-country resolution authority. Arts. 93–98 establish cooperation with non-EU countries. Art. 97 establishes the cooperation with third-country authorities regarding resolution, which allows EBA to conclude non-binding arrangements with foreign authorities, based on which individual resolution authorities or NCAs may conclude non-binding cooperation arrangements with these countries. Member countries must notify EBA of arrangements with third-country authorities. The EU resolution authorities may refuse to recognize enforcement of non-EU member countries resolution proceedings if there are adverse effects on financial stability, adverse fiscal effects in the EU, or if depositors in the EU would not receive the same treatment as the depositors in the non-EU country. (Art. 95). The United Kingdom implemented the requirements of the BRRD from January 1, 2015. The BoE as the U.K. resolution authority has the responsibility for the resolution of a failing bank, building society and certain investment firms and their group companies, under the Banking Act 2009.33 The resolution regime covers PRA-regulated firms and certain FCA-regulated investment firms incorporated in the United Kingdom. The regime sets out the objectives that the BoE must pursue when it carries out a resolution, as well as the formal responsibilities under the Act to consult the other U.K. authorities—the PRA, the FCA, and HMT—when placing a firm into the resolution regime and when choosing which of the regime’s tools to use. The Act provides a clear framework for use of the regime, with defined roles for each authority. In practice, all of the authorities will co-operate closely both in the run up to, and during, a failure. The roles are:
A core aspect of the PRA’s approach is to ensure preparedness for either recovery or resolution of a failing firm.34 The PRA’s rules help the BoE in its role as the resolution authority by requiring firms to provide key data to be used in resolution plans which will set out how the firm will be resolved in an orderly manner without causing systemic disruption. The assessors reviewed an MoU meant to facilitate rapid info exchange and cooperation and liaison, to address info sharing in crisis/emergency situations between supervisory authorities for recovery and resolution planning purposes (bilaterally and/or through any Crisis Management Group (CMG) to which both parties are members and at least one party is the home authority); to offer mutual support in the supervision of branches (in particular, in relation to home state supervision of recovery and resolution plans). |
| Assessment of Principle 3 | Compliant |
| Comments | The U.K. authorities appear to have established fairly effective cooperation and collaboration arrangements between domestic authorities; this, in particular, has allowed to mitigate the feared coordination failures generated by the switch from a single supervisor (the FSA) to the twin-peak regulatory architecture (PRA and FCA). International cooperation has also progressed both at bilateral (MoUs) and multilateral level (colleges of supervisors, CMG, and resolution groups). |
| Principle 4 | Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. |
| Essential criteria | |
| EC 1 | The term “bank” is clearly defined in laws or regulations. |
| Description and findings re EC 1 | Although legislation does not define the term “bank,” the FSMA 2000 (Regulated Activities) Order 2001 (“FSMA 2000”) sets out definitions of activities subject to regulation under the Act, including the acceptance of deposits. So while the relevant legislation does not define the term “bank,” it does define activities that are subject to regulation. For more detail, the PRA Rulebook’s Glossary does define a bank as “(i) a firm with a part 4A permission to carry on the regulated activity of accepting deposits and is a credit institution, but is not a credit union, friendly society, or a building society; or (ii) an EEA bank.” |
| EC 2 | The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. |
| Description and findings re EC 2 | FSMA 2000 (Regulated Activities) Order 2001 defines activities subject to supervision, including the acceptance of deposits. The PRA supervises all banks and building societies under its authority using the same prudential regulatory regime, though some differences may exist in terms of what applies to each kind of institution. The PRA applies a special prudential regime to credit unions, which is outlined in the Credit Union Sourcebook. |
| EC 3 | The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. |
| Description and findings re EC 3 | Under the Companies Act 2006 and “Company, Limited Liability Partnership and Business Names (Sensitive Words and Expressions) Regulation” 2014, any use of the word “bank” or a derivative thereof requires review by the FCA, which has the ability to reject the use of the name “bank” or a derivative in a firm’s name if it could create confusion for the public. |
| EC 4 | The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.35 |
| Description and findings re EC 4 | All institutions with the ability to accept deposits are subject to supervision by the PRA. Any institution seeking to take deposits from the public must receive permission under Part IV of FSMA 2000 or be exempt from that requirement. As an example of the latter case, firms chartered in EEA jurisdictions as banks are permitted to establish a branch in the United Kingdom or to provide cross-border banking services under the “passporting” regime within EU law. |
| EC 5 | The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. |
| Description and findings re EC 5 | The PRA and FCA maintain the Financial Services Register as a public record that shows details of firms, individuals and other bodies that are, or have been, regulated by the PRA and/or the FCA. Separately the PRA publishes lists of banks and building societies and branches of foreign banks on a monthly basis on its website. |
| Assessment of Principle 4 | Compliant |
| Comments | Although the name “bank” is not defined in U.K. laws, the use of this name and the related concept of “building society” are strictly controlled through legislation and the PRA’s and FCA’s rules. Accepting deposits is clearly identified as an activity requiring authorization, and only firms authorized to accept deposits may use the name “bank” or “building society.” Consequently, U.K. authorities are in compliance with this core principle. |
| Principle 5 | Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base).36 Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. |
| Essential criteria | |
| EC 1 | The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. |
| Description and findings re EC 1 | The PRA is the authorizing agency and is the lead regulator in the U.K. Institutions seeking to engage in an activity regulated by the PRA and FCA must apply to the PRA for authority to do so under S55A (2) of FSMA 2000. The PRA can approve an applicant only with the consent of the FCA and the application is managed jointly by both agencies. Since the date of the transfer of authority from the legacy FSA to the PRA and FCA (April 1, 2013, also known as the “legal cutover date”), 13 banks have received either authorization to provide services as a new bank or variations of existing authorizations; of these successful applications, three were authorizations for non-U.K. banks to establish branches in the United Kingdom. An exception exists for EEA banks that operate in the United Kingdom through a local branch on a European “passport” and that have a home regulator from another EEA member jurisdiction. Such firms are automatically authorized to do business in the United Kingdom under Schedule 3 to FSMA 2000 once the firm has completed the necessary notification procedure. As part of the authorization process, either the PRA or the FCA may impose conditions or limitations that become binding at the point of authorization. After a firm receives authorization to conduct regulated activities in the United Kingdom, both the PRA and the FCA have the power to remove or amend the firm’s Part 4A permission to receive deposits. These conditions or limitations can be exercised by either supervisor after consulting with the other U.K. regulator. Part XIII of FSMA 2000 provides a separate regime for the imposition of requirements or restrictions on passported firms, though this power is generally limited by the allocation of responsibilities to the home state regulator. |
| EC 2 | Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. |
| Description and findings re EC 2 | For an applicant to receive Part 4A permi ssion to accept deposits and therefore become a bank, the applicant must meet five “Threshold Conditions” set by the PRA and another four set by the FCA; together, these conditions and supporting requirements form the criteria for licensing banks. Each supervisor decides whether the applicant firm meets its individual set of Threshold Conditions; the PRA makes the final decision on the application after the FCA has given its consent to the PRA to authorize the applicant. The
The FCA’s Threshold Conditions for banks are comprised of the following:
Some overlap exists between the two agencies’ criteria, and the FCA has indicated that its approach will have due regard to its statutory objectives to protect consumers; protect and enhance the integrity of the U.K. financial system; and promote effective competition in the interest of consumers. If information on an application is deemed to be knowingly false, the PRA can cancel a firm’s Part 4A permission under S55J(1)(c)(ii) FSMA 2000. Assessors reviewed two examples of the FCA’s communications to the PRA providing its consent to approve applicants’ authorizations, including an example of the FCA’s consent to approve an application subject to specific conditions or limitations. Assessors reviewed as well an internal PRA document outlining a new bank authorization and summarizing the PRA’s and the FCA’s analysis, as well as examples of actual Approved Persons Assessments and Recommendations Memos for firms seeking authorization. These documents gave the assessors greater insight into the U.K.’s authorization process and suggested that the two supervisory agencies do rely on the criteria outlined above in evaluating applications. |
| EC 3 | The criteria for issuing licenses are consistent with those applied in ongoing supervision. |
| Description and findings re EC 3 | Under FSMA S513(3), firms must meet the Threshold Conditions when first seeking authorization and then on an ongoing basis. Assessors reviewed examples of New Bank and New Branch Authorization Assessments and Recommendation Papers detailing the PRA’s internal review, including assessing compliance with the PRA’s Threshold Conditions and noting FCA’s conclusions. |
| EC 4 | The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.37 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. |
| Description and findings re EC 4 | Both the PRA’s and the FCA’s Threshold Conditions include provisions that both regulators must be satisfied in respect of the controllers and “close links”38 to the applicant, and that those close links do not prevent effective supervision of the applicant on either a solo or consolidated basis. This forms the basis of the assessment of the ownership structure of the bank. Both regulators also assesses the close links the firm has with other entities. As noted above under EC 3, firms must meet these Threshold Conditions both upon authorization and then on an ongoing basis. The EBA is currently developing regulatory standards to specify what obstacles constitute a barrier to effective supervision, as required under Art. 8(2) of CRD IV. |
| EC 5 | The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. |
| Description and findings re EC 5 | The EBA’s guidelines address the suitability of major shareholders in paras. 1–2 of Art. 14 of CRD IV. Major shareholders are defined in the EBA’s guidelines as those who have qualifying holdings or, if no qualifying holdings exist, the twenty largest shareholders. In the United Kingdom, the “Threshold Conditions” for the PRA and FCA require the assessment of controllers and “close links” (defined in EC 4 above) to an applicant firm to evaluate the transparency of its ownership structure. Neither the EBA nor the U.K. supervisors have issued guidance specific to the suitability of ultimate beneficial owners. Instead, the EBA and U.K. supervisory agencies reference requirements (set out in the CRD and in future RTS) to evaluate the suitability of major shareholders of a company or any entity or individual who is to become a shareholder, which could include ultimate beneficial owners. In the United Kingdom, if a major shareholder, or a beneficial owner, does not meet the criteria, they may not maintain a controlling interest in the firm and ultimately the firm may fail to meet the threshold condition for suitability (Threshold Condition, para. 5E).39 The assessors reviewed licensing applications containing an analysis of controllers and close links (and of their other relevant holdings), intelligence information on the applicants and an analysis of the nature and source of capital resources. |
| EC 6 | A minimum initial capital amount is stipulated for all banks. |
| Description and findings re EC 6 | PRA applies the minimum required capital of GBP 5 million (Art. 12, CRD), with limited exceptions, as permitted under EU rules, for “small specialist banks.” |
| EC 7 | The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.40 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. |
| Description and findings re EC 7 | Under the “Threshold Conditions,” the PRA and FCA must be satisfied that non-financial resources (e.g., Board members) possess the requisite skills, knowledge, and experience relative to the business model of the firm and the ExCo’s structure and composition. In addition, both regulators have the power under FSMA S59 to require individuals in identified roles with a significant influence on the affairs of a firm (SIF roles) to seek approval before taking up their position. Such individuals are known as ‘Approved Persons.’ Approval is granted only if the PRA as prudential regulator and the FCA as conduct regulator are both satisfied that an individual is fit and proper. PRA SIF roles include all members of a firm’s Board, and the heads of the finance, risk and internal audit functions. The PRA and FCA consider the collective skills, knowledge and experience of a prospective firm’s management body to determine whether the firm has adequate resources. A draft SS issued for consultation in May 2015 underscores the collective responsibilities shared by Board members; it’s been published in its final version in March 2016. FSMA also gives the regulators power to dictate which factors determine an individual’s fitness and propriety (S61), and to issue statements of principle and a Code of practice that will apply to individuals performing the functions specified under S59. The fit and proper test for approved persons (‘fit’ as defined in the PRA Rulebook) sets out the minimum standards for becoming and remaining an approved person at a regulated firm. Each individual that performs a “Controlled Function” is assessed and approved if they meet the following ‘fit and proper’ criteria:41
|
| EC 8 | The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.42 |
| Description and findings re EC 8 | The PRA and FCA require firms to submit a 5-year business plan. They also consider plans to outsource any functions and what controls the firms will place over those arrangements. FCA also considers controls and systems in place, competence of management, and adequacy of AML policies and procedures. |
| EC 9 | The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. |
| Description and findings re EC 9 | Supervisors require 5-year financial forecasts, own assessments of capital required (stress testing), source of funds to support business activities, liquidity needs, and financial information on principal shareholders. |
| EC 10 | In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. |
| Description and findings re EC 10 | PRA and FCA have full powers and responsibilities over subsidiaries of overseas firms (whether EEA or non-EEA), and those firms must meet all Threshold Conditions. For branches of EEA banks, those firms can “passport” deposit-taking activities into the United Kingdom without an authorization necessary from U.K. authorities. The authorized firm must inform its home country supervisor, and the home supervisor may object to a firm’s passporting into another EEA MS if it doubts the administrative structure or financial situation of the firm. The home country supervisor must inform the firm and the relevant host country authorities of its decision within three months. For U.K. branches of non-EEA banks, the PRA evaluates equivalence of home country regulator and, if not judged equivalent, will refuse authorization for a branch. Where judged equivalent, the PRA collaborates with the home country supervisor through supervisory colleges. Annual updates are required on applicant’s ability to meet prudential standards. |
| EC 11 | The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. |
| Description and findings re EC 11 | Bank must continue to meet Threshold Conditions and other rules and requirements set out in the PRA Handbook and Rulebook. Supervision can be intensive and not risk-based for up to five years. FCA approach is judgment-based and pre-emptive, depending on three pillars:
|
| Assessment of Principle 5 | Compliant |
| Comments | Based on a review of the United Kingdom and the EBA’s self-assessments for these criteria, subsequent questions raised with U.K. supervisors, and a review of sample licensing evaluations and decisions, U.K. supervisors are found to be compliant with Principle 5 regarding licensing. While neither the European nor U.K. requirements specifically identify separate processes for evaluating the compliance of ultimate beneficial owners with European and U.K. rules, the licensing applications reviewed by the assessors revealed that the analysis of the applicants is adequately deep and thorough (see EC 5). |
| Principle 6 | Transfer of significant ownership. The supervisor43 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. |
| Essential criteria | |
| EC 1 | Laws or regulations contain clear definitions of “significant ownership” and “controlling interest.” |
| Description and findings re EC 1 | Relevant laws and regulations promulgated by the EU have not offered a definition of “significant ownership.” The EBA notes that the EU has defined a “qualifying holding” as a direct or indirect holding in an undertaking that represents 10 percent or more of the capital or of the voting rights or that enables the holder to exercise a significant influence over the management of the undertaking (Art. 4(1)(36) of Regulation EU/575/2013 (CPR)). Art. 22B states further that a NCA may not set a notification or approval requirement that is more stringent than what is set out in the Directive. The U.K. regulations do define “significant ownership” and “controlling interest” in FSMA 2000, which sets out definitions for “control” based on the following guidelines:
|
| EC 2 | There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. |
| Description and findings re EC 2. | Under S178 of FSMA 2000, a person who decides to acquire or increase control over an authorized firm must give the PRA notice of its intention to acquire and obtain approval before it acquires or increases control. This notification concerns both changes in beneficial ownership (shareholding changes) and voting rights that could be held either directly or indirectly through parent and subsidiary undertakings. Failing to obtain approval prior to making an acquisition can constitute a criminal offense under U.K. law. Notification regarding increases in control requiring approval as ownership increases from one category to the next:
A person who decides to increase control over an authorized firm must give PRA notice of intention to increase control over that firm. Assessors reviewed examples of the PRA’s “Change in Control: Assessment and Recommendation Memos” that outlined the analysis conducted, including a review of how the authorization would alter ownership of the company, and found the examples indicative of the process described above. |
| EC 3 | The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. |
| Description and findings re EC 3 | The PRA may object under S186 of FSMA 2000 to the acquisition or ongoing ownership (meaning holdings above 10 percent or via significant influence) by a “controller” on the following grounds:
The FCA evaluates the effect that a proposed transaction may have on customers to ensure that the acquiring bank maintains or develops appropriate customer contact at the outset and that interactions with customers are appropriate. If it was determined that the change in control/significant ownership was based on false information, the PRA may deem this as evidence that the person does not have the required reputation to be a controller of a U.K.-regulated bank. |
| EC 4 | The supervisor obtains from banks, through periodic reporting or onsite examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. |
| Description and findings re EC 4 | Annual reporting is required of all controllers and close links44 as well as regarding possible changes in controllers and close links. As noted under Principle 5, EC 5, neither the EBA nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners. Instead, the EBA and U.K. supervisory agencies reference requirements (set out in the CRD and future RTS) regarding major shareholders of a company or any entity or individual who is to become a shareholder, which could include ultimate beneficial owners. Consequently, beneficial owners would be subject to scrutiny similar to other shareholders. In addition, banks are required to notify the PRA when they become aware of potential changes in their controllers or close links. The assessors found evidence of PRA analysis of change in control applications, with an appropriate drill-down into the legal structure of the acquiring entity up to the ultimate legal owners, and also of verifications (from open and closed sources) on the individuals and the families at the top of the controlling chain, all aimed at ensuring adequate information about all persons and entities in a position to exercise control over the target of the acquisition. |
| EC 5 | The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. |
| Description and findings re EC 5 | Under S191A of FSMA 2000, the PRA may object to a person’s control over a U.K. authorized firm and in some cases may launch criminal proceedings if the controller failed to seek approval in advance of a change; acquired control after receiving a “warning notice;” or breached an interim order. It is a criminal offense to acquire or increase control in an authorized firm without notifying the PRA first. Similarly, the PRA has the power under S191B to issue a “restriction notice” modifying the way in which control is exercised (e.g., prohibiting the voting, payment of dividends, or disposal of shares); this notice follows a warning notice objection to a controller. The PRA likewise can apply to the court for an order for the sale of shares following an objection to control under S191C. In addition, it is a criminal offence under S191F of FSMA 2000 to acquire or increase control without notifying the PRA first. |
| EC 6 | Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
| Description and findings re EC 6 | Under “Fundamental Rule” 7, firms must deal with the supervisor in an open and cooperative way and must disclose anything to the PRA for which the PRA would “reasonably expect” notification. This could include, for example, a development related to a controller that would call into question the controller’s integrity. A similar rule applies to the FCA. |
| Assessment of Principle 6 | Compliant |
| Comments | Based on a review of the U.K. authorities’ self-assessment, discussions with representatives of the authorities, and a review of sample analyzes made available to assessors during the review, U.K. authorities are in compliance with the core principal regarding the transfer of significant ownership. As noted under Principle 5, neither the EBA nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners. However the analysis of change in control applications revealed that the PRA requires adequate information about all persons and entities in a position to exercise control over the target of the acquisition. |
| Principle 7 | Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. |
| Essential criteria | |
| EC 1 | Laws or regulations clearly define:
|
| Description and findings re EC 1 | Chapter 2 of the Notifications Part of the PRA Rulebook requires that a firm give the PRA notice of: “(1) any proposed restructuring, reorganization or business expansion which could have a significant impact on the firm’s risk profile or resources, including, but not limited to: (a) setting up a new undertaking within a firm’s group, or a new branch (whether in the U.K. or not)…” While the detailed example refers to the establishment of a new undertaking, by analogy, failure to notify the PRA of any acquisition of another operating entity is likely to contravene the more general notification requirements. The same chapter also imposes an obligation of notification for “any action which a firm proposes to take which would result in a material change in its capital adequacy or solvency, including, but not limited to: (a) any action which would result in a material change in the firm’s financial resources or financial resources requirement.” Following the notification of an acquisition, the PRA can decide to prevent it, based on its statutory power to impose requirements on a bank, including a requirement to refrain from taking a specified action (S55M and 55N(1)(b) of FSMA. This power can be used to require a firm not to make a proposed acquisition or investment. Under S55M(7), the PRA must consult the FCA before imposing or varying a requirement. The PRA can therefore prevent an acquisition or investment if it judges that the acquisition or investment would be likely to lead to the failure of any Threshold Condition or if preventing the acquisition or investment would advance any of the PRA’s statutory objectives (including the safety and soundness of a PRA-authorized entity, which is the first of the PRA’s statutory objectives). U.K. supervisors have gone through this process once regarding a major acquisition in the past five years, namely in the case of Barclays seeking to acquire ING Direct. The assessor had access to the documentation regarding this operation and could verify that it was subject to intense scrutiny, in particular with respect to the adequacy of the acquirer’s financial resources. The supervisor’s judgment is backed up by prescribed criteria provided in explanations of what firms need to achieve in order to meet Threshold conditions and also a clear statement of the PRA’s objectives. Similar powers are given to the FCA under S55L. If the target entity is a bank, the acquirer must also obtain prior approval (see CP 6). |
| EC 2 | Laws or regulations provide criteria by which to judge individual proposals |
| Description and findings re EC 2 | The U.K. supervisors may impose requirements should a firm face a risk of failing to meet Threshold Conditions, especially regarding prudence; suitability; and the ability to supervise a new entity effectively (Threshold Conditions 3, 4, and 5, respectively). |
| EC 3 | Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.45 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. |
| Description and findings re EC 3 | PRA has statutory powers to intervene and prohibit an investment or acquisition if a firm might fail or be likely to fail to meet Threshold Conditions 3 (business must be conducted in a prudent manner), 4 (firm must be fit and proper) and 5 (firm is able to be supervised effectively). |
| EC 4 | The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. |
| Description and findings re EC 4 | The U.K. supervisors must determine the adequacy of financial and non-financial resources available to a firm to meet Threshold Condition 3 (prudence). |
| EC 5 | The supervisor is aware of the risks that nonbanking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. |
| Description and findings re EC 5 | Under Threshold Condition 3, a bank must have sufficient financial and non-financial resources to manage all risks to its safety and soundness. If resources are lacking, the supervisors may impose restrictions. If the supervisor considers that the bank does not have (or may not have in the future) the means to mitigate risks to its safety and soundness, the supervisor can mitigate these risks by imposing a requirement on the bank. Such a requirement would include preventing investment in a nonbanking activity (S55N(1)(b) of FSMA 2000). |
| AC 1 | The supervisor reviews major acquisitions or investments by other entities in the banking group to determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.46 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments. |
| Description and findings re AC1 | Under Threshold Conditions 3 and 5, the supervisors must review other acquisitions to ensure that the banking group maintains compliance with those requirements. Threshold condition 3 (“business to be conducted in a prudent manner”) requires a supervisor to consider a bank’s “membership of a group and any effect that membership may have” when determining the risks to which a bank is exposed.47 Threshold Condition 5 (“effective supervision”) requires a supervisor to consider whether a bank’s membership of a group “is likely to prevent the PRA’s effective supervision” of the bank.48 The supervisor therefore must review major acquisitions or investments by other entities in a banking group to make sure that these do not expose the bank to any undue risks or hinder effective supervision. To date, U.K. authorities have not yet had a case in which a U.K.-authorized bank was reviewed because another entity in the group made a major acquisition or investment. The authorities report that enhanced capital and liquidity requirements are in place for some firms due to their inclusion in a group. Threshold Condition 3 also requires a bank to be able to comply with requirements imposed or likely to be imposed on the bank by the PRA in the exercise of its functions. This means that the supervisor has to determine that any new acquisition or investment by another entity in the group does not hinder effective implementation of corrective measures in the future. The powers over ‘qualifying parent undertakings’ (i.e., U.K.-based parent companies of U.K.-authorized entities that are not themselves authorized entities) granted to the PRA and the FCA by the Financial Services Act 2012, can also be used in case of major operations conducted by a bank’s parent, as they allow the regulators to give directions to such undertakings, requiring them to take specific actions or to refrain from taking specific actions. |
| Assessment of Principle 7 | Compliant |
| Comments | While the U.K. legislation does not define the term ‘major acquisition,’ it sets forth notification requirements that result in an expansive definition: all firms supervised by the PRA must give the PRA notice of any proposed business expansion which could have a “significant impact on the firm’s risk profile or resources,” as well as of any action which a firm proposes to take which would result in a “material change in its capital adequacy or solvency, including, but not limited to, in the firm’s financial resources or financial resources requirement.” These criteria apply to any operation of significant impact, be it the acquisition of a bank or nonbank, EU or non-EU. Once notified, U.K. authorities have (especially through the application of the “threshold conditions”) the necessary powers to approve or reject requests to undertake major acquisitions that raise concerns about the risk that may result or the authorities’ abilities to supervise the firms. The supervisor must review major acquisitions or investments also by other entities in a banking group, to make sure that these do not expose the bank to any undue risks or hinder effective supervision. |
| Principle 8 | Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess, and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. |
| Essential criteria | |
| EC 1 | The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact, and scope of the risks:
The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. |
| Description and findings re EC 1 | No legislation sets out a specific methodology for determining and assessing a firm’s risks within the EU. NCAs are expected to develop their own approaches for assessing the risk profiles of individual firms. The legal basis for supervisors within the EU to review and evaluate firms is based on the CRD, which—in turn—the EBA has detailed through comprehensive procedures and methodologies for supervisory review and evaluation process (SREP) (EBA/Guideline (GL)/2014/13). SREP sets out four areas for analysis, namely (i) business model analysis; (ii) assessment of internal governance and institution-wide control arrangements; (iii) assessment of risks to capital and adequacy of capital to cover these risks; and (iv) assessment of risk to liquidity and adequacy of liquidity. The EBA SREP guidelines, which are based on a ‘comply or explain’ approach, take effect from January 2016; the PRA has committed to comply.49 The PRA’s approach to supervision depends on supervisors’ judgment, but prescribes a structure for evaluating relevant issues and forming judgments related to risks facing individual firms as well as risks that firms pose to the broader safety and soundness of the financial system. Three areas of focus comprise the PRA’s risk framework:
In terms of its methodology, applied to all banks, the PRA scores 8 elements (generally on a scale of 1 to 10) for each firm. The eight elements can be broken up into five groups of considerations, namely the “gross risk” associated with a particular firm; the “risk context” in which the firm operates; the “operational mitigation” a firm has in place to reduce the gross risks; the “financial mitigation” a firm achieves through its balance sheet resilience; and the “structural mitigation” against risks that a firm’s legal and operational organization may provide. Gross risk
Risk context
Operational mitigation
Financial mitigation
Structural mitigation
The PRA’s supervisory approach varies the frequency and intensity of supervisory activities based on a firm’s potential impact on financial stability; its proximity to failure (reflecting the PRA’s risk model and the PRA’s PIF); and its resolvability. For larger firms (Category 1 to 3), the PRA conducts this work through ongoing reviews, though the PRA does not necessarily evaluate each element each year. The supervisory cycle includes a “periodic summary meeting” (PSM) in which the scores for a firm are reviewed and capital and liquidity guidance is set; and a mid-point review for Category 1–4 firms. For Category 4 and 5 firms (the smallest), the PSM may encompass a group of firms simultaneously. Assessors had an opportunity to review documents prepared for past PSMs and mid-year reviews of firms in each Category from 1 to 5, and to meet with supervisors and others who participate. The FCA, in turn, operates a supervision approach that varies depending on a series of measures primarily related to the size of the firm. At the time that U.K. authorities submitted the BCP Self-Assessment, the FCA had assigned all firms to one of four impact categories, the first two of which required the FCA to undertake individual evaluations of the firms. Toward the end of 2015, the FCA changed its approach and now divides up all firms subject to its supervision into two categories rather than four. The new categories are based on the size, market presence, number of customers, and other characteristics. The first Category is called the “fixed portfolio,” which consists of firms for which the FCA appoints a named supervisor who oversees the FCA’s supervision of that firm. FCA staff confirmed that, at the time of the assessment, 26 banks, out of a total of approximately 110 firms, qualified for inclusion in the “fixed portfolio” Category. The remaining firms—which constitute the vast majority of firms supervised the FCA—form the “flexible portfolio” category, in which a specific supervisor is not assigned to oversee the FCA’s supervision. These firms are supervised in various ways, including through: thematic work; education and engagement; baseline monitoring; and through dealing with crystallized risk that exceeds the FCA’s risk appetite. For banking organizations that are subject to supervision on an individual basis by the FCA, the FCA’s approach includes a “firm evaluation,” which considers the nature and extent of risks that a firm poses to the FCA’s statutory objectives. The firm evaluation includes an analysis of 10 underlying risk groups, which include the external environment; the business model and strategy; the effectiveness of management and conduct culture; the effectiveness of front line functions; the client asset and financial crime framework; the effectiveness of governance and control functions; and prudential risk, among others. |
| EC 2 | The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. |
| Description and findings re EC 2 | To understand the risk profiles of the firms subject to its supervision, the PRA seeks to conduct assessments on a continuous cycle that increases in frequency and intensity commensurate with a firm’s potential impact on financial stability. The process nonetheless appears to be most developed for the largest systemically important firms (Category 1) than for the majority of firms, as the intensity and frequency of reviews, as well as the availability of expert supervisory resources—is greatly constrained for Category 2–5 firms (the majority). Even for Category 1 firms, the frequency and depth of probes can be more limited that the “CA” supervisory model may suggest, and U.K. authorities acknowledged that all eight elements of the PRA risk model may not be assessed in detail every year for Category 1–3 firms. While all elements of the PRA risk model are reviewed at least twice per year (in line with the PSM and the subsequent mid-year review), PRA supervisors note that detailed field work covering a Category 1 firm’s management of operational risk can require up to three years to evaluate all major areas of focus. Likewise, as noted elsewhere under CP 18, reviews of asset quality at Category 1 firms involve testing of actual loans and exposures, but the number of files reviewed can vary significantly. The overall process for evaluating a firm’s risk profile includes, among other components, reviews of a firm’s business models as well as evaluations of its capital. To establish a forward-looking view on the viability of a firm’s business model, the PRA requires firms to submit business plans for the next three to five years. Supervisors then evaluate the risks associated with these plans, seeking to understand how the firms generate profits; what issues could threaten their viability; what the firms’ potential to fail is; and what areas require additional review. To ensure that a firm has sufficient capital relative to its risk profile, the PRA conducts a SREP and considers risks that are not mitigated or not fully mitigated under the CRR (“Pillar 2A”) and risks to which the firm may become exposed in the future (“Pillar 2B”). In the course of its deliberations, the PRA evaluates the size of the Pillar 2A and Pillar 2B capital that a firm may hold and considers whether additional capital should be required. Supervisors may also apply temporary increases in capital requirements—called “scalars”—to cover unexpected losses that could arise from weaknesses that the firm has not yet mitigated. The PRA considers analyzes of a firm’s risk profiles, its individual risk elements, and all supervisory concerns are discussed at a PSM. At the PSM, the PRA’s relevant senior managers agree on the scoring of the risk elements, the individual capital and liquidity guidance that will be required of a firm, and the supervisory strategy for the firm going forward. |
| EC 3 | The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. |
| Description and findings re EC 3 | To assess compliance with Prudential Regulations and other legal requirements, the PRA undertakes “baseline monitoring” for all firms. This monitoring program includes reviewing regulatory returns from firms as well as other data gathered by the PRA in its supervision. The PRA employs automated surveillance systems that generate alerts and require supervisors to evaluate the issue(s) triggering the alert(s) and document decisions arising from the issues within 10 days. Baseline monitoring of regulatory returns is the primary way in which smaller firms (Category 3–5) are supervised. The U.K. authorities note that a “responsive” supervisory approach is adopted for these firms, with greater dependence on automated monitoring tools. For larger firms, such as Categories 1–3 firms, but also for smaller firms as required, the PRA may request additional information such as audit, Board packs, Asset-Liability Committee (ALCO) and risk committee reports, plus planned meetings. For firms posing greater risks to U.K. financial stability, the PRA’s baseline monitoring includes a planned schedule of meetings with senior managers and control function heads. The FCA, in turn, does regulate prudentially certain entities within banking groups and requires those firms to provide regular information in the form of regulatory returns to gain insight into compliance with rules such as the “Threshold Conditions.” The FCA coordinates its work with the PRA, which is the consolidating supervisor for all U.K. banking groups. In addition to its baseline monitoring and requests for additional documents, the PRA and FCA expect firms to report relevant issues as part of the “Fundamental Rules” and “Principles for Business.” For example, the PRA’s Fundament Rule 7 prescribes that “a firm must deal with its regulators in an open and cooperative way, and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.” |
| EC 4 | The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. |
| Description and findings re EC 4 | “External context” is scored as part of the annual PRA risk model, for which macroeconomic issues are taken into account. The PRA draws on work prepared by other areas of the BoE, including the views of the FPC; sectoral analyzes; or insight gathered by the market intelligence function, as examples. To take cross-sectoral issues into account, the PRA relies on its governing Board, whose membership is designed explicitly to ensure that the PRA’s strategy reflects the macroeconomic environment. The Governor of the BoE serves as chair of the PRA Board, as well as of the FPC and of the MPC, and the Deputy Governors for Markets and Banking and for Financial Stability likewise sit on all three groups. The Chief Executive of the FCA serves on the PRA Board as well. In terms of cross-sectoral developments, the chief executive of the PRA sits on the FPC and receives briefings on U.K. and international economies as well as insight into the nonbank sector. A reorganization of the BoE in 2014 furthermore sought to ensure that the three policy-setting committees benefit from the expertise of staff across the BoE. In addition, the annual stress testing that the PRA and FPC run jointly may help to capture macroeconomic risk. |
| EC 5 | The supervisor, in conjunction with other relevant authorities, identifies, monitors, and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. |
| Description and findings re EC 5 | Within the BoE, the FSSR Directorate provides support to the FPC and is responsible for identifying and evaluating risks arising from across the financial services sector. This includes: conducting a financial stability risk assessment and research across all sectors and markets; providing support to microprudential supervisors; identifying policy responses, including what macroprudential instruments the BoE may need and designing the strategy for their use; and delivering and developing the BoE’s stress testing framework. The FSSR produces a “quarterly risk pack” that focuses on trends and concentration of risks in the United Kingdom; quarterly capital and liquidity packs; a quarterly large exposure (LE) pack; and notes on special subjects. These notes are used more specifically for major U.K. banks. Supervisors review regularly capital and liquidity information for their firms; for smaller firms (Categories 4 and 5), these reviews may be done on a peer group basis. Overall, risks and trends within sectors and across the banking system are assessed by supervisors as part of the “External Context” element of the PRA risk framework, and key issues relevant to specific firms are identified in the annual PSMs and mid-year reviews. Significant risks and trends are communicated to relevant firms through a “Dear CEO” letter, and more broadly significant risks and trends are communicated via the bi annual FSR and speeches by the BoE and PRA staff. |
| EC 6 | Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. |
| Description and findings re EC 6 | The U.K. authorities are not seeking a “zero failure rate,” and they instead seek to avoid disorderly failures that might otherwise disrupt the supply of critical functions. To do so, the PRA collaborates with the BoE’s RD to ensure that a firm’s failure will not have a significant impact on the supply of financial services. Resolution is assessed as an element of the PRA risk model, and the PRA’s SS19/13 outlines what is required for a “resolution pack.” Both the PRA and the BoE have statutory objectives requiring action to ensure that institutions are resolvable, and can therefore be resolved in an orderly way, and an annual assessment of resolvability is required under law. The U.K. authorities consider an institution to be resolvable if the BoE finds that it is feasible and credible to take resolution action (using its stabilization powers) or it can pursue insolvency proceedings against an institution while avoiding any significant adverse effect on the financial system of any EEA sate or the continuity of the institution’s critical functions. The BoE determines the preferred resolution strategy, and the PRA contributes by helping to verify information submitted by the firm. The BoE coordinates resolution planning on a cross-border basis through CMGs. After the BoE has made a determination of a firm’s resolvability and—following formal consultation with the PRA and, where relevant, the resolution college—the BoE is required to share a summary of its resolution plan with the firm. The summary includes barriers to resolution and a request that the firm remove those barriers within four months. This process is not fully implemented yet given the time line for implementation of the BRRD. |
| EC 7 | The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. |
| Description and findings re EC 7 | The PRA considers proximity to failure when establishing its usual supervisory plans and relies on its PIF to express its judgment about the firm’s viability. The PRA relies on the PIF to achieve its goal of identifying and responding to emerging risks at an early stage and sets out five PIF stages, each representing a different level of risk of failure. Firms in Stages 1 and 2 are viewed as having the lowest to moderate risks, respectively, to their viability. Those in Stage 3 are viewed as having risk to their viability in the absence of any action by the firm. Firms in Stage 4 are viewed as having imminent risk to their viability, while those firms that are in the resolution phase are in Stage 5. When a firm moves into a higher PIF stage, indicating that the PRA believes the firm’s viability has deteriorated, supervisors are required to review their supervisory actions accordingly and in line with a list of appropriate actions detailed in the PRA’s Approach to banking supervision document. Senior management at firms, in turn, are expected to take appropriate action to reduce the likelihood of failure, and U.K. authorities will ensure preparedness for resolution. For firms assessed as being in PIF Stages 3 or 4, the BoE’s RD will add them to a watch list and begin assessing barriers to resolution through analysis and information-gathering; in Stage 4, the RD begins generating solutions to mitigate the identified issues. Two key conditions must be met before a firm can be put into resolution. First, the firm must be failing or likely to fail; for example, supervisors may assess that the firm is failing or likely to fail to meet its Threshold Conditions for authorization in a manner that justifies the withdrawal of its authorization. Second, it must be reasonably likely that no action will be taken outside of the resolution regime that will result in the firm no longer failing or being unlikely to fail. The decision to place a firm in resolution does not, on its own, allow use of all of the resolution tools. To use the stabilization tools, it must be necessary to do so, having regard to the public interest in achieving the objectives of resolution. The BoE will consult with the PRA, FCA, and HMT and then determine whether the public interest test is met by assessing the probable impact of the firm’s failure. If the assessment indicates that the use of the insolvency procedure would not meet the resolution objectives, the stabilization tools may be used. It should be noted that the PRA is currently evaluating the PIF to ensure that it complies with the Early Intervention Measures under the BRRD. From the FCA’s perspective, when a bank is in difficulty, the FCA engages with the BoE RD, HMT, and the PRA to consider the resolution contingency plan for the firm. The FCA considers in particular depositor protection, continuity of access, possible changes to terms and conditions, and completion of ongoing redress and remediation programs. In addition, the FCA seeks to provide confidence in the adequate regulatory protection of client money and safe custody assets (client assets) and sets out requirements for firms to have readily information to facilitate the prompt return of client money and safe custody assets in a resolution event. |
| EC 8 | Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. |
| Description and findings re EC 8 | If bank-like activities are taking place outside the supervisors’ firewall, the PRA notifies the FPC for evaluation. Under the BoE Act 1998, the FPC has the power to make recommendations to HMT on regulated activities. The committee is able to provide advice or recommendations to the Treasury on what activity should be regulated; which activities should be designated for Prudential Regulation by the PRA; and which categories of firms outside the scope of its regulation from which the PRA may collect information specifically for the purpose of promoting financial stability. When firms are operating outside of the regulatory regime, the FCA’s Enforcement and Markets Oversight Division has a dedicated Unauthorized Business Division that investigates suspected breaches of the general prohibition and/or contravene restrictions on financial promotions. |
| Assessment of Principle 8 | Largely Compliant |
| Comments | The U.K. authorities have made important progress in adopting a more rigorous and hands-on approach to supervision since the prior FSAP. The current FSAP took place during a period of continued development and transition, and offers a good stock-take of the state of the supervisory approach today as well as the outlook for its development in the future. Overall, the goal of U.K. authorities’ current supervisory approach is consistent with the objective of promoting and preserving systemic resilience. To be both effective and efficient, U.K. authorities made two important decisions.
These two decisions have influenced the shape of the U.K.’ supervisory approach in several important ways. The concentration of supervisory attention and resources on capital and liquidity in systemically important firms may have reduced the availability of attention and resources for other risk-management work within those firms. This is not to say that supervisors are doing little or no work in monitoring and evaluating risk-management in firms; on the contrary, supervisors today may be undertaking more hands-on work in evaluating risk-management practices within systemically important firms than was true in the past. Still, U.K. supervisors seem to have tipped the balance of their work toward evaluating the adequacy of those two important forms of financial resources that promote balance sheet strength. This could increase the risk that the supervisor is less aware of problematic practices and how risk is evolving in the firm. Moreover, the focus on systemically important firms may have reduced the availability of attention and resources for smaller and less systemically important firms, requiring supervisors to rely to a greater degree on automatic triggers to notify them of significant changes in risk profiles. Supervisors are compensating for the limitations by relying more on monitoring regulatory returns, data, and key ratios and trends, including mortgage lending growth; their goal is to identify outliers among smaller firms that may be experiencing unusual growth or challenges relative to their peers. Still, U.K. supervisors acknowledge that they have adopted a more responsive approach to the supervision of smaller firms. Supervisors are aware of these challenges that the current approach introduces and seek to mitigate the risk through several ways.
Still, the current approach potentially leaves open gaps. As noted below, the reviews of risk-management in even the largest firms take place over a period of years, which could leave the system exposed to undetected issues that emerge in the short run given how dynamic and competitive the largest firms tend to be, risk profiles can evolve quickly; supervisors that are less engaged in evaluating internal developments and practices could face surprises. The approach likewise appears to focus more on the risk of failure and less on slowly emerging malaise in firms, which could cause a slow drag on the financial system or the economy, although the PIF does give the authorities a means for monitoring and addressing both rapid and slow burning risks. Discussions with industry observers and participants also noted an underlying theme of inconsistencies in how supervisory teams communicate messages and recommendations to firms. Some said that the teams communicated clearly their concerns and what they expected firms to do. Others said that some teams were less clear about next steps that are expected or that the tone of the communication in face-to-face meetings was more favorable than the subsequent written communication. Assessors had an opportunity to review PSMs and other communications with firms; they noted, in general, that supervisors tended to describe key risks and concerns clearly. In a few cases, however, what the firm was expected to do was less clear other than to respond to the supervisor’s letter. Finally, the more reactive approach adopted for smaller firms increases the likelihood that smaller institutions in a particular geographic region, or classes of institutions across the financial system, could develop similar exposures over time and face similar challenges simultaneously. Outlier analysis can fail to spot broad growth in risk within many firms at the same time: if all are building up risks in the same manner, the supervisor may be less able to identify the relative increase in risk across firms. Customers dependent on similar or smaller firms could face credit crunches and other challenges at the same time. While supervisors should expect firms to behave prudently and manage their businesses appropriately, U.K. supervisors continue to rely substantially on setting out supervisory expectations for firms to follow and on the firms to inform their supervisors when they find areas in which they do not meet expected standards. Overall, the foundation for U.K. supervisors’ expectations are articulated in the “Threshold Conditions” and in the PRA’s “Fundamental Rules” and FCA’s “Principles for Business.” The approach is based on holding firms and their senior management accountable for their compliance with rules and regulations and for conducting their business in a prudent, safe, and sound manner. While supervisors may well probe and test statements more than before, especially in the largest firms, in the IMF’s view, U.K. supervisors could undertake more independent probing to ensure firms’ prudence and propriety. Given recent concerns about weaknesses in conduct and culture, it is important that U.K. supervisors continue to probe firms’ compliance, safety, and soundness more carefully and intensely than before the crisis. The U.K. supervisors nonetheless appear cognizant of these risks and, as noted above, have adopted reasonable mitigants, though some have yet to be deployed (such as the SMR). Consequently, at this time, the gaps that may exist no longer appear to be severe, warranting an upgrade since the prior FSAP’s assessment to “largely compliant” for this component. |
| Principle 9 | Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. |
| Essential criteria | |
| EC 1 | The supervisor employs an appropriate mix of on-site and off-site supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between onsite and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. |
| Description and findings re EC 1 | The PRA seeks to conduct its supervision through “CA,” aiming to update is overall evaluations of a firm’s condition, the risks it faces, and the risks it poses. For each firm, the PRA operates an annual review cycle. While the PRA seeks to evaluate each risk element annually, it may emphasize some over others such that all elements should be evaluated at least once every three years. The PRA takes stock of its assessments on annual basis through a PSM, followed six months later by a mid-point review. These check points are overseen by more senior managers, who evaluate decisions and recommendations that the supervisors make in order to ensure effectiveness and appropriateness of their supervision. In formulating its views, the PRA draws upon a broad set of information and data. Supervisors require firms to submit regulatory returns; it draws on information in public disclosures; and it may request additional, firm-specific information such as MI or forecasts. Because of the importance of the data in informing its views, the PRA may periodically validate the data, either through onsite inspections or through the employment of third parties. To support this information-gathering and analysis, the PRA requires firms to participate in meetings with supervisors. For the largest, most systemically important firms, the PRA employs a dedicated team of supervisors for each firm who conduct both onsite and offsite work, drawing on specialists from outside of the team when necessary. The team coordinates and conducts all on- and offsite supervision. Firms judged to pose lower levels of risks may be subject to less intensive supervision, drawing on supervisors who may oversee on- and offsite work for groups of institutions. The PRA’s work increases in frequency and intensity such that its engagement is higher with those firms with the most significant potential impact relative to those with less significant potential impact. At the firms with the greatest potential impact, the PRA conducts a mix of onsite testing or inspections as well as “baseline monitoring,” which includes offsite monitoring and analysis and discussions with managers and staff at the firms. PRA staff indicated that reviews of some risk elements, such as operational risk, can require up to three years to complete a cycle of reviews at one large firm. For exposures to credit risk, PRA staff indicated that they review credit risk measures and sometimes engage in testing by reviewing a variable number of loan files, etc. At firms with lower potential impact, more of the work centers on baseline monitoring and analysis, as fewer risk specialist resources are generally available. The FCA relies on a range of on- and offsite tools that it applies on a risk-based basis to firms depending on their size and risk profile. The FCA has decided to focus most of its firm-specific supervisory resources on the large and higher-risk banks in the United Kingdom. The FCA’s approach to supervision relies on three pillars, and the largest banks are subject to all three pillars, namely: proactive work, such as meetings with banks’ senior management (Pillar 1); reactive work to deal with emerging or “crystallized” risks (Pillar 2); and thematic or cross-firm work across arrange of banks (Pillar 3). In addition, the FCA prepares a periodic overall assessment (“firm evaluation”) for larger firms. Smaller banks are subject primarily to Pillars 2 and 3 work only. |
| EC 2 | The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. |
| Description and findings re EC 2 | As part of the PRA’s annual supervisory cycle, supervisors take part in an internal PSM, which includes proposing a schedule of work and an overall supervisory strategy for the firms. The results of the PSM include activities that the supervisors expect to undertake and how these activities relate to the conduction of the firm. The seniority of members of the PSM varies depending on the potential impact of the firm, with the most significant firms being discussed at senior governance committees. For the largest Category 1 firms, Executive Directors and senior staff are typically involved in the PSM; for smaller firms, the PSM may consist of heads of supervisory departments or local supervisory line management. This stratification of firms and PSM members allows for greater consistency in decision making as PSMs for firms within a group of peers share PSM members, giving visibility across the population and allowing for the level of supervisory activity to be coordinated in a more consistent manner. As noted above in EC 1, once the supervisory plan is agreed at the PSM for the largest, most systemically important firms, the relevant team conducts all on- and offsite work. For firms judged to pose lower levels of risk, a team may coordinate and conduct the supervision of more than one firm. The FCA’s approach to key pieces of firm-specific work is set out in various “How To” guides, such as carrying out a firm evaluation; carrying out an interim view; carrying out a deep-dive assessment; and assessing whether an issue is outside supervisors’ risk appetite and therefore requires supervisory intervention. Established procedures exist for supervisors carrying out thematic work to discuss their findings with firm supervisors. |
| EC 3 | The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable and obtains, as necessary, additional information on the banks and their related entities. |
| Description and findings re EC 3 | The PRA draws upon a variety of information and data to form supervisory judgments, and requires firms to submit sufficient data—of appropriate quality—to inform their judgments about material risks. The PRA periodically seeks to validate firms’ data, either through onsite inspection by PRA staff or by third parties. Supervisors gather and analyze some information on a regular basis through regulatory returns; they consider as well as information in the public domain, such as firms’ annual reports and disclosures. Other information-gathering practices are described above (see, for example, EC 1). For regulated entities that are parts of international groups, the PRA will work with other regulators via supervisory colleges and other means of communication to achieve a more-collaborative approach to supervision, including sharing and reviewing supervisory information where appropriate. Across the financial services sector, the PRA works with the FCA and the FRC where appropriate to improve the quality and usefulness of information disclosed on firms’ safety and soundness. The FCA likewise receives information from a range of sources—including from firms directly, as well as from across the FCA, from other supervisors, from customer complaints, from letters from members of parliament, and from publicly available sources. While FCA supervisors do not routinely assess the reliability of information supplied by banks, they are empowered to investigate the accuracy of the information or to require a third-party to do so where they have reasonable grounds to question the reliability of the information. |
| EC 4 | The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as:
The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. |
| Description and findings re EC 4 | The PRA reviews its judgment of the risk to firms’ safety and soundness, communicates these judgments to firms, and requires them to take action to address them. The PRA uses a variety to tools to do so, including all listed in the essential criterion. Assessors had an opportunity to review recent selected analyzes and reports similar to each of the examples cited above. In this regard, evaluating a firm against the PRA risk model includes analysis of financial statements, business model analysis, stress testing, and analyzes of corporate governance, among others. As described early under BCP 8 above (supervisory approach), the PRA relies on its PSM process to aggregate its views and consult internally and with the FCA to determine key messages. It then sends an annual letter to each firm’s Board, outlining key risks that are of greatest concern and on which it requires action, which it subsequently expects to verify for itself. The PRA sends individually tailored letters to all firms except those with the lowest potential impact (usually Category 4 and 5), where a standard letter outlines issues the supervisor has identified relative to all firms in that group, unless specific issues have been identified for a particular firm. For Category 1 firms, the deputy governor for the PRA and senior PRA staff attend major U.K. banks’ Board meetings to present the PSM messages. The PRA communicates other issues identified between annual letters and requires the firm to take action. The PRA undertakes horizontal peer reviews on a systematic basis for small firms. For larger firms, such as Category 1 firms, the PRA performs horizontal peer reviews on a particular risk issue. It considers Pillar 2 capital assessments concurrently across all Category 1 firms to ensure consistency in its assessments and judgment. The FCA is responsible for identifying risks to consumers at individual banks and across the banking system as whole that arise from banks’ conduct and risks to market integrity. Given the significant impact of the costs of redress exercises and conduct-related fines in recent years, the FCA has regular dialogue with the PRA to ensure that the PRA can take estimates of future cost into account in their assessment of bank and systemic stability. |
| EC 5 | The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. |
| Description and findings re EC 5 | FSSR within the BoE is responsible for identifying and assessing risks to financial stability from across the banking system as a whole and defining the BoE’s strategy for responding to them. For example, the PRA conducted a CST of eight major U.K. banks and building societies in 2014. Given that only one firm had fallen below that year’s threshold at the trough of the scenario, that capitalization of the financial system had strengthened further over 2014, and that the PRA had formed plans with the stress tested firms to build capital further, the FPC reached the view that the system’s resilience had improved since the capital shortfall exercise the prior year. The FPC judged that no system-wide, macroprudential actions were needed in response to the stress test. For 2015, the PRA expects all Category 1 to 4 firms to adopt the published scenario in their own stress testing. Beyond stress testing, AQRs form part of the PRA’s continuous assessment (CA) of business risk, enabling supervisors to form judgments about the quality of assets and to identify current and potential threats to a firm’s assets through concentrations, legacy risks, and market and evaluation issues. SRS may undertake sector reviews; assessments of appropriateness of valuation, provisioning, and forecasts; and assessment of risk measures, including of portfolio stress tests (see CP 17 and 18). In terms of communicating other emerging risks, the BoE publishes papers on financial stability themes; these publications are designed to offer new insight into risk management, to promote risk reduction policies, to improve financial crisis management planning, or more generally to report on particular aspects of the BoE’s systemic financial stability work. In addition, the FPC prepares and publishes a FSR twice a year. In this report, the FPC outlines its outlook for U.K. financial stability, the resilience of the U.K. financial system, the current risks to financial stability, and actions it is taking to remove or reduce those risks. The FCA communicates its views on conduct matters to individual banks or to the wider industry as appropriate, including the desired regulatory action. As an example, following a firm evaluation, the FCA sets out its views on the firm in a letter to the firm’s Board and it meets the Board to discuss its views and the required actions. |
| EC 6 | The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. |
| Description and findings re EC 6 | As part of the PRA’s CA of a firm, the supervisor evaluates a bank’s internal audit function. PRA staff meet with the audit function periodically (for Category 1 firms, it can be monthly or more, as needed, though this may vary between supervisory teams), review audit reports, and seek to understand how audit findings have been addressed. The assessment of internal audit may influence the PRA’s overall assessment of the firm and can affect the assessment of the risk-management and controls element within the PRA risk model and the PIF stage of the firm. Where the PRA feels it can rely on an internal audit function’s work, it may use firms’ internal audit functions to identify and measure risks. The FCA, in turn, engages in periodic dialogue with the internal audit function in firms that it supervises on an individual basis. A primary goal is to understand the scope of the function’s work and the extent to which it will provide insight into the conduct risks within a firm. |
| EC 7 | The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, nonexecutive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. |
| Description and findings re EC 7 | The PRA’s supervision involves engagement with firms at all levels of seniority, and the Board as a whole should expect regular dialogue with the PRA, either in groups or on an individual basis. Supervisors assess the collective Board and senior management effectiveness in setting strategy as part of the management and governance element of the PRA risk model. The exact work that the PRA undertakes varies in frequency and intensity in line with a firm’s potential impact and other factors. For a U.K. bank with a high level of potential impact (Category 1), a supervisor may hold quarterly meetings with regular heads of individual business units and meetings with nonexecutive directors (NEDs) of the firm every six months. For smaller firms (Category 2–4), meetings may be less frequent. The precise timing and structure of meetings are discussed and agreed as part of the PRA’s annual supervisory review process (the PMS). For banks that the FCA supervises on an individual basis, the FCA has a program of regular “Proactive Engagement” meetings with key Board members (such as the senior independent director and chair of key Board committees) and with senior management. These meetings are intended to help FCA supervisors understand the bank’s strategy, the conduct risks that are emerging, and how the firm is addressing those risks. The minimum number and frequency of Proactive Engagement meetings is prescribed and is also informed by judgment about the risk inherent in the firm. |
| EC 8 | The supervisor communicates to the bank the findings of its on- and supervisory analyzes in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. |
| Description and findings re EC 8 | For the PRA, on- and offsite analysis feeds into the annual PSM process, and the PRA sends an annual letter to each firm’s Board outlining the key risks that are of greatest concern and on which it requires action. The PRA expects to verify itself that the action is taken and communicates to the Board how it intends to do so. For supervisory reviews conducted throughout the year, such as specialized examinations of particular issues, the PRA communicates its findings through both verbal discussions with the firm and often with written communications such as letters to management. As noted above under EC 5, the FCA likewise sends a letter to a firm’s Board following its completion of a firm evaluation. |
| EC 9 | The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. |
| Description and findings re EC 9 | After sending its annual letter to each firm’s Board, the PRA records the issues it in its “Risk Management System” and includes details and an expected completion date for the firm’s mitigating action. Senior management within the PRA receive reports on open issues and actions, and supervisors may run reports for the firms they supervise to allow for timely follow-up. Corrective actions are reviewed at the PSM and subsequent mid-year review to ensure completion; if the actions have not been completed, supervisors may escalate the concern to the appropriate level within the PRA and include those concerns in a post-PSM letter sent to the firm’s Board. Supervisors may rely on firm attestations—which are written and signed statements indicating that the firm has corrected a matter—as a supervisory tool to ensure that a firm has remediated PRA-identified issues. Attestations may enable supervisors to implement a judgment-based approach to supervision and to place responsibility on the firm to comply. Supervisors at the FCA are empowered to determine which issues and risks require corrective action by a bank. Supervisors determine the extent of monitoring of a banks remediation, taking into account such factors as the significance of the issue and the bank’s track record in resolving past issues. Supervisors can furthermore escalate concerns about a firm’s response to senior managers at the FCA. |
| EC 10 | The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. |
| Description and findings re EC 10 | Both the PRA and the FCA expect firms to keep their supervisors informed of relevant developments about which the supervisor would expect to be notified. As noted earlier, the PRA sets this expectation through Fundamental Rule 7, and the FCA relies on a similar expectation that firms deal with supervisors in an open and honest way. With regard to the PRA, the fundamental rules are supported by more detailed PRA rules and the directly applicable requirements in the CRR (Regulation 575/2013. A PRA-authorized firm must comply with these requirements and must know what they mean for its business. A failure to comply may be relevant to a firm’s ongoing compliance with the Threshold Conditions, and may result in enforcement or other actions. |
| EC 11 | The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. |
| Description and findings re EC 11 | The U.K. authorities consult with external parties especially in two sets of circumstances. First, the PRA makes use of external auditors to inform supervisory assessments and has set out expectations in how such discussions should be managed in its SS entitled, “the relationship between the external auditor and the supervisor: a Code of Practice.” The statement notes that supervisors and auditors should seek an open, cooperative, and constructive relationship on topics of relevance to both parties. In the case of Category 1 firms, the PRA has explicit expectations for supervisors to meet bilaterally with the largest firms’ external auditors twice per year and “trilaterally” with the external auditors as well as the chair of the audit committee of the firm’s Board of Directors at least once per year. Second, both the PRA and the FCA have the ability to require the provision of a report on a firm by a “skilled person” under S166 of the FSMA 2000. These skilled persons may be engaged when the supervisor believes that a particular expertise may be necessary to evaluate an issue at a firm; when the supervisor wishes to gain an independent perspective on an issue; or when the supervisor believes that resource constraints or other supervisory priorities preclude the supervisor for conducting such work. The assessors had an opportunity to review such reports prepared by skilled persons and found the reports in general to be thorough and serious evaluations of specific issues in the target firms. |
| EC 12 | The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. |
| Description and findings re EC 12 | A central function within the BoE, the regulatory data group (RDG), processes and monitors regulatory data using various information systems. The PRA and FCA jointly rely on GABRIEL, which is a portal through which supervised firms submit regulatory forms. The RDG relies on automated solutions such as the “Alert Manager System” to identify any areas of follow-up for supervision, such as unusual changes in financial measures. Assessors viewed demonstrations of several such systems and had an opportunity to speak with staff about how the systems are used to monitor firms’ condition, track supervisors’ evaluations of issues, and inform the supervisory process. |
| Additional criteria | |
| AC1 | The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. |
| Description and findings re AC1 | Under the Financial Services Act of 2012, the NAO was made the statutory auditor of the FCA and the PRA as of April 2013. The NAO performs review the supervisors’ activities and performance and makes public its findings. Both the PRA and the FCA maintain internal audit functions within their respective organizations that may review each respective supervisor’s programs and performance periodically. Both supervisory agencies have also developed internal review functions. The PRA, for example, relies on an internal supervisory oversight function (SOF) that provides the PRA Board with assurance on the quality and effectiveness of supervision. It is not necessarily an audit or compliance function and instead supports the development of supervisory strategy within the PRA, as well as the exercise of sound supervisory judgment internally, by focusing on how the PRA engages with the firms it supervises. When necessary, the SOF can also supplement supervisory resources to address urgent priorities. The SOF is made up of about 26 staff, most of whom have prior supervisory experience. It reports directly to the PRA Board. Similarly, the FCA created a specialist review function in 2010 to assure the quality and effectiveness of its supervision of major banks and other firms. It serves as part of the FCA’s second line of defense, forming part of the FCA’s Risk and Oversight Division, and evaluates supervisory strategy, the use of supervisory tools, and supervisors’ understanding of risks. |
| Assessment of Principle 9 | Largely Compliant |
| Comments | Overall, U.K. authorities appear to have taken a more active approach to using supervisory tools especially in the portfolio of the largest and most systemically important firms. Still, vestiges of concerns identified during the prior FSAP persist. Themes carrying over from the prior FSAP relate to the depth of onsite work, especially testing and the potential reliance on “skilled persons” in place of deploying supervisory resources onsite. Another theme remains the relatively low level of application of supervisory tools to smaller firms. While it does appear that prudential supervisors are engaging in more “hands-on” supervisory work at the largest firms, some reviews and periodic “deep dives” appear to be more cursory than might be expected in firms of such significance. For example, PRA staff indicated that AQRs are conducted several times per year at Category 1 firms; these reviews can be varyingly staffed and scheduled, but can entail visits lasting few days, with three or four risk specialists and relying on the review of a limited number of loan files. In addition, staff related to the assessors insight into a variety of “conversations” that take place onsite at the largest firms, often led by experts from the supervisory risk specialists (SRS) department. Such regular dialogue is indeed an important part of contemporary supervision of large firms; however, the PRA may be able to draw greater confidence about the information gathered through such conversations by validating the information described to the supervisors. It remained unclear to the assessors how much supplemental testing and validation supervisors undertake following these regular meetings with senior executives and business leaders at the largest firms; it is consequently an open question whether supervisors are simply trusting their counterparts at the firm. To gain supplementary insight into significant issues at firms, supervisors from both the FCA and the PRA repeatedly referred to the potential use of S166 “skilled persons” reviews as a powerful tool for supplementing ordinary supervision. These views should be evaluated in the context of the CP’s admonition against “outsourcing” prudential responsibilities to third parties (EC 11). The benefits that staff cited for employing such external resources are not unpersuasive. Staff cited their sense that skilled persons can bring special insight that can carry extra weight with firms given their expertise; that skilled persons can provide an independent view to bolster the supervisors’ views; and that skilled persons may be able to perform some reviews faster and with greater focus than supervisors could, or that these external parties may be able to allow supervisors to focus scarce resources and time on other priorities. It should also be noted that firms bear the costs of skilled-persons reviews, which may also be beneficial in managing the costs and resources associated with special reviews, and that supervisors remain engaged through regular dialogue with the skilled persons and the firms. Assessors at the prior FSAP noted that S166 reviews and “deep-dive” reviews “cannot be really seen as an onsite supervision system with transaction testing, even on a on a select basis.” Assessors at the current FSAP continue to share those concerns. Supervisors shared informal statistics indicating that S166 reviews are not employed frequently in the largest firms. Assessors understand that supervisors are not seeking to outsource supervisory responsibility to third parties, yet are concerned that relying on such tools can reduce the sense that such skills and expertise need to be developed and maintained within the supervisor staff so that the authorities can deploy expert judgment more frequently and more consistently across the broad population of firms they supervise. S166 reviews convey real benefits in situations requiring particular expertise or significant resources; supervisors should employ such resources with care, as U.K. authorities agree that the use of external consultants should not be viewed as a way to reduce the need for supervisors to develop appropriate skills and knowledge. Finally, while supervisors have developed a suite of tools that are important to evaluating safety and soundness and firms’ condition and performance, the use of these tools is highly concentrated in the largest and most systemically important firms. Some onsite reviews and testing does seem to take place in Category 2 firms, though the assessors could not confirm that this was more than sporadic. Supervisors acknowledged that a more reactive approach has been adopted for smaller firms, with automated “baseline” monitoring serving as the primary tool for conducting day-to-day supervision. |
| Principle 10 | Supervisory reporting. The supervisor collects, reviews and analyzes prudential reports and statistical returns50 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. |
| Essential criteria | |
| EC 1 | The supervisor has the power51 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss (P&L), capital adequacy, liquidity, LE, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. |
| Description and findings re EC 1 | Art. 65(3) of the CRD requires competent authorities—which are the PRA and the FCA in the United Kingdom—to have all information gathering and investigatory powers that are necessary for the exercise of their functions, including the specific powers set out in 65(3)(a). The EU harmonized supervisory reporting requirements—provided for in the CRD and EC regulations on reporting—encompass a comprehensive range of information for the supervisor to perform a risk assessment, including:
As per the CRR, reporting is due both on a consolidated (prudential) and solo level and it covers on- and off-balance sheet items. All banks are required to prepare and deliver common reporting (COREP). The reporting requirements are defined by EBA ITS on supervisory reporting, which were introduced in Q1 2014 and are being phased in over a number of years. Frequency varies between reporting from monthly (liquidity) to quarterly and semi annual or annual for some individual templates. COREP data must be reported on both a solo and consolidated basis by all firms covered by the CRR, while FINREP is mandatory only for international financial reporting standards (IFRS) institutions at consolidated level (though NCAs can extend to GAAP firms on consolidated level). Solo level reporting remains national discretion. NCAs can require regular reporting outside the scope of the ITS on supervisory reporting. COREP covers capital adequacy, liquidity, LE, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, and market risk; while FINREP covers, inter alia, on- and off-balance sheet assets and liabilities, and P&L. The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise of its functions under FSMA (S165) and also from those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the United Kingdom (S165A). The PRA also has the power under FSMA to make rules, and has made rules, requiring firms that it regulates to submit regular reporting (for example, the main regulatory reporting rules are known as Supervision (SUP) 16.12 in the PRA Handbook, soon to be moved over to the PRA Rulebook as the Regulatory Reporting Part). FINREP data for solo entities and for firms that do not report according to FINREP are collected on a regular basis using PRA-specific supervisory reporting templates. As well, under the PRA’s S55M FSMA powers, the PRA may impose a requirement on a regulated firm, which could include a regular reporting requirement, including, inter alia, on- and off-balance sheet assets and liabilities and P&L items for non-FINREP reporters and interest rate risk. |
| EC 2 | The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. |
| Description and findings re EC 2 | According to the CRR (Art. 99(2)), FINREP reporting templates for supervisory purposes are required to be based on the IFRS at the consolidated level (see EC 1). At the solo level, reporting can be based on local Generally Accepted Accounting Principles (GAAP) and national discretion can be exercised to require IFRS for solo reporting of FINREP. Reporting instructions are included in Commission Implementing Regulation (EU) No. 680/2014 that contains detailed instructions for the submission of supervisory reporting. FINREP reporting is based on IFRS and adapted also for national GAAPs. To ensure consistency and comparability of information, the ITS indicates that firms should use the same accounting framework for both own funds and FINREP. FINREP reporting templates for supervisory purposes are required to be based on the IFRS (see EC 1) for firms that meet that meet the criteria of CRR (Art. 99(2)). As the United Kingdom has not exercised the national discretion, under Art. 99(3) CRR, to require FINREP reporting, also to those firms that do not meet the criteria of CRR Art. 99(2), they report P&L and balance sheet data using U.K.-specific FINREP templates. The PRA asks firms to submit regulatory returns—including COREP and its own supervisory reporting returns–using their normal accounting practice or applicable accounting framework at that time. For most firms, the relevant framework is IFRS or U.K. GAAP (but some firms use other national GAAP frameworks, e.g., U.S. GAAP). Reporting instructions for U.K. regulatory returns, including information about the accounting standards to be used, are available on the BoE’s website. For example, Annex 25A of SUP 16 provides guidance on the completion of returns required SUP 16.12. On April 7, 2015 the PRA published a note setting out the basis under which it will accept regulatory returns during the transitional period for first-time adopters of FRS 102 that are currently applying old U.K. GAAP (meaning pre-FRS 102 U.K. GAAP). General Prudential Sourcebook (GENPRU) 1.3 sets out general rules and guidance as to how a firm should recognize and value assets, liabilities, exposures, equity, and income statement items. These are consistent with IFRS and U.K. GAAP accounting standards (whichever applicable) |
| EC 3 | The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. |
| Description and findings re EC 3 | Art. 24 of the CRR specifies that the valuation of assets and off-balance sheet items shall be effected in accordance with the applicable accounting framework. Art. 76 of the CRD requires that the management body will devote sufficient time to the consideration of risk issues as well as the valuation of assets, the use of external credit ratings and internal models relating to those risks (see para. 2). The RTS for prudential valuation (EBA/RTS/2014/06/rev1) establishes approaches for prudential valuation adjustments as required by the CRR for traded instruments (simplified and core approaches). The final draft has been published and is pending approval by the EC. The PRA requires banks to establish and maintain systems and controls sufficient to provide prudent and reliable valuation estimates under GENPRU 1.3.13 in the PRA Handbook. The onus to comply is on the banks themselves. For the largest firms, the PRA assesses compliance at a high level through desk-based reviews of firm’s MI (prepared offsite via extensive analysis of MI sent by the bank and supported by a two to three hour meeting with the firm). Risk specialists conduct assessments of major firms’ valuation frameworks in various forms, including via high level semiannual CA reviews, thematic reviews, and assessments of applications for internal models approaches (IMA) permissions. The aim of the review is to evaluate the effectiveness of banks’ governance frameworks, policies, and controls around accounting system valuations. Accounting experts review major firms’ disclosures in conjunction with front line supervision. The PRA can require banks to make adjustments to their reporting for capital adequacy/regulatory reporting purposes when it determines that valuations are not sufficiently prudent. Where any concerns are identified the PRA may undertake additional work. Supervisors can also use powers under FSMA (S166) to require external experts (“skilled persons”) to review aspects of the processes for determining valuations. Banks may be required to address any deficiencies. Where the supervisor does not consider banks’ governance structures and control processes suitable, then it applies add-ons/scalars to account for the uncertainty concern. The PRA can take enforcement action in response to poor reporting. The PRA adopts a risk-based approach and, hence, risk specialists focus on the more systemically important (Category 1) firms and on the positions that supervisors have identified as having material valuation risk. A systematic approach for reviewing all mark to market positions has not been established. As the smaller firms do not typically have assets that mark-to-model and do not have trading books, many of the more difficult problems in the area of valuations do not apply to them. However, where it is relevant to a small bank, the supervisor seeks specialist support and cover as part of their supervisory strategy if they consider it to be a material risk. For example, supervision and valuation specialists have conducted valuation reviews of material Category 2–4 firms that have trading books. Supervisors also discuss on a frequent basis with the firm and external auditors. Valuations are picked up as part of the meeting with the external auditors; however these meetings focus on accounting valuations rather than regulatory valuations. The United Kingdom has an established prudent valuation approach, which has led to developing, both reporting requirements and technical standards for prudent valuations. Starting December 2010, relevant U.K. firms have been required to report prudent valuation adjustments in quarterly reports. U.K. firms are required to deduct prudent valuation adjustments from capital. Other ongoing reforms include changes to U.K. GAAP, which will increase the emphasis on fair value accounting for those firms that use U.K. GAAP. Unrealized gains or losses currently concealed in assets that are valued at historic cost will be revealed. |
| EC 4 | The supervisor collects and analyzes information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. |
| Description and findings re EC 4 | The EBA ITS on supervisory reporting sets out the frequency at which COREP and FINREP returns have to be collected. The required frequency depends on the nature of the information requested; for example, banks report liquidity data on a monthly basis; comprehensive capital adequacy and FINREP data on a quarterly basis; and some FINREP templates on a semiannual or annual basis. CRD Art. 104(1)(j) enables the PRA to impose additional or more frequent reporting on a firm or firms similar risk profiles, including reporting on capital and liquidity positions. Accordingly, the PRA requires the highest impact firms to report capital data (including projections) on a monthly basis (via the Capital+ return), and liquidity data both more frequently (weekly) and with greater detail (e.g., banks’ funding plans). COREP and FINREP also provide for proportionality—reducing reporting requirements for smaller firms, as do the reporting requirements set out in SUP 16.12 of the PRA Handbook. For example, materiality thresholds ensure that less detail is required to be reported for firms below a certain size and/or positions below a certain monetary value. PRA-specific returns are also required to be reported at a frequency appropriate to the nature of information and size of firm. The reporting frequencies for PRA handbook returns are set out in SUP 16.12.6. Detailed firm data are collected to support the annual stress testing cycle, which currently focuses on systemic U.K. firms. Most of these data are reporting annually, but some are collected on a more frequent basis. Where additional risk is identified (e.g., during a stress), then the supervisor may request information of increased detail/frequency as they consider appropriate. In April 2015, the PRA published policy statement PS8/15 setting out a rule requiring incoming firms and third country firms to submit a branch return on a six-month basis. The branch return will provide the PRA with information about the U.K. activities of these firms. The reporting burden imposed on firms by new nonmandatory data collections is reviewed by PRA/FCA governance structures to ensure that it is proportionate and that the data are collected at an appropriate frequency. Typically, returns are allocated to supervisors for review based on their area of focus and expertise, for example: capital and leverage; credit risk; market risk; operational risk; LE; and/or liquidity risk. The review process is currently focused on COREP data and the PRA handbook returns. FINREP data will be incorporated into the process as soon as practical. Reviews are carried out in line with the relevant reporting frequency and conducted at group level and/or solo level aligned with the PRA’s overall supervisory approach. For example, liquidity returns are reviewed based on liquidity subgroups, rather than on a solo level. The reviews are based on time series of key data judged to be reliable high-level indicators of a changing risk profile. This includes regulatory limits, such as LE limits and capital ratios. Any supervisory observations of material movements or actions taken with the firm are recorded as part of the process. Supervisors of the major U.K. deposit takers draw extensively on firms’ own MI as well as regulatory data. The PRA receives monthly MI from firms considered complex and of high impact. The PRA receives MI as and when it needs it from smaller and less complex firms. Building societies and credit unions that are rated as Category 2–4 firms are currently subject to the same frequency and level of review although the PRA is exploring alternative options in this area. For international banks, the requirements to review regulatory data are more detailed and more frequent for larger firms than for smaller firms, which reflect the PRA’s risk-based approach. Review processes are complemented by automated alerts against defined criteria (e.g., breach of LE rules), which are notified to supervisors in the e-mails announcing receipt of the data items. Supervisors acknowledge the alert within five days of it being generated, and within 10 days record a decision as to what action (if any) should be taken. Possible actions could include no action, following up with the firm via a phone call or other means (e.g., to sanitize the data), through to informing a decision to take a S166 action (when the data issues are deemed to be more serious and/or persistent). Alerts are closed off when the actions are complete. The internal capital adequacy assessment process (ICAAP), which is reviewed annually for larger firms and biennially for smaller firms, also contains firm data of a more detailed and granular nature than is obtained through the regular cycle of regulatory reporting. Regulatory data is also used to produce peer analysis e.g., capital, liquidity and LE of the largest eight U.K. banks—which is used by supervisors to supplement their individual analysis, identify outliers, and trends. As part of the PRA’s project for utilizing the broader data collection under CRD IV, the PRA is developing an IT project to expand the PRA’s analytical tools to support analysis of the regulatory data. |
| EC 5 | In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). |
| Description and findings re EC 5 | Standardized regulatory returns under the U.K. and EU regulatory framework COREP, FINREP, and SUP 16.12 define reporting dates and periods and reporting requirements for all firms meeting a verifiable set of criteria. Different balance sheet and P&L collections exist for solo and consolidated entities (for FINREP reporters) and between FINREP and non-FINREP reporting firms. This difference in the financial reporting regimes that apply to solo and consolidated entities, and between firms that use IFRS and local accounting standards is being addressed as part of the PRA data-stocktaking exercise, which is considering the feasibility of replacing existing financial reporting under U.K. GAAP (balance sheet and P&L returns with less granularity and no accounting, sectoral, or geographical breakdown) with reports that are consistent with the FINREP templates. COREP reporting is required to be on a calendar quarter. All other reporting requirements, including FINREP, allow firms to follow their own reporting cycle based on the firms’ year-end. |
| EC 6 | The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal MI. |
| Description and findings re EC 6 | Art. 4 of the CRD regarding designation of powers to the NCA provides the legal basis for supervisors to have access to all relevant information from banks as well as entities in the wider group. Para. 3 states that MS shall ensure that appropriate measures are in place to enable the NCA to obtain the information needed to assess the compliance of institutions, and of FHCs and MFHCs. Para. 5 states that MS shall also ensure that internal control mechanisms and administrative accounting procedures of the institution permit the checking of their compliance with such rules at all times. Art. 65(3) CRD requires competent authorities—which the PRA is for purposes of CRD IV in the U.K—to have all information gathering and investigatory powers that are necessary for the exercise of their functions. The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise by the PRA of its functions under FSMA (S165) and also from entities in the wider group, including those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the U.K. (S165A FSMA). Fundamental Rule 7 of the PRA Rulebook requires firms to be open with the PRA, and provide it with information that it can reasonably expect for the performance of its regulatory duties. SIG1 (Information Gathering) of the PRA Rulebook gives the PRA rights of access to relevant staff and information at firms which it supervises. The PRA requests firms to report the information it requires for supervisory and resolution purposes on a regular and/or ad hoc basis, as it deems appropriate. For example, the most systemically important U.K. headquartered firms provide detailed FINREP data via firm data submission framework (FDSF) templates that are used for stress-testing purposes. MI—including Board and Board committee papers—are regularly received and reviewed as well as other information required to enable supervisors to identify and assess risks. |
| EC 7 | The supervisor has the power to access52 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. |
| Description and findings re EC 7 | Art. 65 of the CRD provides the legal basis for the supervisor to have unfettered access to the managing body (Board), senior management, and staff as required to discharge the mandate of the NCAs (see para. 3). The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise by the PRA of its functions under FSMA (S165) and also from those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the U.K. (S165A FSMA). Fundamental Rule 7 of the PRA Rulebook requires firms to be open with the PRA and provide it with information which it can reasonably expect for the performance of its regulatory duties. SIG1 (Information Gathering) of the PRA Rulebook gives the PRA rights of access to relevant staff and information at firms which it supervises. Supervisors regularly meet with senior executives and Board members as part of their CA program and under the PRA powers to mandate meetings with holders of SIFs within a bank. For all Category 1–4 firms, there is a planned schedule of meetings with senior management and control function heads, with increased frequency for more systemically important firms. Supervisors attend firm Board meetings to present the findings of PSMs. For Category 2–4 U.K. banks, supervisors meet with the executive and some NEDs annually during the SREP and L-SREP process. Supervisors also meet the entire Board together or individually as part of a biennial review of Board-level governance. |
| EC 8 | The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. |
| Description and findings re EC 8 | Art. 4 CRD requires that MS empower NCAs to obtain the needed information. Art. 67 paras. (e) to (m) establish the capacity for the NCA to enforce compliance with the requirement that information submitted for regulatory purposes is accurate and timely. Section SUP 16.3 of the PRA Rulebook sets out general requirements for firms to submit reports as required by the relevant parts of SUP 16 on a timely basis. The PRA Rulebook (Notification 6) states that a firm must take reasonable steps to ensure that all information it gives to the PRA in accordance with a rule is complete and accurate. If a firm is unable to obtain the information required, then it must inform the PRA that the scope of the information provided is, or may be, limited. If a firm becomes aware, or has information that reasonably suggests that it has or may have provided the PRA with information which was or may have been false, misleading, incomplete, or inaccurate, or has or may have changed in a material particular, it must notify the PRA immediately. The notification must include: details of the information which is or may be false, misleading, incomplete, or inaccurate, or has or may have changed; an explanation why such information was or may have been provided; and the correct information (if the correct information is not available, it must be provided as soon as possible afterwards). S398 of FSMA makes it an offence for a firm knowingly or recklessly to provide the appropriate regulator with information which is false or misleading in purported compliance with the appropriate regulator’s rules or any other requirement imposed by or under the Act. An administrative fee of GBP 250 used to be levied on firms for late or incomplete regulatory reporting (SUP 16.3.14R). The fee was an administrative charge levied in order to recover the costs of pursuing late returns and was not meant to be used as a penalty or a deterrent. Following a consultation, it has been deleted. Failure to submit a report in accordance with the SUP 16 or the provisions of relevant legislation may also lead to the imposition of a financial penalty and other disciplinary sanctions. Under FSMA, the PRA has powers to intervene where there is persistent late or incomplete reporting, for example, by commissioning a S166 report. There are instances where the PRA has used S166 powers in response to poor reporting over the past couple of years. The PRA holds senior management responsible for the accuracy of their firm’s regulatory reporting, just as the PRA holds them responsible for everything else that happens on their watch. The production and integrity of the firm’s financial information and its regulatory reporting under the regulatory system is one of the prescribed responsibilities set out in the PRA’s SMR, which came into force in March 2016. The PRA takes into account the quality and timeliness of firm’s CRD regulatory returns when assessing firm’s risk management & controls; and may require firms submitting poor-quality data to take mitigating actions or increase capital and liquidity add-ons. The assessors found evidence of the used of skilled person reports (S166 FSMA) to investigate serious and/or persistent quality issues in the supervisory reporting. The reports produced by the skilled persons appear thorough in the analysis and detailed in the recommendations, facilitating the PRA’s follow-up. As the cost of the investigation is borne by the regulated entity, a wise use of skilled persons could set the right incentives for banks’ management to devote the needed attention to data quality in general and to the quality of regulatory reporting in particular. As the SMR only came into force in March 2016, the mission could not assess its effectiveness in ensuring that the responsibility for the production and integrity of the firm’s financial information and of its regulatory reporting is assigned to the appropriate level of the bank’s senior management. |
| EC 9 | The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.53 |
| Description and findings re EC 9 | There are multiple lines of defense to determine the validity and integrity of data. Validation rules for COREP and FINREP reporting are set out in the EBA ITS, and are automatically applied on submission. Validation rules are also automatically applied to the existing PRA Handbook returns (i.e., those set out in SUP 16.12). Following receipt of the validated data, the PRA’s RDG carry out a program of plausibility checking (comparison to previous periods and using available information), focusing on data sets that supervisors indicate are of greatest importance, such as capital adequacy, liquidity, and FINREP returns. The RDG use their plausibility checking processes to motivate regular dialogue with firms with a view to getting clarification on and improving data quality. Firms are asked to resubmit their data at the relevant reporting level (i.e., consolidated or unconsolidated or solo levels) where the data are materially incorrect. In extremis, this dialogue can be formalized by using S166 powers to instigate a review of a firm’s supervisory reporting. The S166 powers are used to require external experts to review certain aspects of a bank’s operations and the PRA has powers over their selection. The s166 powers have occasionally been used to test the completeness and accuracy of regulatory returns in compliance with PRA rules. All queries arising from plausibility reviews are initially sent to supervisors for their input/feedback. Following feedback from supervisors, unresolved queries are sent onto firms for resolution. |
| EC 10 | The supervisor clearly defines and documents the roles and responsibilities of external experts,54 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. |
| Description and findings re EC 10 | Powers under S166 FSMA are used to require external experts to review certain aspects of a bank’s operations and PRA has powers over their selection. When contracting directly with a skilled person, the PRA uses a panel of suitable suppliers to tender the S166 review; equally, where the firm has been directed to contract with a skilled person, the PRA directs the firm to the skilled persons in the relevant lot(s) on the panel. Skilled-person firms are subject to a robust set of criteria to be included on the Panel, which helps ensure a consistent and high quality approach to conducting skilled person reviews. As part of the tender process, the PRA scrutinizes the existence of potential conflicts of interest and the skill set of the proposed team with reference to the curricula vitae (CVs) in the proposal and the total proposed days by grade of staff. The panel of suitable suppliers was established from April 1, 2013 by both the PRA and FCA; see http://www.bankofengland.co.uk/pra/Documents/supervision/activities/skilledpersonpanel.pdf. |
| EC 11 | The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. |
| Description and findings re EC 11 | The PRA uses external experts when commissioning reviews under its S166 powers to require the provision of a report on a firm by a skilled person. When contracting directly, the PRA enters into a legal contract with the skilled person which requires the skilled person to communicate to the PRA information on or opinion on matters of which they have become aware in their capacity as a skilled person reporting on the firm, as set out in the section use of skilled persons 3.1(1)(b) of the PRA Rulebook. The skilled person is also expected to “maintain an open line of communication” with the PRA and to inform the PRA of “any significant developments as and when they occur.” Where a firm is directed to contract with a skilled person, the firm has an obligation to require the skilled person to communicate with the PRA in line with use of skilled persons. The PRA’s SS, reports by skilled persons (SS 7/14) lays out expectations of skilled persons, regard to communication. According to SS 7/14, the PRA expects the skilled person normally to give a periodic update on progress and issues during the engagement directly to the PRA. It may also be appropriate for the skilled person to communicate matters of material significance to the PRA set out in the rule on use of skilled persons 3.1(1)(b) without first informing the firm. |
| EC 12 | The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. |
| Description and findings re EC 12 | For CRR-mandated reporting, the EBA reviews the ITS through question and answer (Q&A) processes, which the PRA is engaged with. For nonharmonized reporting, all new data collections are subject to the PRA’s data governance processes. Ad-hoc data collections (those that are not enshrined in EU legislation and/or the PRA Handbook) approved by the PRA’s data governance body are subject to sunset clauses that mean that the need for those data collections has to be reexamined. Supervisors agree the information they want firms to provide on a periodic basis. This is normally undertaken during the PSM process. The PRA is currently undertaking its first iteration of internal data stock takes. The guiding principles for the review include rationalizing the number of data collections and in particular reducing duplication, imposing proportionality with greater rigor, and where possible standardizing definitions and also aligning them with those used in the CRD data collections. The approach the PRA is taking to the data stock take is to create an inventory of existing data collections—by 14 broad data/risk categories (for example, balance sheet and P&L, capital and leverage, etc.) and to compare these with data requirements identified across the PRA and the relevant areas of the BoE. The gaps and/or redundancy that are revealed by this comparison inform the proposals for any changes to data collected. The process should be completed by 2016. Implementation of any new data reporting will be phased, and will take account of other significant initiatives such as the introduction of the new International Accounting Standard (IAS) IFRS 9 in 2018 and, in the U.K., structural reform in 2019. It is likely that, in future, stock takes will take place via a rolling review across the risk categories, and be aligned with developments in international or internal data requirements. There is already a well-established precedent of reviewing statistical data in the BoE on this basis, where a rolling review of each reporting form takes place within a five-year cycle. |
| Assessment of Principle 10 | Compliant |
| Comments | The collection of data for supervisory reporting has generally improved since the previous FSAP, as recognized also by several industry representatives. This is, at least partly, the results of the U.K. adoption (like for all the other MSs) of the EU-harmonized reporting framework, which is more structured than the pre-existing U.K. approach, and may lead to greater consistency and an increased ability to assess exposures and risks across firms. The creation of a PRA data governance group is also improving the decisions supervisors make about what data to gather (and which ones to discontinue) and how to make use of it. Opportunities remain for U.K. supervisors to develop better data on credit exposures and performance (see CP 17): as noted in the assessment, this does not necessarily mean that supervisors should support the creation of a central credit register; nonetheless, supervisors should consider more ways to enhance their ability to monitor and interpret trends in credit and in credit markets across the industry. When the harmonized reporting is based on the FINREP scheme, which applies only to banks under the IFRS accounting regime, the U.K. authorities should set up similar (though proportionate) reporting schemes for non-FINREP banks, at least with respect to the most relevant risk categories (see CP 20). |
| Principle 11 | Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. |
| Essential criteria | |
| EC 1 | The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. |
| Description and findings re EC 1 | Supervisors maintain communications with the firm’s management and hold key meetings during the PSM process; the results of risk assessments are formally communicated to the firm in a letter, along with required actions to mitigate the risks identified. The firm is then subject to monitoring and further meeting or visits to evaluate progress on those items. To propose significant corrective actions, the PRA has published for staff and the public the “PRA Regulatory Decision-Making Framework” that sets out an overview of the process through which the agency makes decisions. This tool, for example, differentiates the decision-making process for addressing issues in firms that require statutory notice, such as decision to vary a firm’s permission to engage in regulated activities, versus decisions that may not require statutory notice. Given their implications for a firm’s business or for the PRA’s objectives, decisions to require corrective actions or sanctions that require statutory notices typically involve a more senior level of management in the PRA, up to the PRA Board. This framework appears to be helpful to ensure that decisions to sanction or to use corrective powers on firms are handled consistently and appropriately across the PRA, with a prescribed level of review and sensitivity. |
| EC 2 | The supervisor has available55 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations, or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. |
| Description and findings re EC 2 | The FCA and PRA have the legal powers under FSMA 2000 to take an appropriate range of remedial actions against banks, including imposing penalties. In addition to using formal tools, informal tools, such as reaching voluntary agreement with a firm through negotiation or persuasion, are also available. The tools available to supervisors range from making recommendations for remedial action, imposing individual requirements under S55L and S55M of FSMA, to actions that involve restricting a firm’s activities, such as withdrawing or varying a firm’s permission to carry certain regulated activities. |
| EC 3 | The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. |
| Description and findings re EC 3 | The EU provides regulations to address breaches against threshold requirements and also to intervene at an early stage. The conditions for the use of the “early intervention” are “where an institution infringes or, due, inter alia, to a rapidly deteriorating financial condition, including deteriorating liquidity situation, increasing level of leverage, NPLs or concentration of exposures, as assessed on the basis of a set of triggers, which may include the institution’s own funds requirement plus 1.5 percentage points, is likely in the near future to infringe the requirements of the CRD and CRR. MS shall ensure that competent authorities have at their disposal, without prejudice to the measures referred to in Art. 104 of Directive 2013/36/EU where applicable, at least the following measures:”
In the U.K., HMT used its powers to amend Schedule 6 of the FSMA 2000 and issued the FSMA 2000 Order 2013 (the Threshold Conditions Order). Under this order, Threshold Conditions were set out for firms authorized and supervised by the FCA; FCA-specific conditions for firms authorized by the PRA and subject to dual regulation; and PRA-specific conditions for insurers and for other PRA-authorized persons. The PRA can use its power to impose requirements under S55M of FSMA 2000, to vary the bank’s permissions under S55J at an early stage based on whether a bank is or was likely to breach the Threshold Conditions set out in the Order. The FCA and PRA have powers under Part 4A of FSMA 2000 to intervene at an early stage to require a bank to take action to prevent it breaching regulatory threshold requirements or to limit activities appropriately. In addition to the above, the PRA’s PIF requires supervisors to assess at least annually (and in response to development) each firm’s proximity to failure and sets out expectations for the supervisor’s responses at each of five stages.56 |
| EC 4 | The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. |
| Description and findings re EC 4 | The PRA’s power under S55M to impose requirement may be used to impose more stringent prudential limits upon banks. The FCA has a parallel power to impose requirements under S55L; however, in dual-authorized firms for which the PRA is the prudential supervisor, the FCA applies requirements related to conduct. The PRA or the FCA may require corrective action to be taken, impose requirements, withhold approval of new activities or acquisitions, or all other responses enumerated in EC 4. |
| EC 5 | The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. |
| Description and findings re EC 5 | The PRA and FCA may apply sanctions to individual approved persons, including those within a firm performing a SIF, where they breach FCA or PRA rules of conduct or are knowingly involved in a breach by the firm of the PRA or FCA’s rules or requirements. Sanctions may include making public statement of the misconduct; imposition of fines; and suspension from performing their approved functions. Where the PRA or the FCA considers that a person is not “fit and proper” to carry out functions in a regulated firm, it may withdraw the person’s approval to do so, or prohibit the individual from carrying out any functions in a firm for such period as it considers suitable. |
| EC 6 | The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. |
| Description and findings re EC 6 | The PRA may use its powers to impose requirements on authorized firms under S55M to ring-fence the authorized entity from parents, subsidiaries, parallel-owned banking structures, and other related entities. Use of this power would, of course, be subject to EU law. The FCA may impose requirements under S55L FSMA 2000. Both supervisors may also direct U.K. parent undertakings to take certain steps, under S192C. |
| EC 7 | The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). |
| Description and findings re EC 7 | The PRA is responsible for determining that a banking institution is failing, or likely to fail, its Threshold Conditions. The BoE, following consultation with the PRA and others, is responsible for determining that it is not reasonably likely that action will be taken by or in respect of the institution that will enable the institution to meet those conditions. This situation opens up the possibility for the BoE to use the resolution process set out in the Banking Act 2009. See also the discussion of the resolution process under BCP 8, Supervisory Approach, for additional insight into the coordination that takes place between the PRA and the RD of the BoE. |
| Additional criteria | |
| AC1 | Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. |
| Description and findings re AC1 | S2B of FSMA 2000 sets out the PRA’s general objective to promote the safety and soundness of PRA authorized persons. S2B(3) of FSMA 2000 provides that this is to be achieved primarily by seeking to ensure that the business of PRA-authorized persons is carried on in a way that avoids any adverse impact on the stability of the U.K. financial system and by seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system. These provisions have the cumulative effect of requiring supervisors to take corrective action in an appropriate and timely manner. The PRA’s PIF process sets out the key steps that should be taken to ensure a timely response. FSMA 2000 additionally provides for the possibility of independent inquiries into the PRA’s actions in certain circumstances, in particular, should it appear that events had occurred which had, or could have had, a significant adverse effect on the safety and soundness of one or more PRA-Authorized. Such inquiries may be triggered by HMT or by the PRA itself. |
| AC2 | When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. |
| Description and findings re AC2 | FSMA 2000 requires the PRA to consult the FCA (and in certain circumstances to obtain its consent) in a variety of regulatory contexts, including when authorizing a firm or approving an individual (FCA consent required); imposing a requirement or variation of permission (consultation required); making rules (consultation required); and taking disciplinary action against a firm or an individual (consultation required). |
| Assessment of Principle 11 | Compliant |
| Comments | The PRA and FCA have the tools necessary to require corrective actions of firms or to issue sanctions. If a firm appears to be in breach of a Threshold Condition, or is likely to breach a Threshold Condition, U.K. supervisors can impose requirements on the firm or vary its permissions. Generally the firm will be given an opportunity to take corrective action, but should the firm fail to do so, the PRA will consider (among other options) whether to trigger the first step toward beginning the resolution process articulated in the Banking Act 2009. In the prior (2013) FSAP, U.K. authorities received a recommendation that more proactive use of such tools would be aided by the development of a more formal early intervention framework. The creation of the PRA’s PIF, with five explicitly defined stages, provides U.K. supervisors with a more formal process and a supervisory tool that describe steps supervisors—and the RD of the BoE—must take as a firm’s condition deteriorates. |
| Principle 12 | Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.57 |
| Essential criteria | |
| EC 1 | The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks may jeopardize the safety and soundness of the bank and the banking system. |
| Description and findings re EC 1 | Arts. 97–98 of CRD determines the SREP, and establish that supervisors need to understand the risks the institutions are exposed to and the risks the institution poses to the financial system. There are no specific requirements concerning the supervisory review of the structure of the group and risks brought by nonbanking activities and group-wide management. The 2014 EBA Guidelines on common procedures and methodologies for SREP recommends supervisors include in their SREP process an evaluation that the banks have established an effective group-wide MI and reporting system applicable to all material business lines and legal entities, that the management bank has established consistent group-wide strategies including a risk-appetite framework; and that group risk-management covers all material risks regardless of whether the risk arises from entities not subject to consolidation. PRA To understand the overall structure of banking groups, and to ensure its familiarity with all material activities conducted by entities within wider groups, the PRA relies on a combination of CA—meetings with key control functions and which oversees overseas regional and country heads supervisory colleges, and bilateral contact with overseas regulators—and onsite reviews of selected overseas operations (see EC 4 below). The PRA monitors the contribution of all business lines (including nonbanking activities) to the consolidated financial performance and risk profile of the bank. Supervisors conduct thematic reviews of nonbanking activities, e.g., custody services. U.K.-regulated insurance activities within banking groups are supervised by a separate supervisory team in the PRA’s Insurance Department. To understand and assess group-wide risks, each high-impact banking group has a dedicated PRA supervision team. These teams carries out a CA program to assesses and respond to the risks posed by the group to the PRA’s objectives. Supervisory activities are organized around the PRA risk model (see BCPs 8 and 9). The SREP takes place in accordance with the CRD and the 2014 EBA ‘Guidelines on Common Procedures and Methodologies for SREP.’ For U.K. banks with activities elsewhere in the EEA, this involves a joint risk assessment and decision (JRAD) process, as required by CRD. Matters on which the CRD encourages joint decision include ratings of risk management, agreement on Pillar 2 capital add-ons, liquidity and recovery plans. As consolidating supervisor, the PRA collates input from host regulators and coordinates discussions and approval processes. The PRA tests the resilience of major banks’ capital ratios through its annual CST exercise. The 2015 stress test scenario includes greater stress in the locations and market segments where major U.K. international banks are active, in order to test the risks of contagion from international operations and markets activities to the U.K.-based groups. PRA supervisors have regular dialogue with the FCA on conduct-related matters, as these could affect safety and soundness through direct financial impact of fines or redress, through business restrictions or through reputational risk. In addition, PRA and FCA regularly conduct joint thematic reviews; current examples include ‘CBEST’ (a cyber vulnerability testing framework) and ‘Dear Chairman 2’ (a critical infrastructure and technology resilience exercise). As discussed in EC 6 (below), the PRA has implemented on several occasions ‘supervisory ring-fences’ or ‘specific supervisory measures’ in order to mitigate risks to safety and soundness of U.K. subsidiaries arising from other entities within the group. Other actions taken by PRA supervisors where contagion and reputation risks jeopardize the safety and soundness of the bank or of the banking system include monitoring daily liquidity of the entity, requiring regular updates from the firm and asking for notification before external announcements are made. The PRA may establish internal crisis groups encompassing relevant stakeholders from across the BoE. For instance, crisis groups may include relevant supervision directorates, markets directorate, legal directorate, prudential policy directorate and the RD. Crisis groups may also include the FCA. PRA supervisors will liaise closely with relevant international regulators, usually via supervisory college arrangements. FCA The FCA seeks to understand the structure of a banking group and the entities within it where risks to consumers and to market integrity may arise. The FCA’s supervision is not confined to the main bank within a group but instead covers all material business units and legal entities where these risks arise. This includes understanding how these risks are identified and managed across the group. It also includes periodically quantifying and making the PRA aware of the financial impact of redress and remediation exercises across the group, and where possible likely fines. The FCA communicates with the PRA regarding financial redress and remediation exercises in a number of ways, including:
|
| EC 2 | The supervisor imposes prudential standards and collects and analyzes financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, LE, and exposures to related parties, lending limits and group structure. |
| Description and findings re EC 2 | Art. 436 of CRR states that banks must disclose “an outline of the differences in the basis of consolidation for accounting and prudential purposes, with a brief description of the entities therein, explaining whether they are:
Prudential standards established by the CRD are imposed at different levels of consolidation:
CRR Art. 6 (1) states that: Parts 2 (Own Funds), 3 (Capital Requirements), 4 (LE), 5 ((Exposures to Transferred Risk); and 8 (Disclosure) are to be complied with on individual basis. CRR 6(4) applies Part 6 (Liquidity) on an individual basis and CRR 6(5) applies Part 7 (Leverage) on an individual basis. CRR 6(3) alters individual disclosure requirements for institutions that are part of consolidation groups. In addition, “parent institutions”58 must comply, on a consolidated basis, with Part 2 (Own Funds), 3 (Capital Requirements), 4 (LE), and 7 (Leverage) under CRR Art. 11(1) and with Part 6 (Liquidity) under CRR 11(3). Institutions controlled by a parent FHC or parent MFHC must comply, on a consolidated basis of the parent FHC or MFHC in a MS, with requirements on Part 2 (own funds), Part 3 (capital requirements), and Part 4 (LE) and Part 7 (leverage) under CRR 11(2) and with Part 6 (liquidity) under CRR 11(3). Consolidated financial statements are defined by the accounting standards. A NCA may require an institution to provide information on a consolidated basis if it its “necessary to obtain a comprehensive view of the risk profile of the activities of, and a view of the systemic risks to the financial sector or the real economy posed by” the institution, after consultation with EBA (CRR Art. 99), institutions other than those referred to in paras. 2 and 3 that are subject to an accounting framework based on Directive 86/635/EEC, the competent authority shall consult EBA on the extension of the reporting requirements of financial information on a consolidated basis to those institutions, provided that they are not already reporting on such a basis The PRA imposes prudential requirements on a consolidated basis for all U.K. consolidated banking groups, including U.K. subgroups that are parts of wider non-U.K. banking groups, in accordance with Art. 11 of the CRR. In addition, the PRA also imposes prudential requirements for all PRA-authorized entities on an individual (solo) basis in accordance with CRR Art. 6. Under CRR Art. 11(2), credit institutions and investment firms that are controlled by a parent holding company are required to comply with regulations on own funds, capital requirements, LE (which encompass lending limits) and Leverage on the basis of the consolidated situation of their parent holding company. The PRA has specific national rules on related parties transactions risks (PRA Rulebook RPS) (see BCP 20). These rules apply to U.K. banks, building societies and certain overseas firms. It is a function of the rules that all of a bank’s affiliates and their related parties, and therefore all members of its group, are covered by them. On-going reforms to implement the proposals of the independent commission on banking will affect group structure. In May 2015, the PRA issued Policy Statement (PS10/15), which covered legal structure arrangements of banking groups subject to ring-fencing; governance arrangements of ring-fenced bodies; and arrangements to ensure continuity of services and facilities to ring-fenced bodies. The U.K. government has stated its intention for ring-fencing to take effect from January 1, 2019. The PRA collects information on both a consolidated and solo basis for most of the areas discussed in this EC in accordance with the CRR and the EBA ITS on reporting (Commission Implementing Regulation (EU) No 680/2014). The CRR establishes reporting requirements for own funds (Arts. 99–101), for LE (Arts. 394), for liquid assets (Arts. 415–416), for stable funding (Arts. 427–428) and for leverage in (Art. 430). The PRA collects information on capital through COREP template COR001. This template also contains information on group structure, including the entities within banking groups. The PRA collects information on LE through COR002; on the net stable funding ratio through COR003 and on the LCR through COR004. The PRA also collects information via reporting systems developed at the U.K. level. It receives additional capital adequacy information via its “Capital+” reporting template, containing information on groups’ capital resources and capital requirements. This includes quarterly forecasts for three years ahead as well as well as data pertaining to the actual financial situation of the reporting group. For Category 1 groups, this data is received monthly after 10 working days, generally on a U.K. consolidation group basis. Less significant groups report this information less frequently, also on a U.K. consolidation group basis. The rules on related parties transaction risk (PRA Rulebook RPS) require firms to provide the PRA with details on aggregate exposures to related parties, if requested by the PRA (see BCP 20). Information on group structure is provided in accordance with PRA Handbook (SUP 16.4–6). This sets out requirements for reporting in relation to annual controllers reports, close links reports and organograms. CRR Arts. 7 and 8 allow derogations on the provision of information on an individual basis. The PRA does not ‘switch off’ regulatory requirements for individual banks as provided for in CRR Art. 7. Thus it does not allow derogations from individual entity reporting requirements under CRR Art. 7. CRR Art. 8 refers to derogation to the application of liquidity requirements on an individual basis. Supervisors routinely analyze the data mentioned above in order to inform their assessment of the risks posed to the safety and soundness of the bank. Supervisors review a firm’s regulatory returns and MI as regularly as it is received. For example, capital returns are received and reviewed monthly. Supervisors review banks’ regulatory returns to ensure that the firm is continuing to meet regulatory requirements. Supervisors look to identify any material deviations from the firm’s annual operating plan and any large variances versus the prior period. MI includes Board packs (e.g., group Board, regional Boards, risk committee, audit committee, asset & liability committee), financial information (performance versus plan, annual operating plan, ICAAP) and risk data (e.g., credit risk and market risk). Supervisors use this data to inform their view of the firm and to support meetings with senior management. Supervisors will ask for more granular MI in areas deemed to be higher risk. |
| EC 3 | The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. |
| Description and findings re EC 3 | To ensure that the management body of a U.K. bank is monitoring activities of overseas businesses, PRA supervisors rely on a combination of CA meetings (both with senior management at the parent bank and with overseas regional and country heads); supervisory colleges and bilateral contact with overseas regulators; and onsite reviews of selected overseas operations (see EC 4 below). This allows supervisors to determine whether there are any hindrances in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries, and whether local management has the appropriate expertise to manage its respective business in a safe and sound manner. When a bank operates in foreign markets as a branch of a U.K. bank, ultimate responsibility for cross-border operations and the strategic direction of the branch lies with the management body of the U.K. bank. The PRA expects overseas branches of U.K. banks to have in place governance and risk-management processes and policies on a par with those established by the management body of the U.K. bank (see BCPs 14 and 15, below, for more detail). When supervisors review a bank’s overseas entities, they will often consider the governance of the entity as part of their overall review. For instance, a review of the risk-management and controls of an overseas entity may include a review of whether the governance is appropriate and whether the escalation chain up to the group is effective. In cases where an overseas branch constitutes a ‘significant business unit,’ as expressed in the PRA Handbook (SUP 10A.9.5 G), responsibility for managing this unit can be allocated to a senior manager within the branch. Under the APR, the senior manager would have to be pre-approved by the FCA for performing Controlled Function (CF) 29: Significant Management Function. In order to be granted approval, the candidate must fulfill the fitness and propriety criteria of the FCA, as expressed in FIT 1.3. An important consideration in assessing the fitness and propriety of an individual is their competence and capability, as demonstrated by their professional experience and training. In July 2015, the PRA published final rules on a SMR that replaced the current APR (see BCP 14). Under the SMR, senior managers directly responsible for a ‘key business area’ would have to be pre-approved to perform senior management function (SMF) 6: head of key business area. A large branch may meet the conditions for key business area (although the PRA expects this would be quite rare). For an individual to become a head of key business area, the firm must ensure that the individual is fit and proper and capable of carrying out this SMF. The preapproval process can also involve an interview with the supervisor. Since its establishment, the PRA has embarked on a new work program (with reference to the assessments that were carried out by its predecessor organization, the FSA) of carrying out Home Country Equivalence Assessments that are submitted to the PRA’s Equivalence Committee for consideration. The Committee has identified a list of priority jurisdictions to be assessed. Assessments consider a jurisdiction’s compliance/observance with the Basel, IAIS, and IOSCO CP, as set out mainly in the IMF’s detailed assessment reports. Due, however, to the fact that the PRA’s own program of equivalence assessments does not always coincide with those of the publication of the FSAP (and other, e.g., RCAP) reports, especially when these are more than 2 years old since publication, this can result in the PRA reaching a ‘not equivalent’ or ‘partially equivalent’ equivalence determination. When the PRA cannot reach an equivalence determination due to the lack of recent reports (such as FSAP, RCAP, FSB peer review, etc.) it seeks to review the determination decision as quickly as possible, once more up-to-date information has been published. |
| EC 4 | The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. |
| Description and findings re EC 4 | CRD Title VII, Chapter 3, establishes the principles of coordination between home and host supervisors within the EU. EBA issued in 2013 (ITS) on joint decisions on institution-specific prudential requirements, which need to be reached by the consolidating supervisor and NCAs responsible for the subsidiaries, setting common procedures and templates. In addition, there are EBA guidelines on “joint Assessment of the elements covered by the SREP.” Art. 104 of CRD states that supervisors must have the power to require additional reporting and disclosures. The PRA conducts onsite visits of the foreign operations of U.K. consolidated banking groups. The choice of country visits is based on the business model analysis’ of banks’ annual operating plans, identification of operations with identified risks, and operations targeted for strategic investment and growth. In the past two years, the PRA supervision team for a large U.K. consolidated international banking group conducted onsite reviews in eight countries. When the PRA conducts onsite visits overseas, it first contacts the host regulators and invites them to join the onsite visits and to have meetings with PRA supervisors. The PRA also participates in joint reviews with other supervisors. This can involve PRA staff participating in host authorities’ reviews of U.K. banking groups’ foreign operations. The PRA does not have an explicit policy for assessing whether it needs to conduct onsite exams of a bank’s foreign operations. However, such guidance is implicit in the PSM guidance (see EC 8). PRA supervisors regularly issue ad-hoc reporting requests in response to new identified risks, including risks in foreign operations. For example, in recent years supervisors have started to collect quarterly information on large banks’ exposures (in-country and cross-border) to vulnerable euro area peripheral economies. The PRA has also regularly asked firms to conduct bespoke risk assessments, including exposures data, in respect of emerging geo-political risks. The scope of the FCA’s responsibilities for foreign operations is more limited than the PRA’s but the FCA has visited banks’ overseas operations where appropriate, including in relation to financial crime. |
| EC 5 | The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. |
| Description and findings re EC 5 | The PRA supervises large complex groups on a consolidated basis, even where the holding company is technically not a regulated legal entity. The PRA interprets its APR (and the SMR) to include directors of holding companies that have significant influence over the U.K. regulated entity, and subjects them to regulatory approval requirements. As part of the consolidated supervision of banks, the PRA is aware and has thorough knowledge of the activities carried out by parent companies and companies affiliated with parent companies. Where parent companies and their affiliates are ‘credit institutions’ or ‘investment firms’ (as defined Art. 4 of CRR), they are supervised under the CRD IV and required to comply with general prudential requirements specified in the CRD IV/CRR. CRR does not apply directly to parent companies that are holding companies, although they are included in CRR consolidation groups. The Financial Services Act 2012 gave the PRA and the FCA two new powers over ‘qualifying parent undertakings,’ i.e., U.K.-based parent companies of U.K.-authorized entities, which are not themselves authorized entities (see FSMA S192C and S192J). These powers are: (i) a power to give directions to individual qualifying parent undertakings, requiring them to take specific actions or to refrain from taking specific actions; and (ii) a power to make rules requiring qualifying parent undertakings to provide to either regulator information and documents of a specified description. The latter rule making power was extended by the Financial Services (Banking Reform) Act 2013 to include the ability to make rules applying to parent undertakings or ring-fenced bodies that are necessary or expedient for ring-fencing and the ability to make rules requiring parent undertakings to facilitate resolution, which may include (but is not limited to) requiring a parent institution to issue debt instruments and to provide services and facilities as necessary to enable a subsidiary or transferee to operate the business in a resolution scenario. EC 6 (below) discusses the supervisory actions the PRA takes when activities of parent companies or subsidiaries of parent companies have a material impact on the safety and soundness of a bank. |
| EC 6 | The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that:
|
| Description and findings re EC 6 | Under the FSMA 2000, as amended by the Financial Services Act 2012, the PRA has the power to require regulated entities to take action as appropriate in certain conditions. This includes powers to disallow unsuitable persons to control the regulated entity, ring-fencing of assets, imposing requirements on a regulated entity to refrain from acting in a particular way or to take specific actions as may be appropriate in the circumstances. Specifically, S55J FSMA enables the PRA to vary or cancel the permissions of PRA authorized entities to carry on regulated activities (‘Part 4A permissions’) if:
S55M FSMA further enables the PRA to impose requirements on entities that have applied to be granted or to change their permissions. Under S55N FSMA, requirements may be imposed by reference to the entities’ relationship with their group or other members of the person’s group. The PRA’s powers therefore enable it to limit the range of activities of consolidated groups, and the location where those activities are conducted, albeit indirectly via restrictions on the individual entities within those groups. As discussed in relation to EC 5 above, the PRA also has specific powers to intervene directly at the holding company level so as to have influence over the activities of unregulated entities which may be adversely affecting the firm. Regarding EC 6 (b), before a non-EEA branch or subsidiary is allowed to operate in the U.K., the PRA will consider the degree of equivalence that the entity’s home state’s supervisory regime has with the U.K. (and including with the EU Single Market Directives), to determine the reliance that the PRA can place on it. From this, the PRA will decide the type of entity (branch or subsidiary) that is permitted to operate in the U.K., the activities that it can participate in and the PRA’s own supervisory approach to the firm in question (see EC 3 above). Equivalence assessments will also determine the extent to which the PRA relies on ‘host’ supervisors in non-EEA jurisdictions where U.K.-authorized firms have established branches or subsidiaries. The PRA has implemented on several occasions ‘supervisory ring-fences’ or ‘specific supervisory measures’ in order to mitigate risks to safety and soundness of U.K. subsidiaries arising from risks created at their parents’ level. Such restrictions have been imposed in various cases including: cases of overseas parent becoming insolvent while group and U.K. banking subsidiary remains solvent on a consolidated basis; cases of foreign parent under threat of bank run or severe financial stress while U.K. subsidiary remains stable; cases of foreign parent facing risks of severe downgrade in capital quality while subsidiary remains financially healthy. These supervisory measures usually include restrictions on upstreaming of liquidity and capital from the subsidiary to the parent or other parts of the group and sometimes restrictions on intragroup LE limits below the usual limit (25 percent of eligible capital). These measures are normally agreed with the subsidiary which submits an application to implement the requirement on a voluntary basis. |
| EC 7 | In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.59 |
| Description and findings re EC 7 | All institutions are to be supervised and comply with all requirements both on solo and consolidated basis, unless there are waivers applied based on CRR Arts. 7–10. In case of cross-border groups, all entities subject to minimum capital requirements and supervision are covered in the Group risk assessment report and joint decision under Art. 113 of CRD and pursuant to the requirements of the EBA ITS on joint decision. In addition to supervising on a consolidated basis, the PRA carries out individual (‘solo’) supervision of all institutions in accordance with CRR Art. 6. Banks must comply with CRR regulations on own funds, capital requirements, LE, exposures to transferred credit risk, liquidity, leverage, and disclosure (where not part of a consolidation group) on an individual basis. The PRA has not exercised the discretion available to it under Art. 7 of the CRR to switch off solo prudential requirements. Where entities are subject to individual supervision, they are required to deduct from their capital their ownership shares in other financial sector entities. Art. 43 of the CRR requires institutions to deduct from their CET1 ‘significant’ investments in the CET1 of financial sector entities. Significant investments, defined in accordance with that article are ownership shares in excess of 10 percent of the CET1 of the entity in question; ownership shares in entities that have ‘close links’ to the entity owning shares; or investments in the CET1 of entities that are not included in the regulatory scope of consolidation but are included in the accounting scope of consolidation. Experience has shown that capital located elsewhere in a group cannot always be relied upon to be available to a bank facing stress. To address this issue (among other things), and so improve the resolvability of the individual firms, the PRA has exercised discretion under CRR Art. 49(2) to deduct from their own capital holdings of capital instruments issued by financial sector entities that are included in the scope of that institutions’ regulatory consolidation group. This is to ensure that capital is located in the regulated entities where it is needed. Supervising U.K. banking groups at both consolidated and solo levels enables supervision teams to understand the relationship between the bank and other members of the group, for instance, in terms of capital, liquidity, strategy, governance, and recovery and resolution planning. Supervision teams for U.K. banking groups are structured so that they cover both the consolidated group and the main U.K. regulated entity within the group (including the domestic and European branches and subsidiaries of that entity). |
| Additional criteria | |
| AC1 | For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies. |
| Description and findings re AC1 | Under S178 FSMA 2000 the PRA and the FCA have the power to prevent the acquisition of a U.K. bank if they are not satisfied with the fitness and propriety of the owner of the parent company. In considering the suitability of an acquirer, the PRA and FCA will consider the criteria specified in S186 FSMA 2000, which includes among other things: reputation, experience, and financial soundness. If the composition of the Board of the parent undertaking changes subsequent to approval being granted, the PRA or FCA may determine that the parent undertaking no longer fulfils the assessment criteria of S186 FSMA 2000. In such a case, then the PRA or FCA can object to the acquisition and require the parent entity to sell shares of the U.K. bank. These powers are complemented by a separate regime focused on individuals from parent entities that are actually involved in the running of the bank. As explained in the Handbook SUP 10B.6.1. R, a person who is a director, partner, officer or member of a parent undertaking or holding company of a U.K. bank and whose decisions or actions are regularly taken into account by the governing body of the bank can be brought into the scope of the APR as performing a ‘CF1: Director function.’ Nonexecutive members of a parent undertaking or holding company whose decisions or actions are regularly taken into account by the governing body of the bank, as per SUP 10B.6.3, may be brought into the scope of the regime as performing a ‘CF2: NED function.’ Individuals performing either CF1 or CF2 need to apply for pre-approval by the PRA, and, hence, fulfill the fitness and propriety criteria. Moreover, individual sanctioning powers and fines can apply in the case where individuals are approved by the PRA. As discussed in EC 2, the PRA issued final rules on a new SMR in July 2015. Under the SMR, individuals that qualify as performing CF1 and CF2 functions need to apply for approval for SMF7: Group Entity Senior Manager. |
| Assessment of Principle 12 | Compliant |
| Comments | The U.K. authorities supervise banking groups on a consolidated basis, covering all entities within the consolidated group for U.K. firms and at subconsolidated level for U.K. subgroups of wider global groups. Prudential standards established by the CRD are imposed at different levels of consolidation. Supervisors routinely analyze information collected on both a consolidated and solo basis in order to inform their assessment of the risks posed to the safety and soundness of the banking groups. |
| Principle 13 | Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. |
| Essential criteria | |
| EC 1 | The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. |
| Description and findings re EC 1 | EU-wide legislation and guidance on home-host relationships:
The CRR and CRD provide for different scopes of consolidated supervision:
RTS and ITS on operational functioning of colleges (finalized by EBA and submitted to the EC) set the rules for the establishment and functioning of colleges, including (Art. 4(1) of the RTS) the requirement that the consolidating supervisor proposes college membership to “the competent authorities responsible for the supervision of subsidiaries of an EU parent institution or of an EU parent FHC or of an EU parent MFHC and the competent authorities of host MSs where significant branches as [..] are established.” Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular to ensure adequate exchange of information. PRA home perspective The PRA has well-established bank-specific supervisory colleges for the four U.K. banking groups with material cross-border operations (HSBC, SCB, Barclays, and RBS). For one of these, the host authorities of two countries where the group has significant branches participate in the college. For U.K. banking groups with international operations that are not material, the PRA has conferred with EBA and potential college members to agree that college arrangements are not needed; however, it relies on MoUs or EoLs as a support for information sharing and cooperation with relevant host supervisors. The PRA reviews the membership of colleges annually, based on the firm data on the size of business activities in different jurisdictions, and taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. For the largest banks there are multiple colleges:
PRA host perspective For U.K. subsidiaries of EEA groups, European law requires that the PRA be invited by the consolidating European supervisor to participate in college activities and it is involved in joint decisions on prudential and recovery and resolution decisions concerning the subsidiary and the group (Arts. 113 and 116(6) of CRD4; see also the draft Art. 4 of EBA/RTS/2014/16). For significant U.K. branches of EEA banks, the PRA uses criteria set out in the PRA SS 10/14 as a basis for judging whether a branch has a critical economic function (CEF). Where a branch carries out a CEF, the PRA contacts the consolidating supervisor to inform him/her that it considers the branch as ‘significant’ under European law (CRD IV) provisions. Once agreed by the consolidating supervisor—or, in the case of nonagreement, once the branch is designated ‘significant’ on a unilateral basis by the PRA (as allowed provided for under Art. 51 and 116(6) of CRD IV—the consolidating supervisor is required to invite the PRA to become a member of the college to participate in entity and group risk discussions (and recovery and resolution planning to the extent it is relevant to the branch/host). At the time of the assessment, the U.K. authorities participated in 10 supervisory colleges of banks with significant branches in the U.K. For U.K. branches on non-EEA banks, the PRA follows SS 10/14 to determine whether the branch is outside risk appetite and would not be allowed to operate as a branch in the U.K. The risk appetite is formalized in a decision tree, in which the first check is whether the home state’s supervision is deemed sufficiently equivalent: if not, the branch is considered outside risk appetite, otherwise the PRA verifies whether the home state supervisor accepts responsibility for the branch. In case it does, if the branch of a non-EEA bank contains a CEF, then in addition to the equivalence and responsibility conditions, the PRA requires a high level of assurance over resolution for the branch to remain inside risk appetite and to follow the agreed split of responsibilities between home and host states. The PRA is currently undertaking these assessments on U.S. branches on a case-by-case basis. For non-EEA banks more generally, where the PRA is deemed a significant regulator by the home state regulator, or make requests to be invited, the PRA attends an annual supervisory college and a crisis-management college. The PRA is responsible for establishing and coordinating supervisory colleges for banking groups but the FCA is invited to participate where conduct issues, including financial crime, are relevant. The FCA has attended colleges for the major internationally active U.K. banks, including where appropriate attending colleges held overseas. |
| EC 2 | Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group60 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. |
| Description and findings re EC 2 | Art. 50 of CRD requires competent authorities of the members states to supply one another with all information on management and ownership of the institutions they supervise and all information useful to facilitate their monitoring, particularly with regard to liquidity, solvency, deposit guarantee, LE, administrative and accounting procedures, internal control mechanisms, and other factors that may influence the systemic risk posed by such institutions. Art. 51 of CRD states the conditions and procedures for the identification of a branch in a MS of a EU bank or banking group as ‘significant,’ the obligations on the home or consolidated supervisor to communicate to or consult with the host supervisor and to establish a college of supervisors. Art. 116 of CRD requires the consolidating supervisor, EBA, and the other competent authorities to exchange information (also of confidential nature, when needed) between each other and with EBA, within appropriate frameworks established by the colleges of supervisors. EBA RTS and ITS on information exchange between home and host competent authorities specify the kind of information that supervisory authorities are required to share, including:
Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular, to ensure adequate exchange of information. PRA home perspective In order to facilitate timely sharing of information, the PRA schedules regular college teleconferences between college meetings, both with the core and general college. Such teleconferences are also scheduled prior to the disclosures of market-sensitive supervisory outcomes, such as the EBA and PRA stress test results. Both the banks, the PRA and host regulators share information openly in the college setting. When setting the agenda for college meetings and teleconferences, the PRA consults with host regulators to identify their areas of interest and concern, and prepares (and asks the firm to prepare) presentations to address these concerns. College updates from PRA and host supervisors include information on the material risks and risk-management practices of the banking group, and each supervisor’s assessment of the safety and soundness of the entity/entities that they supervise. In recent years, the JRAD process, guided by the EBA, has provided an increasingly structured framework and process for home and host authorities to share confidential supervisory information about risks, the quality of risk management, capital, and liquidity and in 2015 also recovery plans. The PRA as home regulator compiles input of detailed SREP scores, Pillar 2 add-ons and risk assessment narratives from all EEA-competent authorities and from non-EEA regulators of significant entities, and then drafts a JRAD risk assessment document and individual capital/liquidity guidance letter for discussion, amendment, and approval by the EEA-competent authorities in the college. MOUs are in place with most of the host regulators in the core colleges where the United Kingdom is consolidating supervisor. EA regulators within the General Colleges are covered by EU confidentiality rules and information-sharing gateways. In those instances where MoUs have not yet been completed with all regulators, the PRA either obtains written consent from the firm and other regulators to allow information sharing at that college meeting, or (for global colleges) avoids sharing supervisory confidential information and leave it for the bank to present on its risk profile. PRA host perspective The PRA follows in full all European legislative requirements establishing information to be exchanged with home authorities and other host authorities within the college. This includes details on material risks and risk-management practices through EBA JRAD templates covering all material risk elements. This information is provided to all members of the college, including host supervisors of branches where the branch has been designated as ‘significant’ or where the host supervisor of the branch has been invited as an observer. Where the PRA is host to an EEA branch and it is not part of the college, it will receive information through a specific EBA template (the forthcoming branch information pack—EBA/RTS/2013/10 to be rolled out from April 2016) that outlines basic prudential solvency and liquidity information at a group level, but does not provide detail on the supervisory assessment of material risks or risk-management practices. Prior to this, the PRA received a branch report and relevant information from the home authority, if requested. The PRA supplements this with information provided by the home supervisor in bi-annual calls, when the home supervisor is willing to provide this. The PRA’s ability to exchange confidential information with non-EEA regulators is restricted primarily by S348 and S349 of FSMA 2000 and regulations made by HMT under that section. The regime implements EU Directive requirements. The PRA is required to satisfy itself that there is a legal gateway to share confidential information. This involves assessing whether the professional secrecy laws applicable to the relevant non-EEA supervisor are at least equivalent to those imposed on the PRA by European Directives. In addition to this ‘equivalence’ assessment, the PRA also applies two additional criteria to determine whether to establish a formal MoU:
When the PRA is satisfied that the three criteria are met, it is in a position to enter into a formal MoU with the relevant non-EEA supervisor. The PRA’s policy is to publish its MoUs. They can be found on http://www.bankofengland.co.uk/about/Pages/mous/default.aspx. For other countries, the PRA’s policy is to engage with the relevant supervisor under the home-host framework. The PRA establishes informal supervisory arrangements to share nonconfidential information and agree the key issues and responsibilities for each supervisor. In either case, the confidentiality safeguards provided under FSMA incorporate the requirements of professional secrecy contained in the EU Directives. In addition, under S169(7), the PRA can permit a representative of an overseas regulator to attend and participate in an interview conducted, using the PRA’s investigative powers, on behalf of the overseas regulator. S169(8) requires the PRA to be satisfied that confidential information disclosed in the course of the interview be subject to confidentiality safeguards equivalent to those provided under FSMA 2000. Where the framework is in place to allow the sharing of confidential information, the PRA will share details on their assessment of the safety and soundness of the relevant entity, as well as the material risks and risk-management practices. The PRA also utilizes frequent formal calls with the home state supervisors to share knowledge and views. The assessors reviewed some JRADs and a presentation by the PRA—in its capacity as host supervisor—at both a EU and non-EU supervisory college. |
| EC 3 | Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. |
| Description and findings re EC 3 | EU-wide legislation on home-host relationships:
EBA RTS and ITS on operational functioning of colleges contain provisions on information exchange and coordination between the consolidating supervisor and college members for a number of tasks: for performing group risk assessments and reaching joint decisions; with regard to the ongoing review of the permission to use internal approaches and non-material extensions or changes in internal models; on early warning signs, potential risks and vulnerabilities; with regard to non-compliance and sanctions; for the assessment of the group recovery plan; for the assessment of the group recovery plan; and with regard to group financial support agreements. PRA home perspective Core college meetings include as a standing item an update from each supervisory agency on its supervisory work program. This provides visibility between home and host supervisors and allows for identification of areas of shared focus/concern (and potential duplication), opportunities for information sharing, coordination and even joint supervisory activities, and for adjusting planned JRAD timetables and supervisory work plans to be able to incorporate more timely supervisory insights. Within the EU colleges, the JRAD process has resulted in greater collaboration and information sharing. PRA has participated in onsite supervisory reviews led by overseas host regulators, joint reviews of off-shored service centres and collaborated with local regulators on AQRs. PRA host perspective Arts. 112 and 117 of CRDIV require that home and host supervisors coordinate and plan supervisory activities. For non-EEA subs and branches, the PRA consistently undertakes joint working with the home state supervisors where either U.K. activities have a meaningful impact on the group (financial or people resources), or alternatively, the activities in the U.K. constitute a CEF. The PRA sets out in SS 10/14 the split of prudential supervisory activities with the Home State Supervisor in the case of the U.K. branch of a non-EEA bank. The PRA’s focus is specifically on any CEFs carried out by the branch, and its interconnectivity to U.K. financial stability. The assessors reviewed recent example of collaborative work with supervisors within and outside of the EU. FCA Where appropriate, the FCA co-ordinates supervisory activity and works collaboratively with other supervisors. For example, the Federal Reserve Bank has an interest in a major U.K. bank’s efforts to strengthen its AML controls both in the U.S. and globally. The FCA has therefore in the interests of efficiency co-ordinated with them to join some of the meetings which they have held with the bank and, to the extent permissible by law; both supervisors have exchanged information regarding the findings of supervisory reviews. |
| EC 4 | The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. |
| Description and findings re EC 4 | EU-wide legislation on home-host relationships:
Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular, to ensure adequate exchange of information. PRA home perspective The PRA as home supervisor coordinates communication on behalf of the college to the U.K.-regulated banking group. This includes sending information requests for bank inputs into JRAD (where applicable), commissioning bank presentations to the supervisory colleges (to address agreed key risks and concerns raised by host regulators), communicating feedback from the college members (on supervisory views, areas of concern, and quality of firm presentations) to the bank, and formally communicating JRAD outcomes to the bank. While individual bank colleges may not formally have an agreed a communication strategy, the JRAD processes have provided an increasingly structured framework for colleges to reach a share view about an widening range of supervisory issues and for agreeing a coordinated communication to the banking group and its regulated entities. While non-EEA regulators are formally only observers for the JRAD, and can only be asked to provide inputs on a voluntary basis, the PRA seeks to fully reflect their views for banks with material operations outside the EEA. For U.K. banks with non-EEA colleges, the PRA summarized the views of the college, agrees this with college members, and provides feedback to the bank. In case of joint reviews the PRA participates in the writing of the final report and input into the letter or final communication to the firm. Given the absence of a formal framework for specific joint supervisory reviews (outside of the prescribed JRADs) input into bilateral joint work is typically provided on an informal basis with either the PRA or the host regulator formally leading the review and validating findings through their internal governance process. FCA The formal communication of issues arising from international colleges is led by the PRA, with input from the FCA; but the FCA has developed channels of communication with overseas regulators on matters relating to conduct where there is a shared interest, where appropriate. |
| EC 5 | Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. |
| Description and findings re EC 5 | EU-wide legislation on home-host relationships:
PRA home perspective As a home regulator, the PRA and the RD of the BoE establish cross-border CMGs for U.K.-based internationally active banks. These CMGs are used to review the resolvability of individual U.K. banking groups within the FSB resolvability assessment process (RAP) Framework, including identifying and addressing potential obstacles to resolution. Resolution plans and RAPs for major U.K. banking groups are at different stages of developments, with CMGs for some banks having agreed resolution cooperation agreements (CoAgs). The CMGs typically include core college members plus resolution authorities for the same jurisdictions. PRA also engages bilaterally with key host regulators on crisis preparation contingency planning to safeguard business continuity and financial stability in the face of specific risks. PRA host perspective As a host supervisor for EEA branches and subsidiaries, the PRA shares information in every case with the home supervisor and other hosts on crisis preparation and actions following EU legislative requirements on crisis management as set out in Arts. 87–92 of the BBRD. Recent examples of this were provided to the assessors during their visit. As a host supervisor for non-EEA branches and subsidiaries the PRA provides all relevant crisis preparation information when requested by the home authorities, and where the branch or subsidiary is material and/or the PRA considers a crisis situation is likely to occur, it contacts the home supervisor to look to ensure that this occurs at an early stage. The framework for sharing confidential information with non-EEA regulators is set out in the response to EC 2 above. |
| EC 6 | Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. |
| Description and findings re EC 6 | EU-wide legislation on home-host relationships:
The PRA requires banks to draw up group recovery plans and to submit group resolution packs. The PRA reviews the group recovery plan(s) for completeness, credibility, and compliance with BRRD and EBA guidelines, before sending a draft JRAD template to the relevant competent authorities for discussion, amendment, and agreement in the new resolution colleges. PRA supervisors support the resolution planning work of the BoE’s RD (which leads on the discharge of the BoE’s functions as resolution authority) with provision of supervisory data, risk assessment, and supervisory insights. More formally, the PRA shares the recovery plan with the resolution authority for its view on any actions that may impact resolution. The supervisory authority is also consulted on its view as to the resolvability of the firm (this is a formal and legal requirement), and on the use of any powers which require the firm to remove any impediments to resolvability. The PRA must also be consulted on the resolution plan being drawn up by the resolution authority. The PRA is also obliged to inform the resolution authority when a firm meets the conditions for early intervention (as defined in the BRRD) and of its decision of whether or not to take any supervisory action as a result. This occurs when there are risks to viability absent action by the firm or significant threats to a firm’s safety and soundness. The PRA also must notify the resolution authority if a firm is considered failing or likely to fail. The BRRD does not set a requirement on NCAs to notify a non-EEA resolution authority that a firm is failing or likely to fail. |
| EC 7 | The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. |
| Description and findings re EC 7 | EU-wide legislation on home-host relationships:
For the subsidiary of a foreign bank or FHC incorporated in third countries, Art. 127 CRD requires that the EU competent authority at the highest level of potential consolidation assesses whether the subsidiary is subject to consolidated supervision by a third country supervisory authority equivalent to the regime for consolidated supervision in the EU (including prudential and reporting requirements and the power to conduct onsite inspections). If the assessment leads to the conclusion that equivalence is not guaranteed, the subsidiary has to be subject to CRR and CRD or to other appropriate supervisory technique(s) apt to achieve the objective of consolidated supervision, including by requiring the establishment of a financial (or mixed financial) holding company with head office in the EU. All banks (both U.K. incorporated and overseas banks operating in the United Kingdom) are assessed by the PRA to the same prudential standards. This is set out in “The PRA’s approach to banking supervision.”61 The PRA has the same statutory objectives, whether it is regulating domestic or overseas banks. However, the PRA’s powers and requirements differ between U.K. incorporated firms and U.K. branches of EEA and third-country firms. As set out by the EBA above, for the cross-border operations of EEA banking groups, the United Kingdom’s powers and responsibilities are set by EU law, specifically CRR/CRD and BRRD, and standards and guidelines adopted by the EBA. These ensure that prudential, inspection, and regulatory reporting requirements are similar for all banks across the EEA. Banks from non-EEA jurisdictions may operate within the United Kingdom as branches or subsidiaries. The PRA has set out its risk appetite for when it will allow firms to operate as branches in PRA SS 10/14. This depends upon the nature and scale of the activities in the United Kingdom, whether the PRA has assessed the Home State Supervisor as sufficiently equivalent, and whether the home state supervisor accepts responsibility for the branch and the level of assurances on resolution provided to the PRA by the home state supervisor. Where the operation of a branch is within risk appetite, the PRA seeks to agree a formal split of supervisory responsibilities so as to be able to place reliance on the home state regulator for key aspects of the branch’s supervision. Where the operation of a branch is outside the stated risk appetite, the firm is required to operate within the United Kingdom as a subsidiary (where it is subject to the same prudential requirements as a subsidiary of a U.K. banking group). In placing reliance upon the home state supervisor, the PRA carries out a third-country assessment as set out in Principle 12 EC 6. Where a home state supervisor is considered to be equivalent and a branch is authorized the PRA’s objective is to ensure that it does not impact on the safety and soundness of the U.K. financial system in the same manner as if it were a U.K. banking group. Thus if the branch contained a CEF the level of scrutiny of those operations would be considerably more than for other branch operations where greater reliance would be placed on the home state supervisor. The PRA will require that the home state supervisor accepts its Prudential Regulations responsibilities for the branch and that there is a firm-specific split of Prudential Regulation responsibilities. The PRA’s policy is that all banks are subject to similar inspection and regulatory reporting requirements. As part of the implementation of the LCR, the PRA now requires liquidity information on a whole firm basis and has discontinued the ‘Whole Firm Liquidity Modification’ regime, which allowed overseas banks with U.K. branches to apply for a waiver of most of prudential sourcebook for banks, building societies, and investment firms (BIPRU) 12 rules, subject to certain conditions (including an equivalence assessment of the liquidity regime of the home state regulator of the applicant bank). |
| EC 8 | The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. |
| Description and findings re EC 8 | EU-wide legislation on home-host relationships:
Art. 47 CRD means that an EU-MS cannot treat a third-country branch any better than an EU entity. It is expected therefore that the third-country’s home state supervisor’s access cannot be better than any EU MS’s access to its branch. It does not necessarily mean that non-EU home supervisor is given onsite access to local offices (i.e., branches) of a banking group—nor does it mean that the 3rd country supervisor would be given parity of treatment with an EU-home country supervisor of an EU branch. In theory, if not in practice, the EU home authority would be allowed to explicitly restrict or prevent such access. PRA Rules require firms to provide it with access to their business premises.62 The PRA regularly conducts onsite supervisory reviews of U.K. banks’ operations in other countries. Where the PRA is the home supervisor it arranges these onsite reviews through the head office of the bank under review. The PRA follows a protocol to notify host supervisors of intended visits, and also inviting them to join in the meetings, if they wish. FCA The FCA has where necessary visited the overseas operations of certain major U.K. banks in order to assess the quality of customer due diligence AML controls in relation to U.K. requirements. The FCA notifies the relevant home supervisor in advance of such visits and typically shares the findings. For example, The FCA has within the past two years visited several overseas operations of a major U.K. bank for these purposes, including Brazil, Turkey, the U.A.E., Hong Kong SAR, Macau, and Switzerland. |
| EC 9 | The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. |
| Description and findings re EC 9 | EU-wide legislation on home-host relationships:
NCAs should demonstrate that they actually ban shell banks and supervise booking offices in a manner consistent with internationally agreed standards. One of the Threshold Conditions is that “the firm must be capable of being effectively supervised by the PRA.” Furthermore firms are required to have a sustainable and viable business model and be capable of accreting capital through the business cycle. All these would preclude a bank that was a ‘shell bank’ or ‘booking office.’ There are no shell banks in the United Kingdom. On the supervision of booking offices reviewers were given access to confidential papers that set out PRA expectations. Shell banks are effectively prevented from operating in the U.K. through S16 Money Laundering Regulations (MLR) 2007 whereby, they are not able to obtain banking relationships with credit institutions. The approach taken by the PRA’s predecessor organization, the FSA, was recognized by the financial action task force (FATF) in the mutual evaluation follow-up report (December 2009) and the position has not changed in the new regulatory structure now in place. |
| EC 10 | A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. |
| Description and findings re EC 10 | EU-wide legislation on home-host relationships:
For the information received by a non-EU authority, provisions on ex-ante consultation or expost information on supervisory actions taken on the basis of such information are contained in some of the MoUs signed with non-EU authorities and, more generally, represent an established working modality for the U.K. authorities in their interaction with their non-EU counterparts. |
| Assessment of Principle 13 | Compliant |
| Comments | The U.K. authorities, in their capacity as both home and host supervisors of cross-border banking groups, regularly share information and cooperate with foreign authorities for effective supervision of groups and group entities. Foreign banks operating in the United Kingdom are subject to the same standards as those required of domestic banks. |
| Principle 1 | Responsibilities, objectives, and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.12 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.13 |
| Essential criteria | |
| EC 1 | The responsibilities and objectives of each of the authorities involved in banking supervision14 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. |
| Description and findings re EC 1 | The CRD requires MSs to ensure that National Competent Authorities (NCAs) assess compliance with CRD and CRR (Arts. 4–7), and that such function is separate and independent from the functions relating to resolution (Art. 4). Art. 5 requires MSs to coordinate internally if there are more than one NCA, and Art. 6 requires MSs that NCAs cooperate within the European System of Financial Supervision (ESFS) and European Systemic Risk Board (ESRB). The PRA and FCA are the NCAs for the United Kingdom. They have responsibility for the supervision of banks, the PRA for prudential matters and the FCA for conduct matters. The PRA supervises around 1,700 firms and groups, including over 900 deposit-takers (banks, building societies and credit unions) and nearly 700 insurers of all sizes (general insurers, life insurers, friendly societies, and mutuals).15 The FCA is the conduct supervisor for approximately 56,000 firms across all industry sectors (including all deposit-takers) and the prudential supervisor for approximately 24,000 firms not regulated by the PRA, including a large number of investment firms subject to the CRD. The responsibilities and objectives of the PRA and FCA are set out in the FSMA 2000, which is public (http://www.legislation.gov.uk/ukpga/2000/8/contents). In discharging its general functions, the PRA is required to act so far as reasonably possible in a way which advances its general objective of promoting the safety and soundness of PRAauthorized persons (S2B FSMA).16 This general objective is to be advanced primarily by: (i) seeking to ensure that the business of PRA-authorized persons is carried on in a way which avoids any adverse effect on the stability of the U.K. financial system; and (ii) seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system. The emphasis on bank failures in terms of their impact on financial stability supports the PRA’s ‘no zero-failure’ policy (i.e., that it is not the PRA’s role to ensure that no firm fails, which is also explicitly stated in S2G FSMA),17 and helps to understand the PRA’s apparent degree of risk appetite and consequent supervisory approach. In its public discourse the PRA often uses the term ‘risk appetite’ (e.g., in the programmatic document on its approach to banking supervision), even though there is not a defined and articulated process leading to a clear identification of the PRA’s risk appetite and of its implications at executive level. As announced in the 2015 annual report (p. 21), the PRA is reviewing its Target Operational Model, risk appetite, oversight and mitigation. PRA’s general safety and soundness objective is expressed also through the Fundamental Rules, contained in the PRA Rulebook. They set PRA’s general expectations with respect to banks’ conduct, adequacy of financial resources, risk strategy and risk management, organization and control, openness and cooperation with the PRA, preparedness to resolution. The PRA also has a secondary competition objective. This requires that when discharging its general functions in a way that advances its objectives, the PRA acts in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. In discharging its general functions, the FCA is required to act in a way that is compatible with its strategic objective and advances one or more of its operational objectives (S1B FSMA). The FCA’s strategic objective is to ensure that the relevant markets function well. The FCA’s operational objectives are:
In discharging its general functions, the FCA and PRA are also required to have regard to the regulatory principles specified in FSMA S3B, which include:
Much of the detail involved in the PRA’s and FCA’s execution of their responsibilities is included in secondary legislation and regulators’ rules, including the PRA and FCA Handbooks of Rules and Guidance and the Regulated Activities Order (SI 20001/544). This Order sets out the specific activities which firms must receive PRA or FCA permission to carry on. The FSMA establishes a number of coordination mechanisms for the PRA and FCA (see EC 3). There are also specific requirements in FSMA as to how the PRA and FCA will coordinate regulatory processes where both authorities are involved, such as rulemaking and enforcement. This ensures that both authorities have appropriate input into the process. Examples of hard requirements for cooperation include the duty to consult on rules (S138I and S138J of FSMA), imposition of a requirement by either regulator (S55L and S55M of FSMA), and the definition of “appropriate regulator” for enforcement purposes (S204A of FSMA). On April 1, 2013, the FPC was established on a statutory basis as the United Kingdom’s macroprudential authority, following two years of operating on an interim basis. The FPC has a primary objective to contribute to the achievement of the BoE’s financial stability objective “to protect and enhance the stability of the financial system of the United Kingdom.” The law gives the FPC two main types of power: first, it can make Recommendations, on a comply or explain basis, to the microprudential regulators (the PRA and the FCA) to take measures to mitigate risks in relation to any aspect of their regulated entities (but not focused on a specified individual entity).19 The other set of powers that the FPC has is to give directions to the PRA and FCA to deploy specific macroprudential tools prescribed by HMT. The FPC can currently direct the PRA to use: the CCB, which allows the FPC to change capital requirements above normal microprudential standards in relation to all loans and exposures of banks to borrowers in the United Kingdom; the SCR, which are more targeted and allow the FPC to change capital requirements on exposures to three specific sectors judged to pose a risk to the system as a whole: residential property (including mortgages), commercial property and other parts of the financial sector; the limits on residential mortgage lending, both owner-occupied and buy-to-let, in terms of loan-to-value ratios and/or debt-to-income ratios (including interest coverage ratios in respect of buy-to-let lending). The BoE is the United Kingdom’s resolution authority for banks, building societies, central counterparties and certain investment firms. The BoE and the relevant prudential supervisor will make the decision to put a firm into the resolution regime, having consulted HMT. The Banking Act clearly sets out the roles and powers of the respective authorities. HMT (as part of the U.K. government) is responsible for proposing any amendments to FSMA, which must be passed by parliament before they can become law. The statutory framework recognizes the importance of there being a credible and publicly available framework in place to avoid regulatory and supervisory gaps. In the banking regulatory framework of the EU, the EBA is a competent authority for the purposes of functioning of colleges of supervisors, whilst not bearing any supervisory responsibilities. The European Commission is in charge of regulatory matters for the whole EU, but has no supervisory powers. |
| EC 2 | The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. |
| Description and findings re EC 2 | In discharging its functions, the PRA, as the prudential supervisor for all deposit-takers, is assigned the primary objective of promoting the safety and soundness of PRA-authorized persons (S2B FSMA). The PRA also has a secondary competition objective, which does not conflict or override the primary objective. This requires that when discharging its general functions in a way that advances its objectives, the PRA acts so far as reasonably possible in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. |
| EC 3 | Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile 20 and systemic importance.21 |
| Description and findings re EC 3 | In the United Kingdom, banks are required to meet the Threshold Conditions set by FSMA (Schedule 6) and comply with rules made by the PRA and FCA, in order to be authorized and to continue to be authorized. The Threshold Conditions include, in particular, the obligation to have adequate financial resources. While they are not requirements directly applying to firms in the same way that rules do (i.e., a failure to meet Threshold Conditions cannot be used as a basis for fining a firm), the Threshold Conditions impose requirements on the regulator in relation to the authorization and on-going supervision of the firm, giving them power to act and forming the basis of the trigger for resolution of a bank. The PRA routinely sets Pillar 2A capital for credit, market, counterparty and operational risks where Pillar 1 capital requirements are found to underestimate risk. The PRA also sets Pillar 2A capital for IRRBB, credit concentration risk and pension obligation risk, which are not captured under the Pillar 1 regime. It may also set capital for other risks depending on their materiality to the firm.22 The sum of Pillar 1 and Pillar 2A requirements represent the individual capital guidance (ICG), i.e., the amount of capital a bank should hold at all times; the PRA expects banks to meet Pillar 2A with at least 56 percent of CET1 and no more than 25 percent of Tier 2 Capital, i.e., reflecting the composition of Pillar 1 capital. Firms may be expected to hold additional Pillar 2B capital (PRA buffer) to ensure that they continue to meet minimum capital requirements during a stressed period (as estimated under either the concurrent stress test (CST),23 for the largest banks, or own stress tests, for the remaining ones). Where the PRA assesses a firm’s risk-management and governance (RM&G) to be significantly weak, it may also set the PRA buffer to cover the risks posed by those weaknesses until they are addressed. Another component of the PRA buffer is meant to cover losses that may arise under a severe stress scenario and is informed by the results of stress test exercises (either the CST, for the largest banks, or own stress tests, for the remaining ones). In addition, the PRA can take into account other factors when carrying out the buffer assessment, including a bank’s systemic importance. Given the potential overlap between the risks covered by the PRA buffer and those addressed by the capital conservation and systemic buffers set forth by CRD, the PRA buffer is generally set as the excess—if any—over and above the CRD buffers. Both the PRA and FCA also have the power to alter or revoke rules, and to modify or waive rules in particular cases (FSMA S138A). Where the PRA or FCA proposes to make rules, it must publish a draft of the proposed rules in the way appearing to it to be best calculated to bring them to the attention of the public. The draft rules must be accompanied by a cost-benefit analysis; an explanation of the purpose of the rules; an explanation of the reasons why they believe that making the proposed rules is compatible with its general duties under FSMA; and a notice that representations may be made about the proposals within a specified time (S138I of FSMA). The PRA and FCA have strong enforcement powers, including the power to issue unlimited financial penalties and publicly censure firms and individuals. The regulators’ enforcement powers are set out in S66 FSMA (in relation to individuals) and in Part XIV FSMA (S205 and S206) (in relation to firms). If the PRA identifies any breach of the PRA’s rules, it could take steps to enforce against the firm which is in breach. There are a wide variety of enforcement powers available to the PRA and the fines that can be imposed are substantial (see EC 6 for further explanation). |
| EC 4 | Banking laws, regulations, and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. |
| Description and findings re EC 4 | The current CRD/CRR framework, adopted in 2013, represents the third reincarnation of the CRD originally issued in 2006, then modified and issued as CRD II in 2009 and updated again in 2010 (CRD III) each time following a public consultation process. EBA technical standards and guidelines are also subject to formal public consultations. The PRA and FCA update their rules and their guidance on a regular basis to take account of market changes.24 Updates are also made as and when necessary to implement new EU rules in the form of Directives. However, significant portions of the prudential framework for U.K. banks is directly applied under EU Regulations (the CRR), which are made and amended by the European authorities and are not implemented through PRA rules. Where either regulator proposes to make rules, it must publish a draft of the proposed rules in the way appearing to it to be best calculated to bring them to the attention of the public. The draft rules must be accompanied by a cost-benefit analysis; an explanation of the purpose of the rules; an explanation of the reasons why making the proposed rules is compatible with the regulator’s general duties under FSMA; and a notice that representations may be made about the proposals within a specified time (S138I FSMA). This affords the industry and others an opportunity to comment on proposed rule changes before they are made. |
| EC 5 | The supervisor has the power to:
|
| Description and findings re EC 5 | CRD Art. 65 requires MSs to provide NCAs to have information gathering and investigatory powers for the exercise of their functions. Art. 97 expects NCAs to have the ability to conduct supervisory review and evaluation to comply with CRD and CRR. The PRA and FCA have full access to a bank’s Board, management, staff and records by virtue of their powers to gather information under S165 of FSMA and to appoint persons to conduct investigations under S167 and S170 of FSMA. PRA Fundamental Rule 7 requires a firm to deal with its regulators in an open and cooperative way and to disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice. Failure to provide information required by either regulator in an investigation without reasonable excuse can be punished by the court in the same way as being in contempt of court. Knowingly providing materially false or misleading information to the PRA constitutes a criminal offence. Furthermore, destroying, concealing, falsifying or otherwise disposing of a document which is or may be relevant for an investigation will constitute a criminal offence where a person was aware or suspected that the regulators were likely to conduct any such investigation (S177 and S398 FSMA). The PRA and FCA may apply for a warrant to enter into the premises of a bank and obtain documents or information of a specified kind, where they suspect that a requirement to provide information is not being complied with or the documents or information would be removed, tampered or destroyed if such a requirement were imposed (S176 of FSMA). Any person who intentionally obstructs the exercise of any rights conferred by a warrant will be guilty of an offence. These powers can be exercised by the PRA in relation to U.K. incorporated firms (including U.K. subsidiaries of overseas firms) as well as in relation to U.K. branches of overseas firms (in the case of an EEA firm, in line with the allocation of responsibilities between the home and host supervisor under European law). In principle, the investigatory powers can be used in other jurisdictions, although the ability to enforce them in other jurisdictions may be limited by overseas legal requirements. However, a failure to cooperate with such an inspection may involve a breach by a firm of PRA Fundamental Rule 7, which requires firms to deal with regulators in an open and cooperative manner and may call into question the firm’s compliance with the Threshold Conditions for authorization. |
| EC 6 | When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to:
|
| Description and findings re EC 6 | CRD provides a common framework where NCAs are expected to have the power to withdraw the authorization granted to a credit institution (Art. 18), to impose penalties (Art. 64), to require an institution to take corrective actions (Art. 102), and for the NCAs to require corrective actions (Art. 104). The EU framework for resolution is established in the BRRD. The PRA and FCA have powers under FSMA to take action against banks that do not comply with the requirements set out in FSMA, the secondary legislation under FSMA, and in their rules. Corrective action and revocation of license: In cases where the bank is failing or likely to fail to satisfy Threshold Conditions (including the requirement to conduct business in a prudent manner, considering the effect that carrying on such a business or the bank failing can have on the stability of the U.K. financial system), the regulators may change the bank’s permission on their own initiative under S55J of FSMA (own initiative variation of permission (OIVOP)). They may also exercise this power to meet any of their regulatory objectives. An OIVOP may include withdrawing a bank’s authorization, and limiting its ability to accept deposits. In addition the FCA or the PRA may impose requirements on banks, including a requirement to do or not do a specified action (S55L and S55M of FSMA). Imposition of sanctions: Where a bank has contravened a requirement imposed on it by or under FSMA, the PRA or FCA may take disciplinary actions under Part XIV of FSMA which may include:
The BoE is the designated resolution authority for the United Kingdom. There are two key conditions that must be met before a firm can be put into resolution. The first condition is that the firm must be failing, or likely to fail. This assessment is made by the prudential supervisor (the PRA, or the FCA for those firms regulated solely by the FCA), having consulted the BoE as resolution authority. The second condition is that it must not be reasonably likely that action will be taken—outside resolution—that will result in the firm no longer failing or likely to fail. This assessment is made by the BoE as resolution authority, having consulted the PRA or FCA, and HMT. |
| EC 7 | The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. |
| Description and findings re EC 7 | The CRD (Art. 4) requires MSs to empower their NCAs to monitor the activities and obtain the information needed from FHCs and MFHCs. It also provides a legal framework to conduct consolidated supervision (Arts. 111–127). The PRA supervises large complex groups on a consolidated basis, even where the holding company is technically not a regulated legal entity. Where parent companies and their affiliates are ‘credit institutions’ or ‘investment firms’ (as defined in Art. 4 of CRR), they are supervised under the CRD and required to comply with general prudential requirements specified in the CRD/CRR. Parent companies that are holding companies fall outside of the scope of the CRR. The Financial Services Act 2012 gave the PRA and the FCA two new powers over ‘qualifying parent undertakings,’ i.e., U.K.-based parent companies of U.K.-authorized entities, which are not themselves authorized entities (see FSMA S192B and S192C). These powers are: (i) a power to give directions to individual qualifying parent undertakings, requiring them to take specific actions or to refrain from taking specific actions; and (ii) a power to make rules requiring qualifying parent undertakings to provide to either regulator information or documents of a specified description. Both regulators have issued policy statements on use of the power to issue directions over qualifying parent undertakings. The PRA’s power of direction over qualifying parent undertakings can be used by the PRA to require qualifying parent undertakings to provide information/documents in respect of activities of companies affiliated with such parent undertaking. The PRA’s specific rule making power could be used to impose rules requiring all qualifying parent undertakings to provide specified information to the PRA on the request of the PRA. This could be for the purpose of obtaining information from the qualifying parent undertaking in respect of affiliated companies to determine the impact of such companies on the safety and soundness of the relevant PRA authorized bank or the banking group. However, to obtain information on companies affiliated with the banking group, the PRA may also choose to use its information gathering powers over the PRA authorized entity. These rules require the PRA authorized entity to permit the PRA to have access to any document that the PRA reasonably requests (Rule 4.1 of the Information Gathering Part of the PRA Rulebook). |
| Assessment of Principle 1 | Compliant |
| Comments | The new financial regulatory architecture introduced by the Financial Services Act 2012 has formally separated the prudential and conduct supervision functions on deposit-takers, assigning the former to the PRA and the latter to the FCA. This somehow addresses one of the main concerns raised by the previous FSAP mission, i.e., an unclear and ultimately unbalanced allocation of effort and resources between the two macro-objectives, with the prudential one eventually crowded out by an increasing emphasis on conduct issues. The Act provides greater clarity by dividing these mandates and assigning them to two separate agencies, each one subject to specific accountability requirements; it is less clear whether it also addresses in a substantial way the unbalanced allocation of resources (see CP 2). The 2012 law also reformulates the two agencies’ objectives, assigning to the PRA a primary objective and defining it more clearly than it was the case for the FSA: while the FSA was tasked with four statutory objectives (market confidence, consumer protection, reduction of financial crime, and—from 2010—financial stability), with no guidance on how to deal with the trade-offs among them and no explicit mention of the safety and soundness of banks, the PRA has, as its primary objective, that of promoting the safety and soundness of PRA-authorized persons. It also has to act in a way that facilitates effective competition in the markets for services provided by PRA authorized persons. This represents a secondary objective: while the PRA must consider the effect on competition when exercising its general functions in areas such as rule making, general policy, and Supervisory Statements (SS) and codes, in any circumstance in which there is a conflict between the promotion of competition and the PRA’s primary objective, the action that promotes the primary objective will have to take precedence. The FSA had also set for itself a number of principles related to good regulation that it had committed to ‘have regard to’ when discharging its functions. Among them: the international character of financial services and markets and the desirability of maintaining the competitive position of the United Kingdom; and the need to minimize the adverse effects on competition that may arise from anything done in the discharge of its functions. These were also rightly cited in the previous FSAP as elements likely to weaken the supervisor’s focus on prudential issues.25 The PRA objective function is formulated exclusively in terms of statutory objectives and is accompanied by a more narrative document (‘The PRA’s Approach to Banking Supervision,’ April 2014), which reconfirms the hierarchy of its primary and secondary objectives and describes how it has organized itself to achieve them. The law also states that the PRA’s general objective is to be advanced by seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system and clarifies that the PRA is not expected to ensure that no PRA-authorized person fails: this helps to understand the PRA’s apparent degree of risk appetite and its supervisory approach (see CP 8), which entails a relevant allocation of resources to the supervision of the largest, systemic banks, at the price of a significantly less intense and intrusive approach on the medium and small banks. While the prioritization adopted by the PRA makes sense from a financial stability perspective, it may raise concerns regarding reputational risk for the supervisor: as the recent financial history in the U.K. has demonstrated, a failure doesn’t need to concern a systemic bank for the trust of general public in the banking system to be undermined. Nor a supervisor can necessarily afford the risk of being perceived, ex-post, as having not been sufficiently intrusive—and, ultimately, effective—in the case of failure by a less-than-systemically important bank, even absent any relevant consequence for financial stability. The disruption to financial services and the losses on non-insured deposits caused, for example, by the failure of a mid-size regional bank could affect enough customers to garner public scrutiny and potentially discredit the supervisor’s reputation and credibility, should the intensity of its previous supervisory action be perceived as insufficient. Further considerations on the PRA resourcing are presented in CP 2. The FCA has a strategic objective (good functioning of financial markets) and three operational objectives that do not appear to conflict with or override the main one: securing an appropriate degree of protection for consumers; protecting and enhancing the integrity of the financial system; and promoting effective competition in the interests of consumers. Since April 2013 the FPC operates as the United Kingdom’s macroprudential authority, with the primary objective of contributing to protect and enhance the stability of the U.K. financial system. The law gives the FPC the power to make recommendations to the PRA and the FCA to take measures to mitigate risks in relation to any aspect of their regulated entities (but not focused on a specified individual entity) and to give directions to the PRA and FCA to deploy specific macroprudential tools prescribed by HMT (like the CCB, the SCR, and the limits on residential mortgage lending in terms of loan-to-value ratios and debt-to-income ratios). The experience with the deployment of macroprudential tools by the PRA/FCA under the direction of FPC is still recent and immature: the countercyclical and sectoral buffers have not been activated yet, while limits on residential mortgages have been applied in a limited form (the PRA and the FCA were required to ensure that mortgage lenders limit the proportion of mortgages at loan to income multiples of 4.5 and above to no more than 15 percent of their new mortgages). There is then limited evidence, until now, about either the effectiveness of the tools in achieving their aim or the operational burden imposed on the microprudential regulators by the enactment of the macroprudential measures: at this stage it seems that cooperation, especially between the BoE and the PRA, is favoring the dialogue between specialists and, ultimately, the deployment of the potential synergies stemming from having both the macro and micro dimensions of prudential supervision under a single roof (‘one bank’). The ‘trade’ of resources between the two sides also appears as fairly balanced, so far: the financial stability experts of the BoE contribute with their view of the macroeconomic and macrofinancial situation, while the specialists and supervisors from the PRA provide their more on-the-ground expertise and active collaboration (e.g., in running the CSTs). The concern, expressed by the previous FSAP, that “the new macroprudential overlay [might] divert resources from effective core supervision” does not seem to have materialized, so far. But this statement needs to be reassessed dynamically: the CST is already absorbing a significant amount of time, energy, and resources, and its further evolution, if not accompanied by an accurate program in terms of recruiting, staff retention, and training, might end up exacting an excessive toll on the micro side of prudential supervision. The powers over parent undertakings, assigned to the PRA and the FCA in 2012, appear as broadly adequate to allow the two authorities to assess the impact of non-regulated parent and affiliated companies on banks, though they would not allow them to exercise on such entities the same powers they have on regulated entities: for example, the APR and, from March 2016, the SMR would not apply to the directors of a non-financial holding—unless, of course, they also have directive/managerial roles in the controlled regulated entity. However, the new powers look broad enough and, when coupled with the extensive powers of requesting information to regulated entities that the PRA and FCA already had, they should allow them to obtain the information needed to assess the impact that parent companies (and, through them, affiliated companies) can have on the safety and soundness of a bank or banking group. |
| Principle 2 | Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. |
| Essential criteria | |
| EC 1 | The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. |
| Description and findings re EC 1 | The independence of the PRA and FCA, the supporting governance and accountability arrangements are set out in statute (the FSMA 2000), and in the articles of association of each body which are publicly disclosed (see also EC 3). The PRA is established as a company limited by shares with the BoE as the sole shareholder. The majority of its Board members are, by law, independent nonexecutives. The Court of the BoE (which is its governing body) approves the PRA’s budget. The FCA, established as a private company, has operational independence in conducting its activities, notwithstanding its ultimate accountability for performance of its statutory objectives to the government and parliament. Both the FCA and PRA are financed by fees they are directly empowered to levy on industry by statute, subject to consultation, and neither body is subject to budgetary control by central government. The PRA is required to publish this budget and any variation, and is responsible for annual reporting. The government has no involvement in the day to day operation of the regulators and has only very limited powers of direction in circumstances specified in legislation. Briefly, HMT may direct the regulators as follows:
The last point, in particular, refers to the new powers of investigation brought in through the Financial Services Act 2012. Under this Act, the FCA, and PRA are required to investigate and make a report to the Treasury, to be laid before parliament, where there has been a serious failure in the system of financial regulation, or in the operation of that system, and certain conditions as set out in legislation are met. The Act also provides the Treasury with the power to direct either the FCA or PRA that conditions for an investigation appear to have been met if, for example, it disagrees with the regulators assessment. It is also possible for the Treasury to direct either regulator to carry out an investigation solely on the grounds it believes it would be in the public interest, and there has been (and is) no investigation by the regulators into the event in question. The Treasury has announced the intention to use this power only once to date, in November 2013, by ordering an independent investigation into the events at the Co-op BoE and the circumstances surrounding them. However, as the FCA and PRA also announced the intention to launch formal enforcement investigations on the case, the Treasury clarified that “The independent investigation under the Financial Services Act will therefore not start until it is clear it will not prejudice any actions the relevant authorities may take, including the potential FCA and PRA enforcement investigations.” The PRA has concluded its enforcement action against two former senior Co-op BoE employees but, at the time of the assessment, the FCA made it clear that they were not at the stage where it was clear that there would be no such prejudice. Consequently, no HMT investigation had started yet. The nature of the legal provision and the evidence drawn from the only case when it was applied lead to interpret it as an instrument for ex-post accountability in cases of potential regulatory failure, rather than as a potential source of ex-ante interference in supervisory action. |
| EC 2 | The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. |
| Description and findings re EC 2 | Schedule 1ZB of FSMA includes the requirement for the BoE’s Governor to be Chair of the PRA and the Deputy Governor for Prudential Regulation to be Chief Executive of the PRA. Both the governor and deputy governor for Prudential Regulation are appointed by the Queen under Section 1(2) of the BoE Act 1998, on the recommendation of the Prime Minister and Chancellor. The governor and deputy governors for Prudential Regulation and Financial Stability are members of the PRA Board ex officio. They can be removed from office by the BoE, with the consent of the Chancellor of the Exchequer, if considered unable or unfit to discharge their functions as members. All appointed members of the PRA Board must be appointed by the court of directors of the BoE with the approval of HMT para. 6 of Schedule 1ZB FSMA). The grounds for removal of an appointed member are set out in FSMA (para. 14 of Schedule 1ZB) and include the grounds of incapacity or serious misconduct and significant conflicts of interest. Schedule 1ZA of FSMA includes details of the FCA’s constitution; this includes a requirement (para. 2 of Schedule 1ZA) that the chairman and other members of the FCA’s governing body must be appointed, and be liable to removal from office, by the Treasury (two members are required to be jointly appointed by the Treasury and the Secretary of State). The requirements include provision detailing the circumstances in which the Treasury may remove the chairman or other members from office (para. 4 Schedule 1ZA). As for the PRA, these include the grounds of incapacity or serious misconduct, and significant conflicts of interest. From April 1, 2013, the Treasury appoints the Chairman of the FCA for a minimum term of five years and the CEO for a minimum term of three years. According to the BoE Act, the Chair of the PRA (BoE Governor) is appointed by the Queen for a term of eight years (though the current governor has indicated he intends to serve for five years). The CEO of the PRA is appointed by the Queen for a term of five years from April 1, 2013. There are no legal provisions requiring that the reason(s) for removal of the head(s) of the supervisory authorities be disclosed. Appointed members of the Boards of both organizations are generally appointed for a standard minimum term of three years. In some cases initial appointments have been for less than three years to stagger changes in the nonexecutive membership. |
| EC 3 | The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.26 |
| Description and findings re EC 3 | The PRA and FCA objectives are set out in the legislation as summarized in EC 3 of Principle 1. The PRA’s approach to supervision is published. The PRA is accountable under FSMA for its performance against its statutory objectives through the power, assigned to HMT, to appoint an independent person to review the economy, efficiency and effectiveness with which the PRA has used its resources in discharging its functions (S2O). This power had never been used by the Treasury at the time of the assessment. HMT can also require the PRA to undertake an investigation into any “relevant events,” where HMT considers it to be in the public interest and the PRA has not undertaken, or is not undertaking, an investigation already (S77 of the Financial Services Act 2012). As said in EC 1, an investigation of this kind has been announced and immediately suspended to wait for the outcome of investigations to be conducted by the PRA and FCA. FSMA also requires that the PRA:
The FCA is accountable under FSMA for its performance against its statutory objectives through a separate but similar structure:
In addition, the Treasury Select Committee of the house of commons, from time-to-time considers the performance of the PRA and FCA in carrying out their functions under FSMA, and requires the senior executives of the PRA and FCA to appear before it. Lastly, the recipients of PRA and FCA decisions may challenge those decisions before the Upper Tribunal, where this is expressly stated by FSMA or, otherwise, via judicial review. |
| EC 4 | The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. |
| Description and findings re EC 4 | The PRA’s supervisory internal governance is operated through the PRA Regulatory Decision Making Framework Guide. The guide provides all staff with information on all relevant processes and provides clear guidance on how to take decisions at a level appropriate to the significance of the issue. When the guide is updated this is communicated to all staff. The PRA has a dedicated Secretariat which supports and manages PRA’s internal governance and its associated committees. The Secretariat works with the entire business to schedule decisions in a timely manner within a centralized forward agenda and for pre-scheduled meetings. If there is a need for decisions to be taken in an emergency then the Secretariat have procedures in place to arrange ad-hoc meetings or, if appropriate, decisions can be made considered by written procedure. The PRA Board reserves to itself certain decisions, including supervisory decisions in relation to the largest and most systemically significant firms but delegates other decisions to the CEO of the PRA; in practice he is advised in relation to these decisions by the Supervision, Risk and Policy Committee. Details of these delegations are set out in “Delegations and Matters Reserved to the Board” which is published on the BoE website. The PRA policy on conflict of interest of the “appointed members” of the PRA Board is public. At the FCA there is a process for escalation of supervisory decisions in place and the criteria around decisions for escalation are set out and available to all Supervisors. There is a framework in place for business as usual (BAU) supervisory decisions such as sign-off of the Firm Evaluation (which sets out the supervisory approach for the coming regulatory period); Interim Review, Deep Dives findings letters, Risk Mitigation Programs, etc. Supervisory decisions outside of BAU are first escalated to the Divisional Supervisory Risk Committee (DSRC), a subcommittee of the Executive Regulatory Issues Committee (ERIC). Decisions may be escalated from DSRC to the FCA’s Executive Committee (ExCo) if appropriate. ExCo is the FCA’s final decision making body. The executive team is made up of the nine members of the ExCo, including the CEO, chief operating officer (COO), director of supervision and authorization, the director of enforcement and market oversight, and the director of strategy and competition. It discusses issues across all areas of the organization and is responsible for implementing the strategy set at Board level. The FCA’s Board sets ExCo’s strategy annually and gives ExCo its decision making powers. The Board is informed of certain ExCo decisions for further sign-off, e.g., significant spending decisions; changes to the FCA’s Handbook. Directors are required to declare any conflict of interest (S175 of the Financial Services Act 2012). The interested director absents him or herself from the discussion of matters relating to the conflict and is excused from review of papers prepared by, or for, the directors to the extent they relate to such matters. |
| EC 5 | The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. |
| Description and findings re EC 5 | All staff in the PRA are covered by the BoE’s recently updated Code of Conduct. This document, which was rolled out in June 2015, brings together policies which previously existed in different places. The policies were also updated as a part of this process. The Code includes sections on records management and Information security as well as a broader range of policies around the management of potential sources of conflict of interest and impartiality (see http://www.bankofengland.co.uk/about/Documents/humanresources/ourcode.pdf). The FCA’s Code of Conduct is also public (see http://www.fca.org.uk/your-fca/documents/code-of-conduct). |
| EC 6 | The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes:
|
| Description and findings re EC 6 | The PRA and FCA have powers to require the payment of fees, with the cost of banking supervision being met by an annual fee (authorization being charged for separately). Their fee charging power is set out in FSMA (PRA in para. 31 of Schedule 1ZB and FCA in para. 23 of Schedule 1ZA). In making such rules, the PRA and FCA are required to follow the consultation procedures in S138I and M138J of FSMA. Budget and business planning takes place on an annual basis. The PRA budget includes provision of technology to equip staff with tools to carry out their roles. This is divided into ongoing support costs and investment in new technology. Much of the investment budget is targeted at adoption and implementation of European and national legislation. Travel budget to enable effective onsite work, cross-border cooperation and participation in relevant domestic and international meetings is also provided in the budget, and targeted at areas with a high requirement for travel such as Policy and International Banking areas. FSMA (S166) gives the PRA and the FCA power to require any regulated firm or member of its group, to provide it with a report by a skilled person.27 The PRA commissions the report and the firm concerned pays for a skilled person to produce it. This provides both the specialist resources and necessary expertise to review areas of concern identified within a firm and/or the effectiveness or remedial action a firm has taken. The PRA’s pay policy with regards to market position is that it aims to pay median against the private sector, and upper quartile against the public sector in order to attract, retain and motivate the key skills required within the BoE. The PRA’s salary scales are reviewed every two years. The identification of skills required and activity to rectify any skill gaps is conducted on an annual basis in the following ways:
In order to strengthen leadership across the organization, the PRA introduced developmental reviews for all senior leaders and reviewed its succession planning approach. The PRA also reviewed its leadership training and introduced 360 feedback for all managers. The PRA is doing work to articulate different technical and managerial career paths across the BoE—including when to think about building breadth versus depth. Applying for an internal job vacancy is the core promotion route for all staff. Additionally there is a promotion framework for experts, which can be applied to roles where there is a business requirement for longer than average tenure, and deep technical or professional experience. This process has typically been relevant for risk specialist roles, and involves a set of clearly defined promotion criteria. The most recent FCA fees consultation paper (CP 15/14) consulted on the proposed fees to raise the FCA’s Annual Funding Requirement (AFR) for 2015/16. CP 15/14 was published at the same time as the FCA’s 2015/16 Business Plan which set out how the AFR will be used to undertake the work program to achieve the FCA’s statutory objectives in 2015/16. The Business Plan includes the budget to:
S166 of FSMA gives the FCA and the PRA the power to obtain an independent view of aspects of a firm’s activities that cause them concern or where they require further analysis. The appointment of a skilled person can either be by the regulated firm or directly by the FCA. In each case, the FCA sets the scope of the review and the costs are borne by the regulated firm. The 2014/15 FCA Annual Report (Appendix 1) sets out details of the reviews undertaken, the skilled persons appointed and costs. The FCA budget and business planning process includes the determination of:
In the discussion with the supervisors and specialists and from the analysis of the documentation provided, the assessors perceived and found evidence of a situation of strain for staff, especially—but not only—as regards specialist resources. |
| EC 7 | As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. |
| Description and findings re EC 7 | PRA supervisors bridge gaps in skill sets and knowledge through accessing training made available both through the central learning and development team and through local team-level training frameworks. The identification of skills required and activity to rectify is conducted on an annual basis. This includes a training needs analysis facilitated by the central team with input from across the supervision business areas; and a learning and development analysis conducted by individual supervisors and team managers through performance management. The FCA’s Annual Planning cycle includes people capability plans for each area looking at short and medium term capability needs. The supervisory function is represented on the ‘FCA Academy’ Advisory Group that directs investment in learning. |
| EC 8 | In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. |
| Description and findings re EC 8 | The frequency and intensity of the PRA’s supervisory activity varies across firms. The level of supervision principally reflects the PRA’s judgment of a firm’s potential impact on the stability of the financial system, and therefore its systemic importance; its proximity to failure and its resolvability. Those firms that are unlikely, individually, to create disruption to the wider financial system are subject to a baseline level of supervisory activity to ensure that they meet key prudential standards, whereas for higher-impact firms, the PRA makes use of a fuller selection of its supervisory tools. The PRA uses quantitative and qualitative analysis to allocate firms to five ‘categories’ of impact 1 to 5; 1 representing most significant firms with a capacity to cause major disruption to the U.K. financial system and 5 representing firms with a capacity to cause almost no disruption to the U.K. financial system. Supervisors also consider a firm’s proximity to failure when drawing up its supervisory plan. The PRA’s judgment about proximity to failure is captured in a firm’s position within the PIF; the framework aids supervisors in handling banks in times of stress. The supervisor assesses the firm against the PRA risk model to determine an overall assessment of the firm and a relative PIF rating. Additional work is performed, where necessary, to provide information on particular areas of concern, taking into account a firm’s resilience and resolvability, the prevailing market and economic conditions, and the business model of the firm. Supervisory concerns influence the PRA’s future supervisory program for a firm. For example, concerns about management, or systems and controls, influence the PRA’s attitude to the growth of a business, including via acquisition, or to new appointments to significant influence functions (SIF). The FCA considers risk to be the combination of impact and probability. It combines these impact and probability factors to obtain a measure of the overall risk posed to its statutory objectives. It then uses this measure to prioritize risks and make decisions on what its regulatory response should be. It also uses it to set its strategic aims and outcomes and to allocate resources based on its regulatory priorities. All firms are allocated a conduct categorization (C1 for the largest down to C4 for the smallest) on the basis of an impact score. Resources are then allocated on the basis of the conduct classification. For banks and building societies the impact scores are driven by total assets and liabilities and the number of depositors. The FCA then applies an additional weighting on the basis of sector. For example, retail banks’ impact score is higher than the score for investment banks as the FCA considers impact on retail consumers to be a significant additional factor in considering the risk posed by firms. C1 and C2 firms are allocated to a dedicated team of supervisors who undertake proactive supervision of these firms. The supervisory strategy is then set at a firm specific level by the Supervisory team on an annual or bi-annual basis. This includes deciding what proactive engagement meetings to undertake, what deep dives to do, etc. C3 and C4 firms do not have a named supervisor and are not subject to the same level of proactive supervision. Instead they are supervised on a cluster or thematic basis and when risks crystallize. Banking and insurance groups with the largest retail customer footprint (e.g., major U.K. retail bank and wholesale firms with the most significant market presence) are rated C1; there are normally between 10 and 12 C1 groups. In December 2014 the FCA announced a revised supervisory strategy to enable a more market-focused approach to identifying risks and supervising firms (see CP 8–EC 1). |
| EC 9 | Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
| Description and findings re EC 9 | FSMA provides that both the PRA, FCA and any person who is, or is acting as, a member, officer, or member of staff of either body is not liable in damages for anything done or omitted in the discharge, or purported discharge, of the PRA’s or FCA’s functions (para. 25 of Schedule 1ZA and para. 33 of Schedule 1ZB). There have been no examples where PRA staff have been liable for damages. However, this protection does not apply if the act of omission is shown to have been in bad faith, or unlawful as the result of S6(1) of the Human Rights Act (HRA) 1998.28 The regulators cover the legal costs of defending their staff in legal actions against them in relation to their work as PRA or FCA employees. They both have the power to require the payment of fees, to cover the costs of defending its actions. |
| Assessment of Principle 2 | Largely Compliant |
| Comments | The U.K. framework is compliant with the requirements of independence, accountability and legal protection for supervisors set in this principle. In particular, HMT powers of direction on the regulatory authorities do not appear to affect day to day supervision and there is no evidence that they have been used to constrain supervisory independence. While there are no legal provisions requiring that the motivation for removal of the head of the supervisory authorities be disclosed, there is no reason to think that such an extreme event would not attract intense public scrutiny in a system, like the British one, characterized by reasonably transparent and accountable public institutions. An element of limited compliance has been identified in the resourcing arrangements, especially for the PRA. In the discussion with the supervisors and specialists and from the analysis of the documentation provided, the assessors perceived and found evidence of a situation of strain on staff, especially—but not only—as regards specialist resources (e.g., see CP 16). This is certainly caused by the convergence of new and challenging projects, like the preparatory works for the structural reform (ring-fencing policy) and the SMR. It is a condition shared by many other supervisory authorities around the world, because of the intense effort to implement the vast post-crisis regulatory reform agenda. But in the case of the U.K. authorities, the strain on resources is intensified by the same nature of the U.K. financial sector and, in particular, by the status of London as global financial marketplace that attracts activities often at the frontier of financial innovation and demands an exceptional effort for the authorities to keep up with the evolution of risks in the firms they supervise. This strain is not expected to abate in the next future, as the authorities are likely to be increasingly absorbed by their ordinary supervisory schedule; by new promising—but demanding—activities (e.g., the CST, especially if it will extend to a wider range of firms); and by the challenges posed by the emergence of new risks (e.g., cyber risk). The dynamic nature of the London marketplace also entails a high degree of competition in the recruitment of particularly skilled resources (like the risk specialists). The PRA’s intent to pay median against the private sector is a reasonable policy, but does not ensure the level of staff retention that it would need: it is not uncommon for recent entry-level hires to consider a few years’ worth of experience at the supervisory authority as a springboard for a more profitable career in the private sector. The assessors found indirect confirmation of a potential difficulty by the supervisors (especially the PRA) in managing the consequences of their high churn rate in observations raised by a number of market participants: in particular, of a frequent rotation of their main counterparts (e.g., lead supervisors) and of the low relative seniority of the PRA personnel they sometimes find at meetings (e.g., senior managers interviewed by staff with five or less years of experience). It must be recognized that following the move to replace the single FSA with two focused regulators in the PRA and FCA, the cost of regulation and supervisory resources have increased. As reported in the recent NAO report into Regulating financial services, the “combined cost of their ongoing activities in 2013–14 is GBP 664 million–GBP 127 million (24 percent) higher than the 2012–13 cost of the FSA.” The combined budgets for 2015/16 of the PRA and FCA (based on AFR) is GBP 739.4 million. However, at least in the case of the PRA, the increase is in large part due to fees linked to the implementation of special projects, such as the structural (ring-fencing) reform. The PRA has committed itself to set its budget at a level “no higher than the flat real cost of operation” as it seeks to ensure that it is operating as efficiently as possible.29 While this is a commendable commitment by an authority accountable to the public and called to supervise a financial sector that is still dealing with the consequences of its past excesses, it entails a constant quest for resource optimization and the risk of potentially weakening the supervisory action. The question arises of whether a flat real cost of operation for the prudential supervisor of hundreds of firms (among which four global systemically important banks) is compatible with the perspective of a financial sector that, in the perception of the same authorities, is in the condition of growing further in real terms. The PRA also seems to be aware of these tensions and willing to address it through the ongoing revision of its Target Operation Model. Overall, the assessors realize that this is an extremely complex and almost intractable issue and do not think that they can recommend any easy solution (although some specific suggestions for measures partially addressing it are offered in some of the following CPs). Nonetheless, because of the size and complexity of the U.K. financial sector and of its centrality in the network of international financial connections, it represents an issue of globally systemic nature. As regards the technological equipment of the PRA, the assessors found—within their limited observation window—a generally satisfactory situation in terms of IT systems. But they also perceived a certain difficulty in flexibly aggregating data to respond to relatively simple requests; if confirmed, this would cast a shadow on the availability of flexible analytical capacity to appropriately feed the management information (MI) that supervisors and senior managers need. |
| Principle 3 | Cooperation and collaboration. Laws, regulations, or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.30 |
| Essential criteria | |
| EC 1 | Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. |
| Description and findings re EC 1 | Art. 5 CRD establishes that MSs must have coordination measures with all domestic authorities responsible for supervision of “credit institutions, investment firms and financial institutions.” FSMA establishes a number of general coordination mechanisms between the PRA and FCA:
The PRA has never exercised, to date, its veto power over FCA action. There are also specific requirements in FSMA as to how the PRA and FCA will coordinate regulatory processes where both authorities are involved. This includes a duty to consult on relevant policy initiatives. In practice this collaboration often occurs at working level with oversight by directors through a policy coordination committee which meets quarterly. This ensures that both authorities have appropriate input into the process. In order to ensure a joined up and holistic approach to the supervision of firms, the FCA and the PRA have a series of MoUs in place. These are publicly available documents and include:31
The overarching MoU between the FCA and PRA sets out the requirement to establish domestic supervisory colleges for individual dual-regulated firms and groups to ensure that information is shared efficiently between the two regulators and that each has a complete overview of the firm. This approach is set out in Section 25 of the FCA/PRA MoU: http://www.bankofengland.co.uk/about/Documents/mous/prastatutory/moufcapra.pdf. In accordance with the MoU, FCA, and PRA directors meet quarterly to discuss policy coordination. This ensures that collaboration is thorough, constructive and at the appropriate level. Both the PRA and FCA report on performance against the MoU on a quarterly basis. This was most recently conducted in July 2015. This reporting identifies areas of risk in the PRA/FCA relationship, which can then be addressed at the policy coordination meeting or at working level if appropriate. The most recent policy coordination meeting, held in July 2015, included discussion of EU engagement, FSCS and the implementation of the SMR. Where the FCA and PRA firm classifications are not commensurate with each other, the minimum frequency of colleges is based on the higher of the firm’s FCA and PRA classifications unless the FCA and PRA Supervisors agree to base it on the lower classification. The PRA and FCA also work closely with the BoE and HMT to ensure the soundness of the U.K. financial system. The legislation provides for the co-operation of the PRA and the FCA with the BoE (S3Q), requiring both to take appropriate steps to cooperate with the BoE in the BoE’s pursuit of its financial stability objective. The BoE and PRA work closely with the FCA in the collection and management of regulatory data. Much regulatory data for PRA firms continues to be collected by the FCA. This includes reporting via the FCA’s GABRIEL system, the submission of firms’ controllers and close links reports and the reporting of changes to firms’ standing data.32 Coordination between the PRA and the FCA is assisted by the membership of their CEOs on each other’s Board. The FCA, PRA, and BoE are also members of the FPC. This is vital in supporting the flow of information across the different bodies and forging an understanding of approaches and likely reactions to events. At a working level, dedicated teams are responsible for co-coordinating analysis, and sharing information, across the FPC, FCA, and PRA. The CEO of the FCA is a voting member of the FPC and the FPC has the authority to make recommendations on a comply-or-explain basis to the FCA. There is also a MoU between HMT, the BoE, and the PRA on how they intend to coordinate the discharge of their functions in relation to financial stability or the public interest (S65 of the Financial Services Act 2012). Under the terms of the coordination MOU, the FCA, and PRA share data on firms, both dual regulated, and in some cases non-dual regulated, in order to maintain a complete view of the market. Performance against these requirements is reviewed quarterly at CEO level and proactive action taken to address issues as appropriate. Both organizations are required to publish a summary of coordination performance in their annual reports. An international coordination MoU sets out how HMT, the BoE, the PRA, and the FCA will ensure their engagement in international organizations is coordinated effectively (S66 of the Financial Service Act 2012). In their meetings with market participants the assessors recorded an overall positive opinion on the coordination and cooperation between domestic authorities: in the case of that between the PRA and FCA, it was perceived as better than initially expected. |
| EC 2 | Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. |
| Description and findings re EC 2 | CRD Art. 6 establishes that NCAs should cooperate with the other authorities within the ESFS. CRD Art. 7 establishes that NCAs should consider the impact of their decisions on the financial stability of other EU members. CRD Art. 50 establishes that NCAs should cooperate with each other supplying information on management and ownership of institutions, and all information that can facilitate supervision and monitoring. CRD Art. 55 establishes that MSs and EBA can conclude Cooperation agreements with non-EU authorities to exchange information. CRD Arts. 56 and 57 establish the cases where exchange of information between authorities within the EU and outside the EU (see EC 3). CRD Art. 112, more specifically, describes the obligation of coordinating supervisory activities by the consolidating supervisor within the EU. CRD Art. 115 determines that cooperation arrangements need to be in place between the consolidating supervisor and the other NCAs. CRD Art. 116 establishes that the consolidating supervisor must establish colleges of supervisors. Including ensuring cooperation with relevant third country supervisors. The article describes the general tasks of a college. Level 2 regulation, directly applicable to all EU member countries: EBA drafted, and the EC issued, a regulatory standard (Regulation 524/2014) that specifies the information that NCAs must exchange with each other according to Art. 50. The EC issued an implementing regulation (Regulation 620/2014) that outlines operational procedures and sets out standard forms and templates for information sharing requirements, which are likely to facilitate the monitoring of institutions that operate through a branch or through the exercise of the freedom to provide services. EBA regulatory technical standards (RTS) and implementing technical standards (ITS) on operational functioning of colleges of supervisors (published in December 2014, not yet approved by the EC). In order for the PRA (and FCA) to carry out effectively their supervisory activities, it is necessary for them, at times, to share and receive confidential information with overseas authorities. Such information sharing must take place only where professional secrecy obligations are in place that is equivalent to those set out in certain EU Directives. The PRA (and FCA) are party to a number of Memoranda of Understanding (MoUs) with overseas authorities that facilitate such information sharing. There exist also the less formal agreements, known as ‘Exchange of Letters’ (EoLs). Neither MoUs nor EoLs are legally binding. Prior to April 1, 2013, the FSA was party to a series of MoUs (and EoLs) with overseas authorities; a number of these were jointly signed with the BoE. Under transitional provisions in the Financial Services Act 2012, the FSA’s MoUs continue in effect with the relevant successor U.K. authority/authorities (i.e., PRA, FCA, and/or BoE). Such MoUs underpin the supervisory relationship and cooperation that exists between the PRA (and the FCA) and its counterparts. They are instrumental in ensuring that supervisory colleges are able to function effectively, with the free flow of non-public / confidential information that facilitates effective supervision. The FCA maintains close contacts with most supervisory authorities, building even further on these relationships through its membership of various international committees, including International Organization of Securities Commissions (IOSCO), FSB, International Association of Insurance Supervisors (IAIS) and FATF. It is also a member of the European Securities and Markets Authority (ESMA) and actively engages with the EBA and EIOPA in coordination with the PRA. The FCA has MoUs in place with many supervisors around the world. These formalize the way the cooperating with each other. The FCA participates in supervisory colleges to ensure international co-ordination amongst supervisors of global groups. |
| EC 3 | The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. |
| Description and findings re EC 3 | CRD Arts. 53–62 address exchange of information and professional secrecy for prudential supervision. Art. 53 establishes that “confidential information which such persons, auditors or experts receive in the course of their duties may be disclosed only in summary or aggregate form, such that individual credit institutions cannot be identified, without prejudice to cases covered by criminal law; except in the case the bank has been declared bankrupt, confidential information which does not concern third parties involved in attempts to rescue that credit institution may be disclosed in civil or commercial proceedings, shall not prevent the competent authorities from exchanging information with each other or transmitting information.” Art. 55 of CRD, regarding cooperation with non-member countries, establishes that information can only be provided if it is subject to professional secrecy requirements equivalent to those of the EU. Arts. 56 and 57 establish that, provided secrecy requirements are maintained, exchange of information in the discharge of supervisory functions is allowed with(i) other supervisory authorities; (ii) macroprudential authorities; (iii) “reorganization bodies;” (iv) deposit protection schemes; (v) liquidation authorities; and (vi) auditors. Authorities must communicate to EBA the names of all authorities that may receive information. Confidential information (i.e., any information which relates to the business or affairs of the person or firm in question unless already public or anonymized) that the PRA or FCA may receive in the course of carrying out its functions is subject to the restrictions on disclosure out in S348 FSMA. However, S349 FSMA and the FSMA (disclosure of confidential information) Regulations (SI 2001/2188) provide particular “gateways” which allow the PRA and FCA to lawfully disclose confidential information to certain persons and bodies specified in these Regulations. The PRA and the FCA are able to disclose information to EEA and non-EEA regulatory authorities only for the purpose of the discharge of the functions of those authorities as regulatory authorities. So the PRA/FCA must take steps to ascertain that a possible recipient will only use the information for those purposes, in order to satisfy themselves that they have power to share the information. The confidential information restrictions in S348 FSMA then apply to any recipient of the information (they follow the information around, so to speak). Persons or bodies to whom the PRA or FCA discloses confidential information are subject to the restrictions set out in S348 FSMA. In the EEA, supervisors are also subject to the restrictions on the use and disclosure of confidential information received from another authority which are set out in the single market directives, such as the CRD IV or the EU BRRD. As regards non-EEA authorities, the terms of the MoUs typically stipulate that confidential information disclosed by the disclosing authority may only be used by the recipient authority for supervisory purposes, and contain terms relating to the confidential treatment of that information by the recipient authority. |
| EC 4 | The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. |
| Description and findings re EC 4 | CRD Arts. 53–62 address exchange of information and professional secrecy for prudential supervision. Art. 54 of CRD states that authorities receiving confidential information from NCA and auditors shall use it only in the course of their duties and only for any of the following purposes: (i) to check that the conditions governing access to the activity of credit institutions are met and to facilitate monitoring, on a non-consolidated or consolidated basis, of the conduct of such activity, especially with regard to the monitoring of liquidity, solvency, LE, and administrative and accounting procedures and internal control mechanisms; (ii) to impose penalties; (iii) in an appeal against a decision of the competent authority including court proceedings; and (iv) in court proceedings initiated pursuant to special provisions provided for in Union law adopted in the field of credit institutions. Art. 57 details the capacity of information exchange with members and non-member authorities responsible for liquidation, protection schemes, and auditors. Art. 59 details that information can be transmitted to parliamentary enquiry committees, courts of auditors, and other entities in charge of enquiries in the MS, under certain conditions (proper mandate, need to know, professional secrecy requirements, agreement of the originating NCA). Information obtained from onsite inspections cannot be disclosed without the express consent of the NCA who performed the inspection. The PRA and FCA (in common with other public bodies in the United Kingdom) make available to the public information relating to their regulatory functions. This is subject to two important exemptions. First, personal data is excluded; it continues to be subject to the Data Protection Act 1998 regime. Secondly, information subject to statutory restrictions on disclosure is excluded. This includes confidential regulatory information, as defined in S348 of FSMA, which is not publicly available (see also response to EC 3). FSMA and the FSMA (disclosure of confidential information) Regulations do not impose an obligation on the PRA or FCA to disclose particular information to other bodies (except when regulatory action or litigation is being taken under or for the purposes of FSMA). The PRA and FCA are however under a statutory duty to co-operate (including the sharing of information) with overseas regulators and with other persons in relation to the prevention and detection of financial crime. In these Regulations, Regulation 4 sets out the cases in which disclosure may be made for criminal proceedings and investigations, while Regulation 5 sets out the cases in which disclosure may be made in civil proceedings. Essentially, disclosure in the latter is permissible only in cases which relate to the statutory functions of the PRA and FCA. The PRA would strongly resist disclosure and as a matter of courtesy the PRA would, where appropriate, let a supervisory authority know where information had been disclosed and circumstances surrounding that disclosure. Where the information comes from an EEA competent authority, the PRA would regard notification of onward disclosure as falling within the obligation on competent authorities to cooperate closely with each other under Art. 117 CRD. In cases where the PRA is required to disclose such information, the PRA can request that the information be heard by the court in camera. |
| EC 5 | Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. |
| Description and findings re EC 5 | BRRD sets the framework for interaction between competent and resolution authorities in recovery planning (Arts. 6 and 8), resolution planning (Arts. 11 and 14), early intervention (Art. 27), assessment of conditions for resolution (Art. 32 and EBA guidelines on determination of failing or likely to fail), notifications obligations (Art. 81), and resolution colleges (Art. 88). For cooperation with nonmembers, Art. 88 says that the resolution authorities of third countries where a parent undertaking or an institution established in the Union has a subsidiary institution or a branch that would be considered to be significant “were it located in the EU” may, at their request, be invited to participate in the resolution college as observers, provided that they are subject to confidentiality requirements equivalent, in the opinion of the group-level resolution authority, to those that apply to EEA authorities. Art. 90 establishes that information provided by third-country resolution authority can only be transmitted onward with the consent of the third-country resolution authority. Arts. 93–98 establish cooperation with non-EU countries. Art. 97 establishes the cooperation with third-country authorities regarding resolution, which allows EBA to conclude non-binding arrangements with foreign authorities, based on which individual resolution authorities or NCAs may conclude non-binding cooperation arrangements with these countries. Member countries must notify EBA of arrangements with third-country authorities. The EU resolution authorities may refuse to recognize enforcement of non-EU member countries resolution proceedings if there are adverse effects on financial stability, adverse fiscal effects in the EU, or if depositors in the EU would not receive the same treatment as the depositors in the non-EU country. (Art. 95). The United Kingdom implemented the requirements of the BRRD from January 1, 2015. The BoE as the U.K. resolution authority has the responsibility for the resolution of a failing bank, building society and certain investment firms and their group companies, under the Banking Act 2009.33 The resolution regime covers PRA-regulated firms and certain FCA-regulated investment firms incorporated in the United Kingdom. The regime sets out the objectives that the BoE must pursue when it carries out a resolution, as well as the formal responsibilities under the Act to consult the other U.K. authorities—the PRA, the FCA, and HMT—when placing a firm into the resolution regime and when choosing which of the regime’s tools to use. The Act provides a clear framework for use of the regime, with defined roles for each authority. In practice, all of the authorities will co-operate closely both in the run up to, and during, a failure. The roles are:
A core aspect of the PRA’s approach is to ensure preparedness for either recovery or resolution of a failing firm.34 The PRA’s rules help the BoE in its role as the resolution authority by requiring firms to provide key data to be used in resolution plans which will set out how the firm will be resolved in an orderly manner without causing systemic disruption. The assessors reviewed an MoU meant to facilitate rapid info exchange and cooperation and liaison, to address info sharing in crisis/emergency situations between supervisory authorities for recovery and resolution planning purposes (bilaterally and/or through any Crisis Management Group (CMG) to which both parties are members and at least one party is the home authority); to offer mutual support in the supervision of branches (in particular, in relation to home state supervision of recovery and resolution plans). |
| Assessment of Principle 3 | Compliant |
| Comments | The U.K. authorities appear to have established fairly effective cooperation and collaboration arrangements between domestic authorities; this, in particular, has allowed to mitigate the feared coordination failures generated by the switch from a single supervisor (the FSA) to the twin-peak regulatory architecture (PRA and FCA). International cooperation has also progressed both at bilateral (MoUs) and multilateral level (colleges of supervisors, CMG, and resolution groups). |
| Principle 4 | Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. |
| Essential criteria | |
| EC 1 | The term “bank” is clearly defined in laws or regulations. |
| Description and findings re EC 1 | Although legislation does not define the term “bank,” the FSMA 2000 (Regulated Activities) Order 2001 (“FSMA 2000”) sets out definitions of activities subject to regulation under the Act, including the acceptance of deposits. So while the relevant legislation does not define the term “bank,” it does define activities that are subject to regulation. For more detail, the PRA Rulebook’s Glossary does define a bank as “(i) a firm with a part 4A permission to carry on the regulated activity of accepting deposits and is a credit institution, but is not a credit union, friendly society, or a building society; or (ii) an EEA bank.” |
| EC 2 | The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. |
| Description and findings re EC 2 | FSMA 2000 (Regulated Activities) Order 2001 defines activities subject to supervision, including the acceptance of deposits. The PRA supervises all banks and building societies under its authority using the same prudential regulatory regime, though some differences may exist in terms of what applies to each kind of institution. The PRA applies a special prudential regime to credit unions, which is outlined in the Credit Union Sourcebook. |
| EC 3 | The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. |
| Description and findings re EC 3 | Under the Companies Act 2006 and “Company, Limited Liability Partnership and Business Names (Sensitive Words and Expressions) Regulation” 2014, any use of the word “bank” or a derivative thereof requires review by the FCA, which has the ability to reject the use of the name “bank” or a derivative in a firm’s name if it could create confusion for the public. |
| EC 4 | The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.35 |
| Description and findings re EC 4 | All institutions with the ability to accept deposits are subject to supervision by the PRA. Any institution seeking to take deposits from the public must receive permission under Part IV of FSMA 2000 or be exempt from that requirement. As an example of the latter case, firms chartered in EEA jurisdictions as banks are permitted to establish a branch in the United Kingdom or to provide cross-border banking services under the “passporting” regime within EU law. |
| EC 5 | The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. |
| Description and findings re EC 5 | The PRA and FCA maintain the Financial Services Register as a public record that shows details of firms, individuals and other bodies that are, or have been, regulated by the PRA and/or the FCA. Separately the PRA publishes lists of banks and building societies and branches of foreign banks on a monthly basis on its website. |
| Assessment of Principle 4 | Compliant |
| Comments | Although the name “bank” is not defined in U.K. laws, the use of this name and the related concept of “building society” are strictly controlled through legislation and the PRA’s and FCA’s rules. Accepting deposits is clearly identified as an activity requiring authorization, and only firms authorized to accept deposits may use the name “bank” or “building society.” Consequently, U.K. authorities are in compliance with this core principle. |
| Principle 5 | Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base).36 Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. |
| Essential criteria | |
| EC 1 | The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. |
| Description and findings re EC 1 | The PRA is the authorizing agency and is the lead regulator in the U.K. Institutions seeking to engage in an activity regulated by the PRA and FCA must apply to the PRA for authority to do so under S55A (2) of FSMA 2000. The PRA can approve an applicant only with the consent of the FCA and the application is managed jointly by both agencies. Since the date of the transfer of authority from the legacy FSA to the PRA and FCA (April 1, 2013, also known as the “legal cutover date”), 13 banks have received either authorization to provide services as a new bank or variations of existing authorizations; of these successful applications, three were authorizations for non-U.K. banks to establish branches in the United Kingdom. An exception exists for EEA banks that operate in the United Kingdom through a local branch on a European “passport” and that have a home regulator from another EEA member jurisdiction. Such firms are automatically authorized to do business in the United Kingdom under Schedule 3 to FSMA 2000 once the firm has completed the necessary notification procedure. As part of the authorization process, either the PRA or the FCA may impose conditions or limitations that become binding at the point of authorization. After a firm receives authorization to conduct regulated activities in the United Kingdom, both the PRA and the FCA have the power to remove or amend the firm’s Part 4A permission to receive deposits. These conditions or limitations can be exercised by either supervisor after consulting with the other U.K. regulator. Part XIII of FSMA 2000 provides a separate regime for the imposition of requirements or restrictions on passported firms, though this power is generally limited by the allocation of responsibilities to the home state regulator. |
| EC 2 | Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. |
| Description and findings re EC 2 | For an applicant to receive Part 4A permi ssion to accept deposits and therefore become a bank, the applicant must meet five “Threshold Conditions” set by the PRA and another four set by the FCA; together, these conditions and supporting requirements form the criteria for licensing banks. Each supervisor decides whether the applicant firm meets its individual set of Threshold Conditions; the PRA makes the final decision on the application after the FCA has given its consent to the PRA to authorize the applicant. The
The FCA’s Threshold Conditions for banks are comprised of the following:
Some overlap exists between the two agencies’ criteria, and the FCA has indicated that its approach will have due regard to its statutory objectives to protect consumers; protect and enhance the integrity of the U.K. financial system; and promote effective competition in the interest of consumers. If information on an application is deemed to be knowingly false, the PRA can cancel a firm’s Part 4A permission under S55J(1)(c)(ii) FSMA 2000. Assessors reviewed two examples of the FCA’s communications to the PRA providing its consent to approve applicants’ authorizations, including an example of the FCA’s consent to approve an application subject to specific conditions or limitations. Assessors reviewed as well an internal PRA document outlining a new bank authorization and summarizing the PRA’s and the FCA’s analysis, as well as examples of actual Approved Persons Assessments and Recommendations Memos for firms seeking authorization. These documents gave the assessors greater insight into the U.K.’s authorization process and suggested that the two supervisory agencies do rely on the criteria outlined above in evaluating applications. |
| EC 3 | The criteria for issuing licenses are consistent with those applied in ongoing supervision. |
| Description and findings re EC 3 | Under FSMA S513(3), firms must meet the Threshold Conditions when first seeking authorization and then on an ongoing basis. Assessors reviewed examples of New Bank and New Branch Authorization Assessments and Recommendation Papers detailing the PRA’s internal review, including assessing compliance with the PRA’s Threshold Conditions and noting FCA’s conclusions. |
| EC 4 | The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.37 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. |
| Description and findings re EC 4 | Both the PRA’s and the FCA’s Threshold Conditions include provisions that both regulators must be satisfied in respect of the controllers and “close links”38 to the applicant, and that those close links do not prevent effective supervision of the applicant on either a solo or consolidated basis. This forms the basis of the assessment of the ownership structure of the bank. Both regulators also assesses the close links the firm has with other entities. As noted above under EC 3, firms must meet these Threshold Conditions both upon authorization and then on an ongoing basis. The EBA is currently developing regulatory standards to specify what obstacles constitute a barrier to effective supervision, as required under Art. 8(2) of CRD IV. |
| EC 5 | The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. |
| Description and findings re EC 5 | The EBA’s guidelines address the suitability of major shareholders in paras. 1–2 of Art. 14 of CRD IV. Major shareholders are defined in the EBA’s guidelines as those who have qualifying holdings or, if no qualifying holdings exist, the twenty largest shareholders. In the United Kingdom, the “Threshold Conditions” for the PRA and FCA require the assessment of controllers and “close links” (defined in EC 4 above) to an applicant firm to evaluate the transparency of its ownership structure. Neither the EBA nor the U.K. supervisors have issued guidance specific to the suitability of ultimate beneficial owners. Instead, the EBA and U.K. supervisory agencies reference requirements (set out in the CRD and in future RTS) to evaluate the suitability of major shareholders of a company or any entity or individual who is to become a shareholder, which could include ultimate beneficial owners. In the United Kingdom, if a major shareholder, or a beneficial owner, does not meet the criteria, they may not maintain a controlling interest in the firm and ultimately the firm may fail to meet the threshold condition for suitability (Threshold Condition, para. 5E).39 The assessors reviewed licensing applications containing an analysis of controllers and close links (and of their other relevant holdings), intelligence information on the applicants and an analysis of the nature and source of capital resources. |
| EC 6 | A minimum initial capital amount is stipulated for all banks. |
| Description and findings re EC 6 | PRA applies the minimum required capital of GBP 5 million (Art. 12, CRD), with limited exceptions, as permitted under EU rules, for “small specialist banks.” |
| EC 7 | The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.40 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. |
| Description and findings re EC 7 | Under the “Threshold Conditions,” the PRA and FCA must be satisfied that non-financial resources (e.g., Board members) possess the requisite skills, knowledge, and experience relative to the business model of the firm and the ExCo’s structure and composition. In addition, both regulators have the power under FSMA S59 to require individuals in identified roles with a significant influence on the affairs of a firm (SIF roles) to seek approval before taking up their position. Such individuals are known as ‘Approved Persons.’ Approval is granted only if the PRA as prudential regulator and the FCA as conduct regulator are both satisfied that an individual is fit and proper. PRA SIF roles include all members of a firm’s Board, and the heads of the finance, risk and internal audit functions. The PRA and FCA consider the collective skills, knowledge and experience of a prospective firm’s management body to determine whether the firm has adequate resources. A draft SS issued for consultation in May 2015 underscores the collective responsibilities shared by Board members; it’s been published in its final version in March 2016. FSMA also gives the regulators power to dictate which factors determine an individual’s fitness and propriety (S61), and to issue statements of principle and a Code of practice that will apply to individuals performing the functions specified under S59. The fit and proper test for approved persons (‘fit’ as defined in the PRA Rulebook) sets out the minimum standards for becoming and remaining an approved person at a regulated firm. Each individual that performs a “Controlled Function” is assessed and approved if they meet the following ‘fit and proper’ criteria:41
|
| EC 8 | The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.42 |
| Description and findings re EC 8 | The PRA and FCA require firms to submit a 5-year business plan. They also consider plans to outsource any functions and what controls the firms will place over those arrangements. FCA also considers controls and systems in place, competence of management, and adequacy of AML policies and procedures. |
| EC 9 | The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. |
| Description and findings re EC 9 | Supervisors require 5-year financial forecasts, own assessments of capital required (stress testing), source of funds to support business activities, liquidity needs, and financial information on principal shareholders. |
| EC 10 | In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. |
| Description and findings re EC 10 | PRA and FCA have full powers and responsibilities over subsidiaries of overseas firms (whether EEA or non-EEA), and those firms must meet all Threshold Conditions. For branches of EEA banks, those firms can “passport” deposit-taking activities into the United Kingdom without an authorization necessary from U.K. authorities. The authorized firm must inform its home country supervisor, and the home supervisor may object to a firm’s passporting into another EEA MS if it doubts the administrative structure or financial situation of the firm. The home country supervisor must inform the firm and the relevant host country authorities of its decision within three months. For U.K. branches of non-EEA banks, the PRA evaluates equivalence of home country regulator and, if not judged equivalent, will refuse authorization for a branch. Where judged equivalent, the PRA collaborates with the home country supervisor through supervisory colleges. Annual updates are required on applicant’s ability to meet prudential standards. |
| EC 11 | The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. |
| Description and findings re EC 11 | Bank must continue to meet Threshold Conditions and other rules and requirements set out in the PRA Handbook and Rulebook. Supervision can be intensive and not risk-based for up to five years. FCA approach is judgment-based and pre-emptive, depending on three pillars:
|
| Assessment of Principle 5 | Compliant |
| Comments | Based on a review of the United Kingdom and the EBA’s self-assessments for these criteria, subsequent questions raised with U.K. supervisors, and a review of sample licensing evaluations and decisions, U.K. supervisors are found to be compliant with Principle 5 regarding licensing. While neither the European nor U.K. requirements specifically identify separate processes for evaluating the compliance of ultimate beneficial owners with European and U.K. rules, the licensing applications reviewed by the assessors revealed that the analysis of the applicants is adequately deep and thorough (see EC 5). |
| Principle 6 | Transfer of significant ownership. The supervisor43 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. |
| Essential criteria | |
| EC 1 | Laws or regulations contain clear definitions of “significant ownership” and “controlling interest.” |
| Description and findings re EC 1 | Relevant laws and regulations promulgated by the EU have not offered a definition of “significant ownership.” The EBA notes that the EU has defined a “qualifying holding” as a direct or indirect holding in an undertaking that represents 10 percent or more of the capital or of the voting rights or that enables the holder to exercise a significant influence over the management of the undertaking (Art. 4(1)(36) of Regulation EU/575/2013 (CPR)). Art. 22B states further that a NCA may not set a notification or approval requirement that is more stringent than what is set out in the Directive. The U.K. regulations do define “significant ownership” and “controlling interest” in FSMA 2000, which sets out definitions for “control” based on the following guidelines:
|
| EC 2 | There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. |
| Description and findings re EC 2. | Under S178 of FSMA 2000, a person who decides to acquire or increase control over an authorized firm must give the PRA notice of its intention to acquire and obtain approval before it acquires or increases control. This notification concerns both changes in beneficial ownership (shareholding changes) and voting rights that could be held either directly or indirectly through parent and subsidiary undertakings. Failing to obtain approval prior to making an acquisition can constitute a criminal offense under U.K. law. Notification regarding increases in control requiring approval as ownership increases from one category to the next:
A person who decides to increase control over an authorized firm must give PRA notice of intention to increase control over that firm. Assessors reviewed examples of the PRA’s “Change in Control: Assessment and Recommendation Memos” that outlined the analysis conducted, including a review of how the authorization would alter ownership of the company, and found the examples indicative of the process described above. |
| EC 3 | The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. |
| Description and findings re EC 3 | The PRA may object under S186 of FSMA 2000 to the acquisition or ongoing ownership (meaning holdings above 10 percent or via significant influence) by a “controller” on the following grounds:
The FCA evaluates the effect that a proposed transaction may have on customers to ensure that the acquiring bank maintains or develops appropriate customer contact at the outset and that interactions with customers are appropriate. If it was determined that the change in control/significant ownership was based on false information, the PRA may deem this as evidence that the person does not have the required reputation to be a controller of a U.K.-regulated bank. |
| EC 4 | The supervisor obtains from banks, through periodic reporting or onsite examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. |
| Description and findings re EC 4 | Annual reporting is required of all controllers and close links44 as well as regarding possible changes in controllers and close links. As noted under Principle 5, EC 5, neither the EBA nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners. Instead, the EBA and U.K. supervisory agencies reference requirements (set out in the CRD and future RTS) regarding major shareholders of a company or any entity or individual who is to become a shareholder, which could include ultimate beneficial owners. Consequently, beneficial owners would be subject to scrutiny similar to other shareholders. In addition, banks are required to notify the PRA when they become aware of potential changes in their controllers or close links. The assessors found evidence of PRA analysis of change in control applications, with an appropriate drill-down into the legal structure of the acquiring entity up to the ultimate legal owners, and also of verifications (from open and closed sources) on the individuals and the families at the top of the controlling chain, all aimed at ensuring adequate information about all persons and entities in a position to exercise control over the target of the acquisition. |
| EC 5 | The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. |
| Description and findings re EC 5 | Under S191A of FSMA 2000, the PRA may object to a person’s control over a U.K. authorized firm and in some cases may launch criminal proceedings if the controller failed to seek approval in advance of a change; acquired control after receiving a “warning notice;” or breached an interim order. It is a criminal offense to acquire or increase control in an authorized firm without notifying the PRA first. Similarly, the PRA has the power under S191B to issue a “restriction notice” modifying the way in which control is exercised (e.g., prohibiting the voting, payment of dividends, or disposal of shares); this notice follows a warning notice objection to a controller. The PRA likewise can apply to the court for an order for the sale of shares following an objection to control under S191C. In addition, it is a criminal offence under S191F of FSMA 2000 to acquire or increase control without notifying the PRA first. |
| EC 6 | Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
| Description and findings re EC 6 | Under “Fundamental Rule” 7, firms must deal with the supervisor in an open and cooperative way and must disclose anything to the PRA for which the PRA would “reasonably expect” notification. This could include, for example, a development related to a controller that would call into question the controller’s integrity. A similar rule applies to the FCA. |
| Assessment of Principle 6 | Compliant |
| Comments | Based on a review of the U.K. authorities’ self-assessment, discussions with representatives of the authorities, and a review of sample analyzes made available to assessors during the review, U.K. authorities are in compliance with the core principal regarding the transfer of significant ownership. As noted under Principle 5, neither the EBA nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners. However the analysis of change in control applications revealed that the PRA requires adequate information about all persons and entities in a position to exercise control over the target of the acquisition. |
| Principle 7 | Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. |
| Essential criteria | |
| EC 1 | Laws or regulations clearly define:
|
| Description and findings re EC 1 | Chapter 2 of the Notifications Part of the PRA Rulebook requires that a firm give the PRA notice of: “(1) any proposed restructuring, reorganization or business expansion which could have a significant impact on the firm’s risk profile or resources, including, but not limited to: (a) setting up a new undertaking within a firm’s group, or a new branch (whether in the U.K. or not)…” While the detailed example refers to the establishment of a new undertaking, by analogy, failure to notify the PRA of any acquisition of another operating entity is likely to contravene the more general notification requirements. The same chapter also imposes an obligation of notification for “any action which a firm proposes to take which would result in a material change in its capital adequacy or solvency, including, but not limited to: (a) any action which would result in a material change in the firm’s financial resources or financial resources requirement.” Following the notification of an acquisition, the PRA can decide to prevent it, based on its statutory power to impose requirements on a bank, including a requirement to refrain from taking a specified action (S55M and 55N(1)(b) of FSMA. This power can be used to require a firm not to make a proposed acquisition or investment. Under S55M(7), the PRA must consult the FCA before imposing or varying a requirement. The PRA can therefore prevent an acquisition or investment if it judges that the acquisition or investment would be likely to lead to the failure of any Threshold Condition or if preventing the acquisition or investment would advance any of the PRA’s statutory objectives (including the safety and soundness of a PRA-authorized entity, which is the first of the PRA’s statutory objectives). U.K. supervisors have gone through this process once regarding a major acquisition in the past five years, namely in the case of Barclays seeking to acquire ING Direct. The assessor had access to the documentation regarding this operation and could verify that it was subject to intense scrutiny, in particular with respect to the adequacy of the acquirer’s financial resources. The supervisor’s judgment is backed up by prescribed criteria provided in explanations of what firms need to achieve in order to meet Threshold conditions and also a clear statement of the PRA’s objectives. Similar powers are given to the FCA under S55L. If the target entity is a bank, the acquirer must also obtain prior approval (see CP 6). |
| EC 2 | Laws or regulations provide criteria by which to judge individual proposals |
| Description and findings re EC 2 | The U.K. supervisors may impose requirements should a firm face a risk of failing to meet Threshold Conditions, especially regarding prudence; suitability; and the ability to supervise a new entity effectively (Threshold Conditions 3, 4, and 5, respectively). |
| EC 3 | Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.45 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. |
| Description and findings re EC 3 | PRA has statutory powers to intervene and prohibit an investment or acquisition if a firm might fail or be likely to fail to meet Threshold Conditions 3 (business must be conducted in a prudent manner), 4 (firm must be fit and proper) and 5 (firm is able to be supervised effectively). |
| EC 4 | The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. |
| Description and findings re EC 4 | The U.K. supervisors must determine the adequacy of financial and non-financial resources available to a firm to meet Threshold Condition 3 (prudence). |
| EC 5 | The supervisor is aware of the risks that nonbanking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. |
| Description and findings re EC 5 | Under Threshold Condition 3, a bank must have sufficient financial and non-financial resources to manage all risks to its safety and soundness. If resources are lacking, the supervisors may impose restrictions. If the supervisor considers that the bank does not have (or may not have in the future) the means to mitigate risks to its safety and soundness, the supervisor can mitigate these risks by imposing a requirement on the bank. Such a requirement would include preventing investment in a nonbanking activity (S55N(1)(b) of FSMA 2000). |
| AC 1 | The supervisor reviews major acquisitions or investments by other entities in the banking group to determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.46 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments. |
| Description and findings re AC1 | Under Threshold Conditions 3 and 5, the supervisors must review other acquisitions to ensure that the banking group maintains compliance with those requirements. Threshold condition 3 (“business to be conducted in a prudent manner”) requires a supervisor to consider a bank’s “membership of a group and any effect that membership may have” when determining the risks to which a bank is exposed.47 Threshold Condition 5 (“effective supervision”) requires a supervisor to consider whether a bank’s membership of a group “is likely to prevent the PRA’s effective supervision” of the bank.48 The supervisor therefore must review major acquisitions or investments by other entities in a banking group to make sure that these do not expose the bank to any undue risks or hinder effective supervision. To date, U.K. authorities have not yet had a case in which a U.K.-authorized bank was reviewed because another entity in the group made a major acquisition or investment. The authorities report that enhanced capital and liquidity requirements are in place for some firms due to their inclusion in a group. Threshold Condition 3 also requires a bank to be able to comply with requirements imposed or likely to be imposed on the bank by the PRA in the exercise of its functions. This means that the supervisor has to determine that any new acquisition or investment by another entity in the group does not hinder effective implementation of corrective measures in the future. The powers over ‘qualifying parent undertakings’ (i.e., U.K.-based parent companies of U.K.-authorized entities that are not themselves authorized entities) granted to the PRA and the FCA by the Financial Services Act 2012, can also be used in case of major operations conducted by a bank’s parent, as they allow the regulators to give directions to such undertakings, requiring them to take specific actions or to refrain from taking specific actions. |
| Assessment of Principle 7 | Compliant |
| Comments | While the U.K. legislation does not define the term ‘major acquisition,’ it sets forth notification requirements that result in an expansive definition: all firms supervised by the PRA must give the PRA notice of any proposed business expansion which could have a “significant impact on the firm’s risk profile or resources,” as well as of any action which a firm proposes to take which would result in a “material change in its capital adequacy or solvency, including, but not limited to, in the firm’s financial resources or financial resources requirement.” These criteria apply to any operation of significant impact, be it the acquisition of a bank or nonbank, EU or non-EU. Once notified, U.K. authorities have (especially through the application of the “threshold conditions”) the necessary powers to approve or reject requests to undertake major acquisitions that raise concerns about the risk that may result or the authorities’ abilities to supervise the firms. The supervisor must review major acquisitions or investments also by other entities in a banking group, to make sure that these do not expose the bank to any undue risks or hinder effective supervision. |
| Principle 8 | Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess, and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. |
| Essential criteria | |
| EC 1 | The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact, and scope of the risks:
The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. |
| Description and findings re EC 1 | No legislation sets out a specific methodology for determining and assessing a firm’s risks within the EU. NCAs are expected to develop their own approaches for assessing the risk profiles of individual firms. The legal basis for supervisors within the EU to review and evaluate firms is based on the CRD, which—in turn—the EBA has detailed through comprehensive procedures and methodologies for supervisory review and evaluation process (SREP) (EBA/Guideline (GL)/2014/13). SREP sets out four areas for analysis, namely (i) business model analysis; (ii) assessment of internal governance and institution-wide control arrangements; (iii) assessment of risks to capital and adequacy of capital to cover these risks; and (iv) assessment of risk to liquidity and adequacy of liquidity. The EBA SREP guidelines, which are based on a ‘comply or explain’ approach, take effect from January 2016; the PRA has committed to comply.49 The PRA’s approach to supervision depends on supervisors’ judgment, but prescribes a structure for evaluating relevant issues and forming judgments related to risks facing individual firms as well as risks that firms pose to the broader safety and soundness of the financial system. Three areas of focus comprise the PRA’s risk framework:
In terms of its methodology, applied to all banks, the PRA scores 8 elements (generally on a scale of 1 to 10) for each firm. The eight elements can be broken up into five groups of considerations, namely the “gross risk” associated with a particular firm; the “risk context” in which the firm operates; the “operational mitigation” a firm has in place to reduce the gross risks; the “financial mitigation” a firm achieves through its balance sheet resilience; and the “structural mitigation” against risks that a firm’s legal and operational organization may provide. Gross risk
Risk context
Operational mitigation
Financial mitigation
Structural mitigation
The PRA’s supervisory approach varies the frequency and intensity of supervisory activities based on a firm’s potential impact on financial stability; its proximity to failure (reflecting the PRA’s risk model and the PRA’s PIF); and its resolvability. For larger firms (Category 1 to 3), the PRA conducts this work through ongoing reviews, though the PRA does not necessarily evaluate each element each year. The supervisory cycle includes a “periodic summary meeting” (PSM) in which the scores for a firm are reviewed and capital and liquidity guidance is set; and a mid-point review for Category 1–4 firms. For Category 4 and 5 firms (the smallest), the PSM may encompass a group of firms simultaneously. Assessors had an opportunity to review documents prepared for past PSMs and mid-year reviews of firms in each Category from 1 to 5, and to meet with supervisors and others who participate. The FCA, in turn, operates a supervision approach that varies depending on a series of measures primarily related to the size of the firm. At the time that U.K. authorities submitted the BCP Self-Assessment, the FCA had assigned all firms to one of four impact categories, the first two of which required the FCA to undertake individual evaluations of the firms. Toward the end of 2015, the FCA changed its approach and now divides up all firms subject to its supervision into two categories rather than four. The new categories are based on the size, market presence, number of customers, and other characteristics. The first Category is called the “fixed portfolio,” which consists of firms for which the FCA appoints a named supervisor who oversees the FCA’s supervision of that firm. FCA staff confirmed that, at the time of the assessment, 26 banks, out of a total of approximately 110 firms, qualified for inclusion in the “fixed portfolio” Category. The remaining firms—which constitute the vast majority of firms supervised the FCA—form the “flexible portfolio” category, in which a specific supervisor is not assigned to oversee the FCA’s supervision. These firms are supervised in various ways, including through: thematic work; education and engagement; baseline monitoring; and through dealing with crystallized risk that exceeds the FCA’s risk appetite. For banking organizations that are subject to supervision on an individual basis by the FCA, the FCA’s approach includes a “firm evaluation,” which considers the nature and extent of risks that a firm poses to the FCA’s statutory objectives. The firm evaluation includes an analysis of 10 underlying risk groups, which include the external environment; the business model and strategy; the effectiveness of management and conduct culture; the effectiveness of front line functions; the client asset and financial crime framework; the effectiveness of governance and control functions; and prudential risk, among others. |
| EC 2 | The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. |
| Description and findings re EC 2 | To understand the risk profiles of the firms subject to its supervision, the PRA seeks to conduct assessments on a continuous cycle that increases in frequency and intensity commensurate with a firm’s potential impact on financial stability. The process nonetheless appears to be most developed for the largest systemically important firms (Category 1) than for the majority of firms, as the intensity and frequency of reviews, as well as the availability of expert supervisory resources—is greatly constrained for Category 2–5 firms (the majority). Even for Category 1 firms, the frequency and depth of probes can be more limited that the “CA” supervisory model may suggest, and U.K. authorities acknowledged that all eight elements of the PRA risk model may not be assessed in detail every year for Category 1–3 firms. While all elements of the PRA risk model are reviewed at least twice per year (in line with the PSM and the subsequent mid-year review), PRA supervisors note that detailed field work covering a Category 1 firm’s management of operational risk can require up to three years to evaluate all major areas of focus. Likewise, as noted elsewhere under CP 18, reviews of asset quality at Category 1 firms involve testing of actual loans and exposures, but the number of files reviewed can vary significantly. The overall process for evaluating a firm’s risk profile includes, among other components, reviews of a firm’s business models as well as evaluations of its capital. To establish a forward-looking view on the viability of a firm’s business model, the PRA requires firms to submit business plans for the next three to five years. Supervisors then evaluate the risks associated with these plans, seeking to understand how the firms generate profits; what issues could threaten their viability; what the firms’ potential to fail is; and what areas require additional review. To ensure that a firm has sufficient capital relative to its risk profile, the PRA conducts a SREP and considers risks that are not mitigated or not fully mitigated under the CRR (“Pillar 2A”) and risks to which the firm may become exposed in the future (“Pillar 2B”). In the course of its deliberations, the PRA evaluates the size of the Pillar 2A and Pillar 2B capital that a firm may hold and considers whether additional capital should be required. Supervisors may also apply temporary increases in capital requirements—called “scalars”—to cover unexpected losses that could arise from weaknesses that the firm has not yet mitigated. The PRA considers analyzes of a firm’s risk profiles, its individual risk elements, and all supervisory concerns are discussed at a PSM. At the PSM, the PRA’s relevant senior managers agree on the scoring of the risk elements, the individual capital and liquidity guidance that will be required of a firm, and the supervisory strategy for the firm going forward. |
| EC 3 | The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. |
| Description and findings re EC 3 | To assess compliance with Prudential Regulations and other legal requirements, the PRA undertakes “baseline monitoring” for all firms. This monitoring program includes reviewing regulatory returns from firms as well as other data gathered by the PRA in its supervision. The PRA employs automated surveillance systems that generate alerts and require supervisors to evaluate the issue(s) triggering the alert(s) and document decisions arising from the issues within 10 days. Baseline monitoring of regulatory returns is the primary way in which smaller firms (Category 3–5) are supervised. The U.K. authorities note that a “responsive” supervisory approach is adopted for these firms, with greater dependence on automated monitoring tools. For larger firms, such as Categories 1–3 firms, but also for smaller firms as required, the PRA may request additional information such as audit, Board packs, Asset-Liability Committee (ALCO) and risk committee reports, plus planned meetings. For firms posing greater risks to U.K. financial stability, the PRA’s baseline monitoring includes a planned schedule of meetings with senior managers and control function heads. The FCA, in turn, does regulate prudentially certain entities within banking groups and requires those firms to provide regular information in the form of regulatory returns to gain insight into compliance with rules such as the “Threshold Conditions.” The FCA coordinates its work with the PRA, which is the consolidating supervisor for all U.K. banking groups. In addition to its baseline monitoring and requests for additional documents, the PRA and FCA expect firms to report relevant issues as part of the “Fundamental Rules” and “Principles for Business.” For example, the PRA’s Fundament Rule 7 prescribes that “a firm must deal with its regulators in an open and cooperative way, and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.” |
| EC 4 | The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. |
| Description and findings re EC 4 | “External context” is scored as part of the annual PRA risk model, for which macroeconomic issues are taken into account. The PRA draws on work prepared by other areas of the BoE, including the views of the FPC; sectoral analyzes; or insight gathered by the market intelligence function, as examples. To take cross-sectoral issues into account, the PRA relies on its governing Board, whose membership is designed explicitly to ensure that the PRA’s strategy reflects the macroeconomic environment. The Governor of the BoE serves as chair of the PRA Board, as well as of the FPC and of the MPC, and the Deputy Governors for Markets and Banking and for Financial Stability likewise sit on all three groups. The Chief Executive of the FCA serves on the PRA Board as well. In terms of cross-sectoral developments, the chief executive of the PRA sits on the FPC and receives briefings on U.K. and international economies as well as insight into the nonbank sector. A reorganization of the BoE in 2014 furthermore sought to ensure that the three policy-setting committees benefit from the expertise of staff across the BoE. In addition, the annual stress testing that the PRA and FPC run jointly may help to capture macroeconomic risk. |
| EC 5 | The supervisor, in conjunction with other relevant authorities, identifies, monitors, and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. |
| Description and findings re EC 5 | Within the BoE, the FSSR Directorate provides support to the FPC and is responsible for identifying and evaluating risks arising from across the financial services sector. This includes: conducting a financial stability risk assessment and research across all sectors and markets; providing support to microprudential supervisors; identifying policy responses, including what macroprudential instruments the BoE may need and designing the strategy for their use; and delivering and developing the BoE’s stress testing framework. The FSSR produces a “quarterly risk pack” that focuses on trends and concentration of risks in the United Kingdom; quarterly capital and liquidity packs; a quarterly large exposure (LE) pack; and notes on special subjects. These notes are used more specifically for major U.K. banks. Supervisors review regularly capital and liquidity information for their firms; for smaller firms (Categories 4 and 5), these reviews may be done on a peer group basis. Overall, risks and trends within sectors and across the banking system are assessed by supervisors as part of the “External Context” element of the PRA risk framework, and key issues relevant to specific firms are identified in the annual PSMs and mid-year reviews. Significant risks and trends are communicated to relevant firms through a “Dear CEO” letter, and more broadly significant risks and trends are communicated via the bi annual FSR and speeches by the BoE and PRA staff. |
| EC 6 | Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. |
| Description and findings re EC 6 | The U.K. authorities are not seeking a “zero failure rate,” and they instead seek to avoid disorderly failures that might otherwise disrupt the supply of critical functions. To do so, the PRA collaborates with the BoE’s RD to ensure that a firm’s failure will not have a significant impact on the supply of financial services. Resolution is assessed as an element of the PRA risk model, and the PRA’s SS19/13 outlines what is required for a “resolution pack.” Both the PRA and the BoE have statutory objectives requiring action to ensure that institutions are resolvable, and can therefore be resolved in an orderly way, and an annual assessment of resolvability is required under law. The U.K. authorities consider an institution to be resolvable if the BoE finds that it is feasible and credible to take resolution action (using its stabilization powers) or it can pursue insolvency proceedings against an institution while avoiding any significant adverse effect on the financial system of any EEA sate or the continuity of the institution’s critical functions. The BoE determines the preferred resolution strategy, and the PRA contributes by helping to verify information submitted by the firm. The BoE coordinates resolution planning on a cross-border basis through CMGs. After the BoE has made a determination of a firm’s resolvability and—following formal consultation with the PRA and, where relevant, the resolution college—the BoE is required to share a summary of its resolution plan with the firm. The summary includes barriers to resolution and a request that the firm remove those barriers within four months. This process is not fully implemented yet given the time line for implementation of the BRRD. |
| EC 7 | The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. |
| Description and findings re EC 7 | The PRA considers proximity to failure when establishing its usual supervisory plans and relies on its PIF to express its judgment about the firm’s viability. The PRA relies on the PIF to achieve its goal of identifying and responding to emerging risks at an early stage and sets out five PIF stages, each representing a different level of risk of failure. Firms in Stages 1 and 2 are viewed as having the lowest to moderate risks, respectively, to their viability. Those in Stage 3 are viewed as having risk to their viability in the absence of any action by the firm. Firms in Stage 4 are viewed as having imminent risk to their viability, while those firms that are in the resolution phase are in Stage 5. When a firm moves into a higher PIF stage, indicating that the PRA believes the firm’s viability has deteriorated, supervisors are required to review their supervisory actions accordingly and in line with a list of appropriate actions detailed in the PRA’s Approach to banking supervision document. Senior management at firms, in turn, are expected to take appropriate action to reduce the likelihood of failure, and U.K. authorities will ensure preparedness for resolution. For firms assessed as being in PIF Stages 3 or 4, the BoE’s RD will add them to a watch list and begin assessing barriers to resolution through analysis and information-gathering; in Stage 4, the RD begins generating solutions to mitigate the identified issues. Two key conditions must be met before a firm can be put into resolution. First, the firm must be failing or likely to fail; for example, supervisors may assess that the firm is failing or likely to fail to meet its Threshold Conditions for authorization in a manner that justifies the withdrawal of its authorization. Second, it must be reasonably likely that no action will be taken outside of the resolution regime that will result in the firm no longer failing or being unlikely to fail. The decision to place a firm in resolution does not, on its own, allow use of all of the resolution tools. To use the stabilization tools, it must be necessary to do so, having regard to the public interest in achieving the objectives of resolution. The BoE will consult with the PRA, FCA, and HMT and then determine whether the public interest test is met by assessing the probable impact of the firm’s failure. If the assessment indicates that the use of the insolvency procedure would not meet the resolution objectives, the stabilization tools may be used. It should be noted that the PRA is currently evaluating the PIF to ensure that it complies with the Early Intervention Measures under the BRRD. From the FCA’s perspective, when a bank is in difficulty, the FCA engages with the BoE RD, HMT, and the PRA to consider the resolution contingency plan for the firm. The FCA considers in particular depositor protection, continuity of access, possible changes to terms and conditions, and completion of ongoing redress and remediation programs. In addition, the FCA seeks to provide confidence in the adequate regulatory protection of client money and safe custody assets (client assets) and sets out requirements for firms to have readily information to facilitate the prompt return of client money and safe custody assets in a resolution event. |
| EC 8 | Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. |
| Description and findings re EC 8 | If bank-like activities are taking place outside the supervisors’ firewall, the PRA notifies the FPC for evaluation. Under the BoE Act 1998, the FPC has the power to make recommendations to HMT on regulated activities. The committee is able to provide advice or recommendations to the Treasury on what activity should be regulated; which activities should be designated for Prudential Regulation by the PRA; and which categories of firms outside the scope of its regulation from which the PRA may collect information specifically for the purpose of promoting financial stability. When firms are operating outside of the regulatory regime, the FCA’s Enforcement and Markets Oversight Division has a dedicated Unauthorized Business Division that investigates suspected breaches of the general prohibition and/or contravene restrictions on financial promotions. |
| Assessment of Principle 8 | Largely Compliant |
| Comments | The U.K. authorities have made important progress in adopting a more rigorous and hands-on approach to supervision since the prior FSAP. The current FSAP took place during a period of continued development and transition, and offers a good stock-take of the state of the supervisory approach today as well as the outlook for its development in the future. Overall, the goal of U.K. authorities’ current supervisory approach is consistent with the objective of promoting and preserving systemic resilience. To be both effective and efficient, U.K. authorities made two important decisions.
These two decisions have influenced the shape of the U.K.’ supervisory approach in several important ways. The concentration of supervisory attention and resources on capital and liquidity in systemically important firms may have reduced the availability of attention and resources for other risk-management work within those firms. This is not to say that supervisors are doing little or no work in monitoring and evaluating risk-management in firms; on the contrary, supervisors today may be undertaking more hands-on work in evaluating risk-management practices within systemically important firms than was true in the past. Still, U.K. supervisors seem to have tipped the balance of their work toward evaluating the adequacy of those two important forms of financial resources that promote balance sheet strength. This could increase the risk that the supervisor is less aware of problematic practices and how risk is evolving in the firm. Moreover, the focus on systemically important firms may have reduced the availability of attention and resources for smaller and less systemically important firms, requiring supervisors to rely to a greater degree on automatic triggers to notify them of significant changes in risk profiles. Supervisors are compensating for the limitations by relying more on monitoring regulatory returns, data, and key ratios and trends, including mortgage lending growth; their goal is to identify outliers among smaller firms that may be experiencing unusual growth or challenges relative to their peers. Still, U.K. supervisors acknowledge that they have adopted a more responsive approach to the supervision of smaller firms. Supervisors are aware of these challenges that the current approach introduces and seek to mitigate the risk through several ways.
Still, the current approach potentially leaves open gaps. As noted below, the reviews of risk-management in even the largest firms take place over a period of years, which could leave the system exposed to undetected issues that emerge in the short run given how dynamic and competitive the largest firms tend to be, risk profiles can evolve quickly; supervisors that are less engaged in evaluating internal developments and practices could face surprises. The approach likewise appears to focus more on the risk of failure and less on slowly emerging malaise in firms, which could cause a slow drag on the financial system or the economy, although the PIF does give the authorities a means for monitoring and addressing both rapid and slow burning risks. Discussions with industry observers and participants also noted an underlying theme of inconsistencies in how supervisory teams communicate messages and recommendations to firms. Some said that the teams communicated clearly their concerns and what they expected firms to do. Others said that some teams were less clear about next steps that are expected or that the tone of the communication in face-to-face meetings was more favorable than the subsequent written communication. Assessors had an opportunity to review PSMs and other communications with firms; they noted, in general, that supervisors tended to describe key risks and concerns clearly. In a few cases, however, what the firm was expected to do was less clear other than to respond to the supervisor’s letter. Finally, the more reactive approach adopted for smaller firms increases the likelihood that smaller institutions in a particular geographic region, or classes of institutions across the financial system, could develop similar exposures over time and face similar challenges simultaneously. Outlier analysis can fail to spot broad growth in risk within many firms at the same time: if all are building up risks in the same manner, the supervisor may be less able to identify the relative increase in risk across firms. Customers dependent on similar or smaller firms could face credit crunches and other challenges at the same time. While supervisors should expect firms to behave prudently and manage their businesses appropriately, U.K. supervisors continue to rely substantially on setting out supervisory expectations for firms to follow and on the firms to inform their supervisors when they find areas in which they do not meet expected standards. Overall, the foundation for U.K. supervisors’ expectations are articulated in the “Threshold Conditions” and in the PRA’s “Fundamental Rules” and FCA’s “Principles for Business.” The approach is based on holding firms and their senior management accountable for their compliance with rules and regulations and for conducting their business in a prudent, safe, and sound manner. While supervisors may well probe and test statements more than before, especially in the largest firms, in the IMF’s view, U.K. supervisors could undertake more independent probing to ensure firms’ prudence and propriety. Given recent concerns about weaknesses in conduct and culture, it is important that U.K. supervisors continue to probe firms’ compliance, safety, and soundness more carefully and intensely than before the crisis. The U.K. supervisors nonetheless appear cognizant of these risks and, as noted above, have adopted reasonable mitigants, though some have yet to be deployed (such as the SMR). Consequently, at this time, the gaps that may exist no longer appear to be severe, warranting an upgrade since the prior FSAP’s assessment to “largely compliant” for this component. |
| Principle 9 | Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. |
| Essential criteria | |
| EC 1 | The supervisor employs an appropriate mix of on-site and off-site supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between onsite and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. |
| Description and findings re EC 1 | The PRA seeks to conduct its supervision through “CA,” aiming to update is overall evaluations of a firm’s condition, the risks it faces, and the risks it poses. For each firm, the PRA operates an annual review cycle. While the PRA seeks to evaluate each risk element annually, it may emphasize some over others such that all elements should be evaluated at least once every three years. The PRA takes stock of its assessments on annual basis through a PSM, followed six months later by a mid-point review. These check points are overseen by more senior managers, who evaluate decisions and recommendations that the supervisors make in order to ensure effectiveness and appropriateness of their supervision. In formulating its views, the PRA draws upon a broad set of information and data. Supervisors require firms to submit regulatory returns; it draws on information in public disclosures; and it may request additional, firm-specific information such as MI or forecasts. Because of the importance of the data in informing its views, the PRA may periodically validate the data, either through onsite inspections or through the employment of third parties. To support this information-gathering and analysis, the PRA requires firms to participate in meetings with supervisors. For the largest, most systemically important firms, the PRA employs a dedicated team of supervisors for each firm who conduct both onsite and offsite work, drawing on specialists from outside of the team when necessary. The team coordinates and conducts all on- and offsite supervision. Firms judged to pose lower levels of risks may be subject to less intensive supervision, drawing on supervisors who may oversee on- and offsite work for groups of institutions. The PRA’s work increases in frequency and intensity such that its engagement is higher with those firms with the most significant potential impact relative to those with less significant potential impact. At the firms with the greatest potential impact, the PRA conducts a mix of onsite testing or inspections as well as “baseline monitoring,” which includes offsite monitoring and analysis and discussions with managers and staff at the firms. PRA staff indicated that reviews of some risk elements, such as operational risk, can require up to three years to complete a cycle of reviews at one large firm. For exposures to credit risk, PRA staff indicated that they review credit risk measures and sometimes engage in testing by reviewing a variable number of loan files, etc. At firms with lower potential impact, more of the work centers on baseline monitoring and analysis, as fewer risk specialist resources are generally available. The FCA relies on a range of on- and offsite tools that it applies on a risk-based basis to firms depending on their size and risk profile. The FCA has decided to focus most of its firm-specific supervisory resources on the large and higher-risk banks in the United Kingdom. The FCA’s approach to supervision relies on three pillars, and the largest banks are subject to all three pillars, namely: proactive work, such as meetings with banks’ senior management (Pillar 1); reactive work to deal with emerging or “crystallized” risks (Pillar 2); and thematic or cross-firm work across arrange of banks (Pillar 3). In addition, the FCA prepares a periodic overall assessment (“firm evaluation”) for larger firms. Smaller banks are subject primarily to Pillars 2 and 3 work only. |
| EC 2 | The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. |
| Description and findings re EC 2 | As part of the PRA’s annual supervisory cycle, supervisors take part in an internal PSM, which includes proposing a schedule of work and an overall supervisory strategy for the firms. The results of the PSM include activities that the supervisors expect to undertake and how these activities relate to the conduction of the firm. The seniority of members of the PSM varies depending on the potential impact of the firm, with the most significant firms being discussed at senior governance committees. For the largest Category 1 firms, Executive Directors and senior staff are typically involved in the PSM; for smaller firms, the PSM may consist of heads of supervisory departments or local supervisory line management. This stratification of firms and PSM members allows for greater consistency in decision making as PSMs for firms within a group of peers share PSM members, giving visibility across the population and allowing for the level of supervisory activity to be coordinated in a more consistent manner. As noted above in EC 1, once the supervisory plan is agreed at the PSM for the largest, most systemically important firms, the relevant team conducts all on- and offsite work. For firms judged to pose lower levels of risk, a team may coordinate and conduct the supervision of more than one firm. The FCA’s approach to key pieces of firm-specific work is set out in various “How To” guides, such as carrying out a firm evaluation; carrying out an interim view; carrying out a deep-dive assessment; and assessing whether an issue is outside supervisors’ risk appetite and therefore requires supervisory intervention. Established procedures exist for supervisors carrying out thematic work to discuss their findings with firm supervisors. |
| EC 3 | The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable and obtains, as necessary, additional information on the banks and their related entities. |
| Description and findings re EC 3 | The PRA draws upon a variety of information and data to form supervisory judgments, and requires firms to submit sufficient data—of appropriate quality—to inform their judgments about material risks. The PRA periodically seeks to validate firms’ data, either through onsite inspection by PRA staff or by third parties. Supervisors gather and analyze some information on a regular basis through regulatory returns; they consider as well as information in the public domain, such as firms’ annual reports and disclosures. Other information-gathering practices are described above (see, for example, EC 1). For regulated entities that are parts of international groups, the PRA will work with other regulators via supervisory colleges and other means of communication to achieve a more-collaborative approach to supervision, including sharing and reviewing supervisory information where appropriate. Across the financial services sector, the PRA works with the FCA and the FRC where appropriate to improve the quality and usefulness of information disclosed on firms’ safety and soundness. The FCA likewise receives information from a range of sources—including from firms directly, as well as from across the FCA, from other supervisors, from customer complaints, from letters from members of parliament, and from publicly available sources. While FCA supervisors do not routinely assess the reliability of information supplied by banks, they are empowered to investigate the accuracy of the information or to require a third-party to do so where they have reasonable grounds to question the reliability of the information. |
| EC 4 | The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as:
The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. |
| Description and findings re EC 4 | The PRA reviews its judgment of the risk to firms’ safety and soundness, communicates these judgments to firms, and requires them to take action to address them. The PRA uses a variety to tools to do so, including all listed in the essential criterion. Assessors had an opportunity to review recent selected analyzes and reports similar to each of the examples cited above. In this regard, evaluating a firm against the PRA risk model includes analysis of financial statements, business model analysis, stress testing, and analyzes of corporate governance, among others. As described early under BCP 8 above (supervisory approach), the PRA relies on its PSM process to aggregate its views and consult internally and with the FCA to determine key messages. It then sends an annual letter to each firm’s Board, outlining key risks that are of greatest concern and on which it requires action, which it subsequently expects to verify for itself. The PRA sends individually tailored letters to all firms except those with the lowest potential impact (usually Category 4 and 5), where a standard letter outlines issues the supervisor has identified relative to all firms in that group, unless specific issues have been identified for a particular firm. For Category 1 firms, the deputy governor for the PRA and senior PRA staff attend major U.K. banks’ Board meetings to present the PSM messages. The PRA communicates other issues identified between annual letters and requires the firm to take action. The PRA undertakes horizontal peer reviews on a systematic basis for small firms. For larger firms, such as Category 1 firms, the PRA performs horizontal peer reviews on a particular risk issue. It considers Pillar 2 capital assessments concurrently across all Category 1 firms to ensure consistency in its assessments and judgment. The FCA is responsible for identifying risks to consumers at individual banks and across the banking system as whole that arise from banks’ conduct and risks to market integrity. Given the significant impact of the costs of redress exercises and conduct-related fines in recent years, the FCA has regular dialogue with the PRA to ensure that the PRA can take estimates of future cost into account in their assessment of bank and systemic stability. |
| EC 5 | The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. |
| Description and findings re EC 5 | FSSR within the BoE is responsible for identifying and assessing risks to financial stability from across the banking system as a whole and defining the BoE’s strategy for responding to them. For example, the PRA conducted a CST of eight major U.K. banks and building societies in 2014. Given that only one firm had fallen below that year’s threshold at the trough of the scenario, that capitalization of the financial system had strengthened further over 2014, and that the PRA had formed plans with the stress tested firms to build capital further, the FPC reached the view that the system’s resilience had improved since the capital shortfall exercise the prior year. The FPC judged that no system-wide, macroprudential actions were needed in response to the stress test. For 2015, the PRA expects all Category 1 to 4 firms to adopt the published scenario in their own stress testing. Beyond stress testing, AQRs form part of the PRA’s continuous assessment (CA) of business risk, enabling supervisors to form judgments about the quality of assets and to identify current and potential threats to a firm’s assets through concentrations, legacy risks, and market and evaluation issues. SRS may undertake sector reviews; assessments of appropriateness of valuation, provisioning, and forecasts; and assessment of risk measures, including of portfolio stress tests (see CP 17 and 18). In terms of communicating other emerging risks, the BoE publishes papers on financial stability themes; these publications are designed to offer new insight into risk management, to promote risk reduction policies, to improve financial crisis management planning, or more generally to report on particular aspects of the BoE’s systemic financial stability work. In addition, the FPC prepares and publishes a FSR twice a year. In this report, the FPC outlines its outlook for U.K. financial stability, the resilience of the U.K. financial system, the current risks to financial stability, and actions it is taking to remove or reduce those risks. The FCA communicates its views on conduct matters to individual banks or to the wider industry as appropriate, including the desired regulatory action. As an example, following a firm evaluation, the FCA sets out its views on the firm in a letter to the firm’s Board and it meets the Board to discuss its views and the required actions. |
| EC 6 | The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. |
| Description and findings re EC 6 | As part of the PRA’s CA of a firm, the supervisor evaluates a bank’s internal audit function. PRA staff meet with the audit function periodically (for Category 1 firms, it can be monthly or more, as needed, though this may vary between supervisory teams), review audit reports, and seek to understand how audit findings have been addressed. The assessment of internal audit may influence the PRA’s overall assessment of the firm and can affect the assessment of the risk-management and controls element within the PRA risk model and the PIF stage of the firm. Where the PRA feels it can rely on an internal audit function’s work, it may use firms’ internal audit functions to identify and measure risks. The FCA, in turn, engages in periodic dialogue with the internal audit function in firms that it supervises on an individual basis. A primary goal is to understand the scope of the function’s work and the extent to which it will provide insight into the conduct risks within a firm. |
| EC 7 | The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, nonexecutive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. |
| Description and findings re EC 7 | The PRA’s supervision involves engagement with firms at all levels of seniority, and the Board as a whole should expect regular dialogue with the PRA, either in groups or on an individual basis. Supervisors assess the collective Board and senior management effectiveness in setting strategy as part of the management and governance element of the PRA risk model. The exact work that the PRA undertakes varies in frequency and intensity in line with a firm’s potential impact and other factors. For a U.K. bank with a high level of potential impact (Category 1), a supervisor may hold quarterly meetings with regular heads of individual business units and meetings with nonexecutive directors (NEDs) of the firm every six months. For smaller firms (Category 2–4), meetings may be less frequent. The precise timing and structure of meetings are discussed and agreed as part of the PRA’s annual supervisory review process (the PMS). For banks that the FCA supervises on an individual basis, the FCA has a program of regular “Proactive Engagement” meetings with key Board members (such as the senior independent director and chair of key Board committees) and with senior management. These meetings are intended to help FCA supervisors understand the bank’s strategy, the conduct risks that are emerging, and how the firm is addressing those risks. The minimum number and frequency of Proactive Engagement meetings is prescribed and is also informed by judgment about the risk inherent in the firm. |
| EC 8 | The supervisor communicates to the bank the findings of its on- and supervisory analyzes in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. |
| Description and findings re EC 8 | For the PRA, on- and offsite analysis feeds into the annual PSM process, and the PRA sends an annual letter to each firm’s Board outlining the key risks that are of greatest concern and on which it requires action. The PRA expects to verify itself that the action is taken and communicates to the Board how it intends to do so. For supervisory reviews conducted throughout the year, such as specialized examinations of particular issues, the PRA communicates its findings through both verbal discussions with the firm and often with written communications such as letters to management. As noted above under EC 5, the FCA likewise sends a letter to a firm’s Board following its completion of a firm evaluation. |
| EC 9 | The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. |
| Description and findings re EC 9 | After sending its annual letter to each firm’s Board, the PRA records the issues it in its “Risk Management System” and includes details and an expected completion date for the firm’s mitigating action. Senior management within the PRA receive reports on open issues and actions, and supervisors may run reports for the firms they supervise to allow for timely follow-up. Corrective actions are reviewed at the PSM and subsequent mid-year review to ensure completion; if the actions have not been completed, supervisors may escalate the concern to the appropriate level within the PRA and include those concerns in a post-PSM letter sent to the firm’s Board. Supervisors may rely on firm attestations—which are written and signed statements indicating that the firm has corrected a matter—as a supervisory tool to ensure that a firm has remediated PRA-identified issues. Attestations may enable supervisors to implement a judgment-based approach to supervision and to place responsibility on the firm to comply. Supervisors at the FCA are empowered to determine which issues and risks require corrective action by a bank. Supervisors determine the extent of monitoring of a banks remediation, taking into account such factors as the significance of the issue and the bank’s track record in resolving past issues. Supervisors can furthermore escalate concerns about a firm’s response to senior managers at the FCA. |
| EC 10 | The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. |
| Description and findings re EC 10 | Both the PRA and the FCA expect firms to keep their supervisors informed of relevant developments about which the supervisor would expect to be notified. As noted earlier, the PRA sets this expectation through Fundamental Rule 7, and the FCA relies on a similar expectation that firms deal with supervisors in an open and honest way. With regard to the PRA, the fundamental rules are supported by more detailed PRA rules and the directly applicable requirements in the CRR (Regulation 575/2013. A PRA-authorized firm must comply with these requirements and must know what they mean for its business. A failure to comply may be relevant to a firm’s ongoing compliance with the Threshold Conditions, and may result in enforcement or other actions. |
| EC 11 | The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. |
| Description and findings re EC 11 | The U.K. authorities consult with external parties especially in two sets of circumstances. First, the PRA makes use of external auditors to inform supervisory assessments and has set out expectations in how such discussions should be managed in its SS entitled, “the relationship between the external auditor and the supervisor: a Code of Practice.” The statement notes that supervisors and auditors should seek an open, cooperative, and constructive relationship on topics of relevance to both parties. In the case of Category 1 firms, the PRA has explicit expectations for supervisors to meet bilaterally with the largest firms’ external auditors twice per year and “trilaterally” with the external auditors as well as the chair of the audit committee of the firm’s Board of Directors at least once per year. Second, both the PRA and the FCA have the ability to require the provision of a report on a firm by a “skilled person” under S166 of the FSMA 2000. These skilled persons may be engaged when the supervisor believes that a particular expertise may be necessary to evaluate an issue at a firm; when the supervisor wishes to gain an independent perspective on an issue; or when the supervisor believes that resource constraints or other supervisory priorities preclude the supervisor for conducting such work. The assessors had an opportunity to review such reports prepared by skilled persons and found the reports in general to be thorough and serious evaluations of specific issues in the target firms. |
| EC 12 | The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. |
| Description and findings re EC 12 | A central function within the BoE, the regulatory data group (RDG), processes and monitors regulatory data using various information systems. The PRA and FCA jointly rely on GABRIEL, which is a portal through which supervised firms submit regulatory forms. The RDG relies on automated solutions such as the “Alert Manager System” to identify any areas of follow-up for supervision, such as unusual changes in financial measures. Assessors viewed demonstrations of several such systems and had an opportunity to speak with staff about how the systems are used to monitor firms’ condition, track supervisors’ evaluations of issues, and inform the supervisory process. |
| Additional criteria | |
| AC1 | The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. |
| Description and findings re AC1 | Under the Financial Services Act of 2012, the NAO was made the statutory auditor of the FCA and the PRA as of April 2013. The NAO performs review the supervisors’ activities and performance and makes public its findings. Both the PRA and the FCA maintain internal audit functions within their respective organizations that may review each respective supervisor’s programs and performance periodically. Both supervisory agencies have also developed internal review functions. The PRA, for example, relies on an internal supervisory oversight function (SOF) that provides the PRA Board with assurance on the quality and effectiveness of supervision. It is not necessarily an audit or compliance function and instead supports the development of supervisory strategy within the PRA, as well as the exercise of sound supervisory judgment internally, by focusing on how the PRA engages with the firms it supervises. When necessary, the SOF can also supplement supervisory resources to address urgent priorities. The SOF is made up of about 26 staff, most of whom have prior supervisory experience. It reports directly to the PRA Board. Similarly, the FCA created a specialist review function in 2010 to assure the quality and effectiveness of its supervision of major banks and other firms. It serves as part of the FCA’s second line of defense, forming part of the FCA’s Risk and Oversight Division, and evaluates supervisory strategy, the use of supervisory tools, and supervisors’ understanding of risks. |
| Assessment of Principle 9 | Largely Compliant |
| Comments | Overall, U.K. authorities appear to have taken a more active approach to using supervisory tools especially in the portfolio of the largest and most systemically important firms. Still, vestiges of concerns identified during the prior FSAP persist. Themes carrying over from the prior FSAP relate to the depth of onsite work, especially testing and the potential reliance on “skilled persons” in place of deploying supervisory resources onsite. Another theme remains the relatively low level of application of supervisory tools to smaller firms. While it does appear that prudential supervisors are engaging in more “hands-on” supervisory work at the largest firms, some reviews and periodic “deep dives” appear to be more cursory than might be expected in firms of such significance. For example, PRA staff indicated that AQRs are conducted several times per year at Category 1 firms; these reviews can be varyingly staffed and scheduled, but can entail visits lasting few days, with three or four risk specialists and relying on the review of a limited number of loan files. In addition, staff related to the assessors insight into a variety of “conversations” that take place onsite at the largest firms, often led by experts from the supervisory risk specialists (SRS) department. Such regular dialogue is indeed an important part of contemporary supervision of large firms; however, the PRA may be able to draw greater confidence about the information gathered through such conversations by validating the information described to the supervisors. It remained unclear to the assessors how much supplemental testing and validation supervisors undertake following these regular meetings with senior executives and business leaders at the largest firms; it is consequently an open question whether supervisors are simply trusting their counterparts at the firm. To gain supplementary insight into significant issues at firms, supervisors from both the FCA and the PRA repeatedly referred to the potential use of S166 “skilled persons” reviews as a powerful tool for supplementing ordinary supervision. These views should be evaluated in the context of the CP’s admonition against “outsourcing” prudential responsibilities to third parties (EC 11). The benefits that staff cited for employing such external resources are not unpersuasive. Staff cited their sense that skilled persons can bring special insight that can carry extra weight with firms given their expertise; that skilled persons can provide an independent view to bolster the supervisors’ views; and that skilled persons may be able to perform some reviews faster and with greater focus than supervisors could, or that these external parties may be able to allow supervisors to focus scarce resources and time on other priorities. It should also be noted that firms bear the costs of skilled-persons reviews, which may also be beneficial in managing the costs and resources associated with special reviews, and that supervisors remain engaged through regular dialogue with the skilled persons and the firms. Assessors at the prior FSAP noted that S166 reviews and “deep-dive” reviews “cannot be really seen as an onsite supervision system with transaction testing, even on a on a select basis.” Assessors at the current FSAP continue to share those concerns. Supervisors shared informal statistics indicating that S166 reviews are not employed frequently in the largest firms. Assessors understand that supervisors are not seeking to outsource supervisory responsibility to third parties, yet are concerned that relying on such tools can reduce the sense that such skills and expertise need to be developed and maintained within the supervisor staff so that the authorities can deploy expert judgment more frequently and more consistently across the broad population of firms they supervise. S166 reviews convey real benefits in situations requiring particular expertise or significant resources; supervisors should employ such resources with care, as U.K. authorities agree that the use of external consultants should not be viewed as a way to reduce the need for supervisors to develop appropriate skills and knowledge. Finally, while supervisors have developed a suite of tools that are important to evaluating safety and soundness and firms’ condition and performance, the use of these tools is highly concentrated in the largest and most systemically important firms. Some onsite reviews and testing does seem to take place in Category 2 firms, though the assessors could not confirm that this was more than sporadic. Supervisors acknowledged that a more reactive approach has been adopted for smaller firms, with automated “baseline” monitoring serving as the primary tool for conducting day-to-day supervision. |
| Principle 10 | Supervisory reporting. The supervisor collects, reviews and analyzes prudential reports and statistical returns50 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. |
| Essential criteria | |
| EC 1 | The supervisor has the power51 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss (P&L), capital adequacy, liquidity, LE, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. |
| Description and findings re EC 1 | Art. 65(3) of the CRD requires competent authorities—which are the PRA and the FCA in the United Kingdom—to have all information gathering and investigatory powers that are necessary for the exercise of their functions, including the specific powers set out in 65(3)(a). The EU harmonized supervisory reporting requirements—provided for in the CRD and EC regulations on reporting—encompass a comprehensive range of information for the supervisor to perform a risk assessment, including:
As per the CRR, reporting is due both on a consolidated (prudential) and solo level and it covers on- and off-balance sheet items. All banks are required to prepare and deliver common reporting (COREP). The reporting requirements are defined by EBA ITS on supervisory reporting, which were introduced in Q1 2014 and are being phased in over a number of years. Frequency varies between reporting from monthly (liquidity) to quarterly and semi annual or annual for some individual templates. COREP data must be reported on both a solo and consolidated basis by all firms covered by the CRR, while FINREP is mandatory only for international financial reporting standards (IFRS) institutions at consolidated level (though NCAs can extend to GAAP firms on consolidated level). Solo level reporting remains national discretion. NCAs can require regular reporting outside the scope of the ITS on supervisory reporting. COREP covers capital adequacy, liquidity, LE, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, and market risk; while FINREP covers, inter alia, on- and off-balance sheet assets and liabilities, and P&L. The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise of its functions under FSMA (S165) and also from those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the United Kingdom (S165A). The PRA also has the power under FSMA to make rules, and has made rules, requiring firms that it regulates to submit regular reporting (for example, the main regulatory reporting rules are known as Supervision (SUP) 16.12 in the PRA Handbook, soon to be moved over to the PRA Rulebook as the Regulatory Reporting Part). FINREP data for solo entities and for firms that do not report according to FINREP are collected on a regular basis using PRA-specific supervisory reporting templates. As well, under the PRA’s S55M FSMA powers, the PRA may impose a requirement on a regulated firm, which could include a regular reporting requirement, including, inter alia, on- and off-balance sheet assets and liabilities and P&L items for non-FINREP reporters and interest rate risk. |
| EC 2 | The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. |
| Description and findings re EC 2 | According to the CRR (Art. 99(2)), FINREP reporting templates for supervisory purposes are required to be based on the IFRS at the consolidated level (see EC 1). At the solo level, reporting can be based on local Generally Accepted Accounting Principles (GAAP) and national discretion can be exercised to require IFRS for solo reporting of FINREP. Reporting instructions are included in Commission Implementing Regulation (EU) No. 680/2014 that contains detailed instructions for the submission of supervisory reporting. FINREP reporting is based on IFRS and adapted also for national GAAPs. To ensure consistency and comparability of information, the ITS indicates that firms should use the same accounting framework for both own funds and FINREP. FINREP reporting templates for supervisory purposes are required to be based on the IFRS (see EC 1) for firms that meet that meet the criteria of CRR (Art. 99(2)). As the United Kingdom has not exercised the national discretion, under Art. 99(3) CRR, to require FINREP reporting, also to those firms that do not meet the criteria of CRR Art. 99(2), they report P&L and balance sheet data using U.K.-specific FINREP templates. The PRA asks firms to submit regulatory returns—including COREP and its own supervisory reporting returns–using their normal accounting practice or applicable accounting framework at that time. For most firms, the relevant framework is IFRS or U.K. GAAP (but some firms use other national GAAP frameworks, e.g., U.S. GAAP). Reporting instructions for U.K. regulatory returns, including information about the accounting standards to be used, are available on the BoE’s website. For example, Annex 25A of SUP 16 provides guidance on the completion of returns required SUP 16.12. On April 7, 2015 the PRA published a note setting out the basis under which it will accept regulatory returns during the transitional period for first-time adopters of FRS 102 that are currently applying old U.K. GAAP (meaning pre-FRS 102 U.K. GAAP). General Prudential Sourcebook (GENPRU) 1.3 sets out general rules and guidance as to how a firm should recognize and value assets, liabilities, exposures, equity, and income statement items. These are consistent with IFRS and U.K. GAAP accounting standards (whichever applicable) |
| EC 3 | The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. |
| Description and findings re EC 3 | Art. 24 of the CRR specifies that the valuation of assets and off-balance sheet items shall be effected in accordance with the applicable accounting framework. Art. 76 of the CRD requires that the management body will devote sufficient time to the consideration of risk issues as well as the valuation of assets, the use of external credit ratings and internal models relating to those risks (see para. 2). The RTS for prudential valuation (EBA/RTS/2014/06/rev1) establishes approaches for prudential valuation adjustments as required by the CRR for traded instruments (simplified and core approaches). The final draft has been published and is pending approval by the EC. The PRA requires banks to establish and maintain systems and controls sufficient to provide prudent and reliable valuation estimates under GENPRU 1.3.13 in the PRA Handbook. The onus to comply is on the banks themselves. For the largest firms, the PRA assesses compliance at a high level through desk-based reviews of firm’s MI (prepared offsite via extensive analysis of MI sent by the bank and supported by a two to three hour meeting with the firm). Risk specialists conduct assessments of major firms’ valuation frameworks in various forms, including via high level semiannual CA reviews, thematic reviews, and assessments of applications for internal models approaches (IMA) permissions. The aim of the review is to evaluate the effectiveness of banks’ governance frameworks, policies, and controls around accounting system valuations. Accounting experts review major firms’ disclosures in conjunction with front line supervision. The PRA can require banks to make adjustments to their reporting for capital adequacy/regulatory reporting purposes when it determines that valuations are not sufficiently prudent. Where any concerns are identified the PRA may undertake additional work. Supervisors can also use powers under FSMA (S166) to require external experts (“skilled persons”) to review aspects of the processes for determining valuations. Banks may be required to address any deficiencies. Where the supervisor does not consider banks’ governance structures and control processes suitable, then it applies add-ons/scalars to account for the uncertainty concern. The PRA can take enforcement action in response to poor reporting. The PRA adopts a risk-based approach and, hence, risk specialists focus on the more systemically important (Category 1) firms and on the positions that supervisors have identified as having material valuation risk. A systematic approach for reviewing all mark to market positions has not been established. As the smaller firms do not typically have assets that mark-to-model and do not have trading books, many of the more difficult problems in the area of valuations do not apply to them. However, where it is relevant to a small bank, the supervisor seeks specialist support and cover as part of their supervisory strategy if they consider it to be a material risk. For example, supervision and valuation specialists have conducted valuation reviews of material Category 2–4 firms that have trading books. Supervisors also discuss on a frequent basis with the firm and external auditors. Valuations are picked up as part of the meeting with the external auditors; however these meetings focus on accounting valuations rather than regulatory valuations. The United Kingdom has an established prudent valuation approach, which has led to developing, both reporting requirements and technical standards for prudent valuations. Starting December 2010, relevant U.K. firms have been required to report prudent valuation adjustments in quarterly reports. U.K. firms are required to deduct prudent valuation adjustments from capital. Other ongoing reforms include changes to U.K. GAAP, which will increase the emphasis on fair value accounting for those firms that use U.K. GAAP. Unrealized gains or losses currently concealed in assets that are valued at historic cost will be revealed. |
| EC 4 | The supervisor collects and analyzes information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. |
| Description and findings re EC 4 | The EBA ITS on supervisory reporting sets out the frequency at which COREP and FINREP returns have to be collected. The required frequency depends on the nature of the information requested; for example, banks report liquidity data on a monthly basis; comprehensive capital adequacy and FINREP data on a quarterly basis; and some FINREP templates on a semiannual or annual basis. CRD Art. 104(1)(j) enables the PRA to impose additional or more frequent reporting on a firm or firms similar risk profiles, including reporting on capital and liquidity positions. Accordingly, the PRA requires the highest impact firms to report capital data (including projections) on a monthly basis (via the Capital+ return), and liquidity data both more frequently (weekly) and with greater detail (e.g., banks’ funding plans). COREP and FINREP also provide for proportionality—reducing reporting requirements for smaller firms, as do the reporting requirements set out in SUP 16.12 of the PRA Handbook. For example, materiality thresholds ensure that less detail is required to be reported for firms below a certain size and/or positions below a certain monetary value. PRA-specific returns are also required to be reported at a frequency appropriate to the nature of information and size of firm. The reporting frequencies for PRA handbook returns are set out in SUP 16.12.6. Detailed firm data are collected to support the annual stress testing cycle, which currently focuses on systemic U.K. firms. Most of these data are reporting annually, but some are collected on a more frequent basis. Where additional risk is identified (e.g., during a stress), then the supervisor may request information of increased detail/frequency as they consider appropriate. In April 2015, the PRA published policy statement PS8/15 setting out a rule requiring incoming firms and third country firms to submit a branch return on a six-month basis. The branch return will provide the PRA with information about the U.K. activities of these firms. The reporting burden imposed on firms by new nonmandatory data collections is reviewed by PRA/FCA governance structures to ensure that it is proportionate and that the data are collected at an appropriate frequency. Typically, returns are allocated to supervisors for review based on their area of focus and expertise, for example: capital and leverage; credit risk; market risk; operational risk; LE; and/or liquidity risk. The review process is currently focused on COREP data and the PRA handbook returns. FINREP data will be incorporated into the process as soon as practical. Reviews are carried out in line with the relevant reporting frequency and conducted at group level and/or solo level aligned with the PRA’s overall supervisory approach. For example, liquidity returns are reviewed based on liquidity subgroups, rather than on a solo level. The reviews are based on time series of key data judged to be reliable high-level indicators of a changing risk profile. This includes regulatory limits, such as LE limits and capital ratios. Any supervisory observations of material movements or actions taken with the firm are recorded as part of the process. Supervisors of the major U.K. deposit takers draw extensively on firms’ own MI as well as regulatory data. The PRA receives monthly MI from firms considered complex and of high impact. The PRA receives MI as and when it needs it from smaller and less complex firms. Building societies and credit unions that are rated as Category 2–4 firms are currently subject to the same frequency and level of review although the PRA is exploring alternative options in this area. For international banks, the requirements to review regulatory data are more detailed and more frequent for larger firms than for smaller firms, which reflect the PRA’s risk-based approach. Review processes are complemented by automated alerts against defined criteria (e.g., breach of LE rules), which are notified to supervisors in the e-mails announcing receipt of the data items. Supervisors acknowledge the alert within five days of it being generated, and within 10 days record a decision as to what action (if any) should be taken. Possible actions could include no action, following up with the firm via a phone call or other means (e.g., to sanitize the data), through to informing a decision to take a S166 action (when the data issues are deemed to be more serious and/or persistent). Alerts are closed off when the actions are complete. The internal capital adequacy assessment process (ICAAP), which is reviewed annually for larger firms and biennially for smaller firms, also contains firm data of a more detailed and granular nature than is obtained through the regular cycle of regulatory reporting. Regulatory data is also used to produce peer analysis e.g., capital, liquidity and LE of the largest eight U.K. banks—which is used by supervisors to supplement their individual analysis, identify outliers, and trends. As part of the PRA’s project for utilizing the broader data collection under CRD IV, the PRA is developing an IT project to expand the PRA’s analytical tools to support analysis of the regulatory data. |
| EC 5 | In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). |
| Description and findings re EC 5 | Standardized regulatory returns under the U.K. and EU regulatory framework COREP, FINREP, and SUP 16.12 define reporting dates and periods and reporting requirements for all firms meeting a verifiable set of criteria. Different balance sheet and P&L collections exist for solo and consolidated entities (for FINREP reporters) and between FINREP and non-FINREP reporting firms. This difference in the financial reporting regimes that apply to solo and consolidated entities, and between firms that use IFRS and local accounting standards is being addressed as part of the PRA data-stocktaking exercise, which is considering the feasibility of replacing existing financial reporting under U.K. GAAP (balance sheet and P&L returns with less granularity and no accounting, sectoral, or geographical breakdown) with reports that are consistent with the FINREP templates. COREP reporting is required to be on a calendar quarter. All other reporting requirements, including FINREP, allow firms to follow their own reporting cycle based on the firms’ year-end. |
| EC 6 | The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal MI. |
| Description and findings re EC 6 | Art. 4 of the CRD regarding designation of powers to the NCA provides the legal basis for supervisors to have access to all relevant information from banks as well as entities in the wider group. Para. 3 states that MS shall ensure that appropriate measures are in place to enable the NCA to obtain the information needed to assess the compliance of institutions, and of FHCs and MFHCs. Para. 5 states that MS shall also ensure that internal control mechanisms and administrative accounting procedures of the institution permit the checking of their compliance with such rules at all times. Art. 65(3) CRD requires competent authorities—which the PRA is for purposes of CRD IV in the U.K—to have all information gathering and investigatory powers that are necessary for the exercise of their functions. The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise by the PRA of its functions under FSMA (S165) and also from entities in the wider group, including those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the U.K. (S165A FSMA). Fundamental Rule 7 of the PRA Rulebook requires firms to be open with the PRA, and provide it with information that it can reasonably expect for the performance of its regulatory duties. SIG1 (Information Gathering) of the PRA Rulebook gives the PRA rights of access to relevant staff and information at firms which it supervises. The PRA requests firms to report the information it requires for supervisory and resolution purposes on a regular and/or ad hoc basis, as it deems appropriate. For example, the most systemically important U.K. headquartered firms provide detailed FINREP data via firm data submission framework (FDSF) templates that are used for stress-testing purposes. MI—including Board and Board committee papers—are regularly received and reviewed as well as other information required to enable supervisors to identify and assess risks. |
| EC 7 | The supervisor has the power to access52 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. |
| Description and findings re EC 7 | Art. 65 of the CRD provides the legal basis for the supervisor to have unfettered access to the managing body (Board), senior management, and staff as required to discharge the mandate of the NCAs (see para. 3). The PRA has power to require credit institutions that it regulates to submit any information or documents reasonably required in connection with the exercise by the PRA of its functions under FSMA (S165) and also from those it does not directly regulate (such as third-party service providers or managers of investment funds) if relevant to the financial stability of the U.K. (S165A FSMA). Fundamental Rule 7 of the PRA Rulebook requires firms to be open with the PRA and provide it with information which it can reasonably expect for the performance of its regulatory duties. SIG1 (Information Gathering) of the PRA Rulebook gives the PRA rights of access to relevant staff and information at firms which it supervises. Supervisors regularly meet with senior executives and Board members as part of their CA program and under the PRA powers to mandate meetings with holders of SIFs within a bank. For all Category 1–4 firms, there is a planned schedule of meetings with senior management and control function heads, with increased frequency for more systemically important firms. Supervisors attend firm Board meetings to present the findings of PSMs. For Category 2–4 U.K. banks, supervisors meet with the executive and some NEDs annually during the SREP and L-SREP process. Supervisors also meet the entire Board together or individually as part of a biennial review of Board-level governance. |
| EC 8 | The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. |
| Description and findings re EC 8 | Art. 4 CRD requires that MS empower NCAs to obtain the needed information. Art. 67 paras. (e) to (m) establish the capacity for the NCA to enforce compliance with the requirement that information submitted for regulatory purposes is accurate and timely. Section SUP 16.3 of the PRA Rulebook sets out general requirements for firms to submit reports as required by the relevant parts of SUP 16 on a timely basis. The PRA Rulebook (Notification 6) states that a firm must take reasonable steps to ensure that all information it gives to the PRA in accordance with a rule is complete and accurate. If a firm is unable to obtain the information required, then it must inform the PRA that the scope of the information provided is, or may be, limited. If a firm becomes aware, or has information that reasonably suggests that it has or may have provided the PRA with information which was or may have been false, misleading, incomplete, or inaccurate, or has or may have changed in a material particular, it must notify the PRA immediately. The notification must include: details of the information which is or may be false, misleading, incomplete, or inaccurate, or has or may have changed; an explanation why such information was or may have been provided; and the correct information (if the correct information is not available, it must be provided as soon as possible afterwards). S398 of FSMA makes it an offence for a firm knowingly or recklessly to provide the appropriate regulator with information which is false or misleading in purported compliance with the appropriate regulator’s rules or any other requirement imposed by or under the Act. An administrative fee of GBP 250 used to be levied on firms for late or incomplete regulatory reporting (SUP 16.3.14R). The fee was an administrative charge levied in order to recover the costs of pursuing late returns and was not meant to be used as a penalty or a deterrent. Following a consultation, it has been deleted. Failure to submit a report in accordance with the SUP 16 or the provisions of relevant legislation may also lead to the imposition of a financial penalty and other disciplinary sanctions. Under FSMA, the PRA has powers to intervene where there is persistent late or incomplete reporting, for example, by commissioning a S166 report. There are instances where the PRA has used S166 powers in response to poor reporting over the past couple of years. The PRA holds senior management responsible for the accuracy of their firm’s regulatory reporting, just as the PRA holds them responsible for everything else that happens on their watch. The production and integrity of the firm’s financial information and its regulatory reporting under the regulatory system is one of the prescribed responsibilities set out in the PRA’s SMR, which came into force in March 2016. The PRA takes into account the quality and timeliness of firm’s CRD regulatory returns when assessing firm’s risk management & controls; and may require firms submitting poor-quality data to take mitigating actions or increase capital and liquidity add-ons. The assessors found evidence of the used of skilled person reports (S166 FSMA) to investigate serious and/or persistent quality issues in the supervisory reporting. The reports produced by the skilled persons appear thorough in the analysis and detailed in the recommendations, facilitating the PRA’s follow-up. As the cost of the investigation is borne by the regulated entity, a wise use of skilled persons could set the right incentives for banks’ management to devote the needed attention to data quality in general and to the quality of regulatory reporting in particular. As the SMR only came into force in March 2016, the mission could not assess its effectiveness in ensuring that the responsibility for the production and integrity of the firm’s financial information and of its regulatory reporting is assigned to the appropriate level of the bank’s senior management. |
| EC 9 | The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.53 |
| Description and findings re EC 9 | There are multiple lines of defense to determine the validity and integrity of data. Validation rules for COREP and FINREP reporting are set out in the EBA ITS, and are automatically applied on submission. Validation rules are also automatically applied to the existing PRA Handbook returns (i.e., those set out in SUP 16.12). Following receipt of the validated data, the PRA’s RDG carry out a program of plausibility checking (comparison to previous periods and using available information), focusing on data sets that supervisors indicate are of greatest importance, such as capital adequacy, liquidity, and FINREP returns. The RDG use their plausibility checking processes to motivate regular dialogue with firms with a view to getting clarification on and improving data quality. Firms are asked to resubmit their data at the relevant reporting level (i.e., consolidated or unconsolidated or solo levels) where the data are materially incorrect. In extremis, this dialogue can be formalized by using S166 powers to instigate a review of a firm’s supervisory reporting. The S166 powers are used to require external experts to review certain aspects of a bank’s operations and the PRA has powers over their selection. The s166 powers have occasionally been used to test the completeness and accuracy of regulatory returns in compliance with PRA rules. All queries arising from plausibility reviews are initially sent to supervisors for their input/feedback. Following feedback from supervisors, unresolved queries are sent onto firms for resolution. |
| EC 10 | The supervisor clearly defines and documents the roles and responsibilities of external experts,54 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. |
| Description and findings re EC 10 | Powers under S166 FSMA are used to require external experts to review certain aspects of a bank’s operations and PRA has powers over their selection. When contracting directly with a skilled person, the PRA uses a panel of suitable suppliers to tender the S166 review; equally, where the firm has been directed to contract with a skilled person, the PRA directs the firm to the skilled persons in the relevant lot(s) on the panel. Skilled-person firms are subject to a robust set of criteria to be included on the Panel, which helps ensure a consistent and high quality approach to conducting skilled person reviews. As part of the tender process, the PRA scrutinizes the existence of potential conflicts of interest and the skill set of the proposed team with reference to the curricula vitae (CVs) in the proposal and the total proposed days by grade of staff. The panel of suitable suppliers was established from April 1, 2013 by both the PRA and FCA; see http://www.bankofengland.co.uk/pra/Documents/supervision/activities/skilledpersonpanel.pdf. |
| EC 11 | The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. |
| Description and findings re EC 11 | The PRA uses external experts when commissioning reviews under its S166 powers to require the provision of a report on a firm by a skilled person. When contracting directly, the PRA enters into a legal contract with the skilled person which requires the skilled person to communicate to the PRA information on or opinion on matters of which they have become aware in their capacity as a skilled person reporting on the firm, as set out in the section use of skilled persons 3.1(1)(b) of the PRA Rulebook. The skilled person is also expected to “maintain an open line of communication” with the PRA and to inform the PRA of “any significant developments as and when they occur.” Where a firm is directed to contract with a skilled person, the firm has an obligation to require the skilled person to communicate with the PRA in line with use of skilled persons. The PRA’s SS, reports by skilled persons (SS 7/14) lays out expectations of skilled persons, regard to communication. According to SS 7/14, the PRA expects the skilled person normally to give a periodic update on progress and issues during the engagement directly to the PRA. It may also be appropriate for the skilled person to communicate matters of material significance to the PRA set out in the rule on use of skilled persons 3.1(1)(b) without first informing the firm. |
| EC 12 | The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. |
| Description and findings re EC 12 | For CRR-mandated reporting, the EBA reviews the ITS through question and answer (Q&A) processes, which the PRA is engaged with. For nonharmonized reporting, all new data collections are subject to the PRA’s data governance processes. Ad-hoc data collections (those that are not enshrined in EU legislation and/or the PRA Handbook) approved by the PRA’s data governance body are subject to sunset clauses that mean that the need for those data collections has to be reexamined. Supervisors agree the information they want firms to provide on a periodic basis. This is normally undertaken during the PSM process. The PRA is currently undertaking its first iteration of internal data stock takes. The guiding principles for the review include rationalizing the number of data collections and in particular reducing duplication, imposing proportionality with greater rigor, and where possible standardizing definitions and also aligning them with those used in the CRD data collections. The approach the PRA is taking to the data stock take is to create an inventory of existing data collections—by 14 broad data/risk categories (for example, balance sheet and P&L, capital and leverage, etc.) and to compare these with data requirements identified across the PRA and the relevant areas of the BoE. The gaps and/or redundancy that are revealed by this comparison inform the proposals for any changes to data collected. The process should be completed by 2016. Implementation of any new data reporting will be phased, and will take account of other significant initiatives such as the introduction of the new International Accounting Standard (IAS) IFRS 9 in 2018 and, in the U.K., structural reform in 2019. It is likely that, in future, stock takes will take place via a rolling review across the risk categories, and be aligned with developments in international or internal data requirements. There is already a well-established precedent of reviewing statistical data in the BoE on this basis, where a rolling review of each reporting form takes place within a five-year cycle. |
| Assessment of Principle 10 | Compliant |
| Comments | The collection of data for supervisory reporting has generally improved since the previous FSAP, as recognized also by several industry representatives. This is, at least partly, the results of the U.K. adoption (like for all the other MSs) of the EU-harmonized reporting framework, which is more structured than the pre-existing U.K. approach, and may lead to greater consistency and an increased ability to assess exposures and risks across firms. The creation of a PRA data governance group is also improving the decisions supervisors make about what data to gather (and which ones to discontinue) and how to make use of it. Opportunities remain for U.K. supervisors to develop better data on credit exposures and performance (see CP 17): as noted in the assessment, this does not necessarily mean that supervisors should support the creation of a central credit register; nonetheless, supervisors should consider more ways to enhance their ability to monitor and interpret trends in credit and in credit markets across the industry. When the harmonized reporting is based on the FINREP scheme, which applies only to banks under the IFRS accounting regime, the U.K. authorities should set up similar (though proportionate) reporting schemes for non-FINREP banks, at least with respect to the most relevant risk categories (see CP 20). |
| Principle 11 | Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. |
| Essential criteria | |
| EC 1 | The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. |
| Description and findings re EC 1 | Supervisors maintain communications with the firm’s management and hold key meetings during the PSM process; the results of risk assessments are formally communicated to the firm in a letter, along with required actions to mitigate the risks identified. The firm is then subject to monitoring and further meeting or visits to evaluate progress on those items. To propose significant corrective actions, the PRA has published for staff and the public the “PRA Regulatory Decision-Making Framework” that sets out an overview of the process through which the agency makes decisions. This tool, for example, differentiates the decision-making process for addressing issues in firms that require statutory notice, such as decision to vary a firm’s permission to engage in regulated activities, versus decisions that may not require statutory notice. Given their implications for a firm’s business or for the PRA’s objectives, decisions to require corrective actions or sanctions that require statutory notices typically involve a more senior level of management in the PRA, up to the PRA Board. This framework appears to be helpful to ensure that decisions to sanction or to use corrective powers on firms are handled consistently and appropriately across the PRA, with a prescribed level of review and sensitivity. |
| EC 2 | The supervisor has available55 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations, or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. |
| Description and findings re EC 2 | The FCA and PRA have the legal powers under FSMA 2000 to take an appropriate range of remedial actions against banks, including imposing penalties. In addition to using formal tools, informal tools, such as reaching voluntary agreement with a firm through negotiation or persuasion, are also available. The tools available to supervisors range from making recommendations for remedial action, imposing individual requirements under S55L and S55M of FSMA, to actions that involve restricting a firm’s activities, such as withdrawing or varying a firm’s permission to carry certain regulated activities. |
| EC 3 | The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. |
| Description and findings re EC 3 | The EU provides regulations to address breaches against threshold requirements and also to intervene at an early stage. The conditions for the use of the “early intervention” are “where an institution infringes or, due, inter alia, to a rapidly deteriorating financial condition, including deteriorating liquidity situation, increasing level of leverage, NPLs or concentration of exposures, as assessed on the basis of a set of triggers, which may include the institution’s own funds requirement plus 1.5 percentage points, is likely in the near future to infringe the requirements of the CRD and CRR. MS shall ensure that competent authorities have at their disposal, without prejudice to the measures referred to in Art. 104 of Directive 2013/36/EU where applicable, at least the following measures:”
In the U.K., HMT used its powers to amend Schedule 6 of the FSMA 2000 and issued the FSMA 2000 Order 2013 (the Threshold Conditions Order). Under this order, Threshold Conditions were set out for firms authorized and supervised by the FCA; FCA-specific conditions for firms authorized by the PRA and subject to dual regulation; and PRA-specific conditions for insurers and for other PRA-authorized persons. The PRA can use its power to impose requirements under S55M of FSMA 2000, to vary the bank’s permissions under S55J at an early stage based on whether a bank is or was likely to breach the Threshold Conditions set out in the Order. The FCA and PRA have powers under Part 4A of FSMA 2000 to intervene at an early stage to require a bank to take action to prevent it breaching regulatory threshold requirements or to limit activities appropriately. In addition to the above, the PRA’s PIF requires supervisors to assess at least annually (and in response to development) each firm’s proximity to failure and sets out expectations for the supervisor’s responses at each of five stages.56 |
| EC 4 | The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. |
| Description and findings re EC 4 | The PRA’s power under S55M to impose requirement may be used to impose more stringent prudential limits upon banks. The FCA has a parallel power to impose requirements under S55L; however, in dual-authorized firms for which the PRA is the prudential supervisor, the FCA applies requirements related to conduct. The PRA or the FCA may require corrective action to be taken, impose requirements, withhold approval of new activities or acquisitions, or all other responses enumerated in EC 4. |
| EC 5 | The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. |
| Description and findings re EC 5 | The PRA and FCA may apply sanctions to individual approved persons, including those within a firm performing a SIF, where they breach FCA or PRA rules of conduct or are knowingly involved in a breach by the firm of the PRA or FCA’s rules or requirements. Sanctions may include making public statement of the misconduct; imposition of fines; and suspension from performing their approved functions. Where the PRA or the FCA considers that a person is not “fit and proper” to carry out functions in a regulated firm, it may withdraw the person’s approval to do so, or prohibit the individual from carrying out any functions in a firm for such period as it considers suitable. |
| EC 6 | The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. |
| Description and findings re EC 6 | The PRA may use its powers to impose requirements on authorized firms under S55M to ring-fence the authorized entity from parents, subsidiaries, parallel-owned banking structures, and other related entities. Use of this power would, of course, be subject to EU law. The FCA may impose requirements under S55L FSMA 2000. Both supervisors may also direct U.K. parent undertakings to take certain steps, under S192C. |
| EC 7 | The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). |
| Description and findings re EC 7 | The PRA is responsible for determining that a banking institution is failing, or likely to fail, its Threshold Conditions. The BoE, following consultation with the PRA and others, is responsible for determining that it is not reasonably likely that action will be taken by or in respect of the institution that will enable the institution to meet those conditions. This situation opens up the possibility for the BoE to use the resolution process set out in the Banking Act 2009. See also the discussion of the resolution process under BCP 8, Supervisory Approach, for additional insight into the coordination that takes place between the PRA and the RD of the BoE. |
| Additional criteria | |
| AC1 | Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. |
| Description and findings re AC1 | S2B of FSMA 2000 sets out the PRA’s general objective to promote the safety and soundness of PRA authorized persons. S2B(3) of FSMA 2000 provides that this is to be achieved primarily by seeking to ensure that the business of PRA-authorized persons is carried on in a way that avoids any adverse impact on the stability of the U.K. financial system and by seeking to minimize the adverse effect that the failure of a PRA-authorized person could be expected to have on the stability of the U.K. financial system. These provisions have the cumulative effect of requiring supervisors to take corrective action in an appropriate and timely manner. The PRA’s PIF process sets out the key steps that should be taken to ensure a timely response. FSMA 2000 additionally provides for the possibility of independent inquiries into the PRA’s actions in certain circumstances, in particular, should it appear that events had occurred which had, or could have had, a significant adverse effect on the safety and soundness of one or more PRA-Authorized. Such inquiries may be triggered by HMT or by the PRA itself. |
| AC2 | When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. |
| Description and findings re AC2 | FSMA 2000 requires the PRA to consult the FCA (and in certain circumstances to obtain its consent) in a variety of regulatory contexts, including when authorizing a firm or approving an individual (FCA consent required); imposing a requirement or variation of permission (consultation required); making rules (consultation required); and taking disciplinary action against a firm or an individual (consultation required). |
| Assessment of Principle 11 | Compliant |
| Comments | The PRA and FCA have the tools necessary to require corrective actions of firms or to issue sanctions. If a firm appears to be in breach of a Threshold Condition, or is likely to breach a Threshold Condition, U.K. supervisors can impose requirements on the firm or vary its permissions. Generally the firm will be given an opportunity to take corrective action, but should the firm fail to do so, the PRA will consider (among other options) whether to trigger the first step toward beginning the resolution process articulated in the Banking Act 2009. In the prior (2013) FSAP, U.K. authorities received a recommendation that more proactive use of such tools would be aided by the development of a more formal early intervention framework. The creation of the PRA’s PIF, with five explicitly defined stages, provides U.K. supervisors with a more formal process and a supervisory tool that describe steps supervisors—and the RD of the BoE—must take as a firm’s condition deteriorates. |
| Principle 12 | Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.57 |
| Essential criteria | |
| EC 1 | The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks may jeopardize the safety and soundness of the bank and the banking system. |
| Description and findings re EC 1 | Arts. 97–98 of CRD determines the SREP, and establish that supervisors need to understand the risks the institutions are exposed to and the risks the institution poses to the financial system. There are no specific requirements concerning the supervisory review of the structure of the group and risks brought by nonbanking activities and group-wide management. The 2014 EBA Guidelines on common procedures and methodologies for SREP recommends supervisors include in their SREP process an evaluation that the banks have established an effective group-wide MI and reporting system applicable to all material business lines and legal entities, that the management bank has established consistent group-wide strategies including a risk-appetite framework; and that group risk-management covers all material risks regardless of whether the risk arises from entities not subject to consolidation. PRA To understand the overall structure of banking groups, and to ensure its familiarity with all material activities conducted by entities within wider groups, the PRA relies on a combination of CA—meetings with key control functions and which oversees overseas regional and country heads supervisory colleges, and bilateral contact with overseas regulators—and onsite reviews of selected overseas operations (see EC 4 below). The PRA monitors the contribution of all business lines (including nonbanking activities) to the consolidated financial performance and risk profile of the bank. Supervisors conduct thematic reviews of nonbanking activities, e.g., custody services. U.K.-regulated insurance activities within banking groups are supervised by a separate supervisory team in the PRA’s Insurance Department. To understand and assess group-wide risks, each high-impact banking group has a dedicated PRA supervision team. These teams carries out a CA program to assesses and respond to the risks posed by the group to the PRA’s objectives. Supervisory activities are organized around the PRA risk model (see BCPs 8 and 9). The SREP takes place in accordance with the CRD and the 2014 EBA ‘Guidelines on Common Procedures and Methodologies for SREP.’ For U.K. banks with activities elsewhere in the EEA, this involves a joint risk assessment and decision (JRAD) process, as required by CRD. Matters on which the CRD encourages joint decision include ratings of risk management, agreement on Pillar 2 capital add-ons, liquidity and recovery plans. As consolidating supervisor, the PRA collates input from host regulators and coordinates discussions and approval processes. The PRA tests the resilience of major banks’ capital ratios through its annual CST exercise. The 2015 stress test scenario includes greater stress in the locations and market segments where major U.K. international banks are active, in order to test the risks of contagion from international operations and markets activities to the U.K.-based groups. PRA supervisors have regular dialogue with the FCA on conduct-related matters, as these could affect safety and soundness through direct financial impact of fines or redress, through business restrictions or through reputational risk. In addition, PRA and FCA regularly conduct joint thematic reviews; current examples include ‘CBEST’ (a cyber vulnerability testing framework) and ‘Dear Chairman 2’ (a critical infrastructure and technology resilience exercise). As discussed in EC 6 (below), the PRA has implemented on several occasions ‘supervisory ring-fences’ or ‘specific supervisory measures’ in order to mitigate risks to safety and soundness of U.K. subsidiaries arising from other entities within the group. Other actions taken by PRA supervisors where contagion and reputation risks jeopardize the safety and soundness of the bank or of the banking system include monitoring daily liquidity of the entity, requiring regular updates from the firm and asking for notification before external announcements are made. The PRA may establish internal crisis groups encompassing relevant stakeholders from across the BoE. For instance, crisis groups may include relevant supervision directorates, markets directorate, legal directorate, prudential policy directorate and the RD. Crisis groups may also include the FCA. PRA supervisors will liaise closely with relevant international regulators, usually via supervisory college arrangements. FCA The FCA seeks to understand the structure of a banking group and the entities within it where risks to consumers and to market integrity may arise. The FCA’s supervision is not confined to the main bank within a group but instead covers all material business units and legal entities where these risks arise. This includes understanding how these risks are identified and managed across the group. It also includes periodically quantifying and making the PRA aware of the financial impact of redress and remediation exercises across the group, and where possible likely fines. The FCA communicates with the PRA regarding financial redress and remediation exercises in a number of ways, including:
|
| EC 2 | The supervisor imposes prudential standards and collects and analyzes financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, LE, and exposures to related parties, lending limits and group structure. |
| Description and findings re EC 2 | Art. 436 of CRR states that banks must disclose “an outline of the differences in the basis of consolidation for accounting and prudential purposes, with a brief description of the entities therein, explaining whether they are:
Prudential standards established by the CRD are imposed at different levels of consolidation:
CRR Art. 6 (1) states that: Parts 2 (Own Funds), 3 (Capital Requirements), 4 (LE), 5 ((Exposures to Transferred Risk); and 8 (Disclosure) are to be complied with on individual basis. CRR 6(4) applies Part 6 (Liquidity) on an individual basis and CRR 6(5) applies Part 7 (Leverage) on an individual basis. CRR 6(3) alters individual disclosure requirements for institutions that are part of consolidation groups. In addition, “parent institutions”58 must comply, on a consolidated basis, with Part 2 (Own Funds), 3 (Capital Requirements), 4 (LE), and 7 (Leverage) under CRR Art. 11(1) and with Part 6 (Liquidity) under CRR 11(3). Institutions controlled by a parent FHC or parent MFHC must comply, on a consolidated basis of the parent FHC or MFHC in a MS, with requirements on Part 2 (own funds), Part 3 (capital requirements), and Part 4 (LE) and Part 7 (leverage) under CRR 11(2) and with Part 6 (liquidity) under CRR 11(3). Consolidated financial statements are defined by the accounting standards. A NCA may require an institution to provide information on a consolidated basis if it its “necessary to obtain a comprehensive view of the risk profile of the activities of, and a view of the systemic risks to the financial sector or the real economy posed by” the institution, after consultation with EBA (CRR Art. 99), institutions other than those referred to in paras. 2 and 3 that are subject to an accounting framework based on Directive 86/635/EEC, the competent authority shall consult EBA on the extension of the reporting requirements of financial information on a consolidated basis to those institutions, provided that they are not already reporting on such a basis The PRA imposes prudential requirements on a consolidated basis for all U.K. consolidated banking groups, including U.K. subgroups that are parts of wider non-U.K. banking groups, in accordance with Art. 11 of the CRR. In addition, the PRA also imposes prudential requirements for all PRA-authorized entities on an individual (solo) basis in accordance with CRR Art. 6. Under CRR Art. 11(2), credit institutions and investment firms that are controlled by a parent holding company are required to comply with regulations on own funds, capital requirements, LE (which encompass lending limits) and Leverage on the basis of the consolidated situation of their parent holding company. The PRA has specific national rules on related parties transactions risks (PRA Rulebook RPS) (see BCP 20). These rules apply to U.K. banks, building societies and certain overseas firms. It is a function of the rules that all of a bank’s affiliates and their related parties, and therefore all members of its group, are covered by them. On-going reforms to implement the proposals of the independent commission on banking will affect group structure. In May 2015, the PRA issued Policy Statement (PS10/15), which covered legal structure arrangements of banking groups subject to ring-fencing; governance arrangements of ring-fenced bodies; and arrangements to ensure continuity of services and facilities to ring-fenced bodies. The U.K. government has stated its intention for ring-fencing to take effect from January 1, 2019. The PRA collects information on both a consolidated and solo basis for most of the areas discussed in this EC in accordance with the CRR and the EBA ITS on reporting (Commission Implementing Regulation (EU) No 680/2014). The CRR establishes reporting requirements for own funds (Arts. 99–101), for LE (Arts. 394), for liquid assets (Arts. 415–416), for stable funding (Arts. 427–428) and for leverage in (Art. 430). The PRA collects information on capital through COREP template COR001. This template also contains information on group structure, including the entities within banking groups. The PRA collects information on LE through COR002; on the net stable funding ratio through COR003 and on the LCR through COR004. The PRA also collects information via reporting systems developed at the U.K. level. It receives additional capital adequacy information via its “Capital+” reporting template, containing information on groups’ capital resources and capital requirements. This includes quarterly forecasts for three years ahead as well as well as data pertaining to the actual financial situation of the reporting group. For Category 1 groups, this data is received monthly after 10 working days, generally on a U.K. consolidation group basis. Less significant groups report this information less frequently, also on a U.K. consolidation group basis. The rules on related parties transaction risk (PRA Rulebook RPS) require firms to provide the PRA with details on aggregate exposures to related parties, if requested by the PRA (see BCP 20). Information on group structure is provided in accordance with PRA Handbook (SUP 16.4–6). This sets out requirements for reporting in relation to annual controllers reports, close links reports and organograms. CRR Arts. 7 and 8 allow derogations on the provision of information on an individual basis. The PRA does not ‘switch off’ regulatory requirements for individual banks as provided for in CRR Art. 7. Thus it does not allow derogations from individual entity reporting requirements under CRR Art. 7. CRR Art. 8 refers to derogation to the application of liquidity requirements on an individual basis. Supervisors routinely analyze the data mentioned above in order to inform their assessment of the risks posed to the safety and soundness of the bank. Supervisors review a firm’s regulatory returns and MI as regularly as it is received. For example, capital returns are received and reviewed monthly. Supervisors review banks’ regulatory returns to ensure that the firm is continuing to meet regulatory requirements. Supervisors look to identify any material deviations from the firm’s annual operating plan and any large variances versus the prior period. MI includes Board packs (e.g., group Board, regional Boards, risk committee, audit committee, asset & liability committee), financial information (performance versus plan, annual operating plan, ICAAP) and risk data (e.g., credit risk and market risk). Supervisors use this data to inform their view of the firm and to support meetings with senior management. Supervisors will ask for more granular MI in areas deemed to be higher risk. |
| EC 3 | The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. |
| Description and findings re EC 3 | To ensure that the management body of a U.K. bank is monitoring activities of overseas businesses, PRA supervisors rely on a combination of CA meetings (both with senior management at the parent bank and with overseas regional and country heads); supervisory colleges and bilateral contact with overseas regulators; and onsite reviews of selected overseas operations (see EC 4 below). This allows supervisors to determine whether there are any hindrances in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries, and whether local management has the appropriate expertise to manage its respective business in a safe and sound manner. When a bank operates in foreign markets as a branch of a U.K. bank, ultimate responsibility for cross-border operations and the strategic direction of the branch lies with the management body of the U.K. bank. The PRA expects overseas branches of U.K. banks to have in place governance and risk-management processes and policies on a par with those established by the management body of the U.K. bank (see BCPs 14 and 15, below, for more detail). When supervisors review a bank’s overseas entities, they will often consider the governance of the entity as part of their overall review. For instance, a review of the risk-management and controls of an overseas entity may include a review of whether the governance is appropriate and whether the escalation chain up to the group is effective. In cases where an overseas branch constitutes a ‘significant business unit,’ as expressed in the PRA Handbook (SUP 10A.9.5 G), responsibility for managing this unit can be allocated to a senior manager within the branch. Under the APR, the senior manager would have to be pre-approved by the FCA for performing Controlled Function (CF) 29: Significant Management Function. In order to be granted approval, the candidate must fulfill the fitness and propriety criteria of the FCA, as expressed in FIT 1.3. An important consideration in assessing the fitness and propriety of an individual is their competence and capability, as demonstrated by their professional experience and training. In July 2015, the PRA published final rules on a SMR that replaced the current APR (see BCP 14). Under the SMR, senior managers directly responsible for a ‘key business area’ would have to be pre-approved to perform senior management function (SMF) 6: head of key business area. A large branch may meet the conditions for key business area (although the PRA expects this would be quite rare). For an individual to become a head of key business area, the firm must ensure that the individual is fit and proper and capable of carrying out this SMF. The preapproval process can also involve an interview with the supervisor. Since its establishment, the PRA has embarked on a new work program (with reference to the assessments that were carried out by its predecessor organization, the FSA) of carrying out Home Country Equivalence Assessments that are submitted to the PRA’s Equivalence Committee for consideration. The Committee has identified a list of priority jurisdictions to be assessed. Assessments consider a jurisdiction’s compliance/observance with the Basel, IAIS, and IOSCO CP, as set out mainly in the IMF’s detailed assessment reports. Due, however, to the fact that the PRA’s own program of equivalence assessments does not always coincide with those of the publication of the FSAP (and other, e.g., RCAP) reports, especially when these are more than 2 years old since publication, this can result in the PRA reaching a ‘not equivalent’ or ‘partially equivalent’ equivalence determination. When the PRA cannot reach an equivalence determination due to the lack of recent reports (such as FSAP, RCAP, FSB peer review, etc.) it seeks to review the determination decision as quickly as possible, once more up-to-date information has been published. |
| EC 4 | The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. |
| Description and findings re EC 4 | CRD Title VII, Chapter 3, establishes the principles of coordination between home and host supervisors within the EU. EBA issued in 2013 (ITS) on joint decisions on institution-specific prudential requirements, which need to be reached by the consolidating supervisor and NCAs responsible for the subsidiaries, setting common procedures and templates. In addition, there are EBA guidelines on “joint Assessment of the elements covered by the SREP.” Art. 104 of CRD states that supervisors must have the power to require additional reporting and disclosures. The PRA conducts onsite visits of the foreign operations of U.K. consolidated banking groups. The choice of country visits is based on the business model analysis’ of banks’ annual operating plans, identification of operations with identified risks, and operations targeted for strategic investment and growth. In the past two years, the PRA supervision team for a large U.K. consolidated international banking group conducted onsite reviews in eight countries. When the PRA conducts onsite visits overseas, it first contacts the host regulators and invites them to join the onsite visits and to have meetings with PRA supervisors. The PRA also participates in joint reviews with other supervisors. This can involve PRA staff participating in host authorities’ reviews of U.K. banking groups’ foreign operations. The PRA does not have an explicit policy for assessing whether it needs to conduct onsite exams of a bank’s foreign operations. However, such guidance is implicit in the PSM guidance (see EC 8). PRA supervisors regularly issue ad-hoc reporting requests in response to new identified risks, including risks in foreign operations. For example, in recent years supervisors have started to collect quarterly information on large banks’ exposures (in-country and cross-border) to vulnerable euro area peripheral economies. The PRA has also regularly asked firms to conduct bespoke risk assessments, including exposures data, in respect of emerging geo-political risks. The scope of the FCA’s responsibilities for foreign operations is more limited than the PRA’s but the FCA has visited banks’ overseas operations where appropriate, including in relation to financial crime. |
| EC 5 | The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. |
| Description and findings re EC 5 | The PRA supervises large complex groups on a consolidated basis, even where the holding company is technically not a regulated legal entity. The PRA interprets its APR (and the SMR) to include directors of holding companies that have significant influence over the U.K. regulated entity, and subjects them to regulatory approval requirements. As part of the consolidated supervision of banks, the PRA is aware and has thorough knowledge of the activities carried out by parent companies and companies affiliated with parent companies. Where parent companies and their affiliates are ‘credit institutions’ or ‘investment firms’ (as defined Art. 4 of CRR), they are supervised under the CRD IV and required to comply with general prudential requirements specified in the CRD IV/CRR. CRR does not apply directly to parent companies that are holding companies, although they are included in CRR consolidation groups. The Financial Services Act 2012 gave the PRA and the FCA two new powers over ‘qualifying parent undertakings,’ i.e., U.K.-based parent companies of U.K.-authorized entities, which are not themselves authorized entities (see FSMA S192C and S192J). These powers are: (i) a power to give directions to individual qualifying parent undertakings, requiring them to take specific actions or to refrain from taking specific actions; and (ii) a power to make rules requiring qualifying parent undertakings to provide to either regulator information and documents of a specified description. The latter rule making power was extended by the Financial Services (Banking Reform) Act 2013 to include the ability to make rules applying to parent undertakings or ring-fenced bodies that are necessary or expedient for ring-fencing and the ability to make rules requiring parent undertakings to facilitate resolution, which may include (but is not limited to) requiring a parent institution to issue debt instruments and to provide services and facilities as necessary to enable a subsidiary or transferee to operate the business in a resolution scenario. EC 6 (below) discusses the supervisory actions the PRA takes when activities of parent companies or subsidiaries of parent companies have a material impact on the safety and soundness of a bank. |
| EC 6 | The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that:
|
| Description and findings re EC 6 | Under the FSMA 2000, as amended by the Financial Services Act 2012, the PRA has the power to require regulated entities to take action as appropriate in certain conditions. This includes powers to disallow unsuitable persons to control the regulated entity, ring-fencing of assets, imposing requirements on a regulated entity to refrain from acting in a particular way or to take specific actions as may be appropriate in the circumstances. Specifically, S55J FSMA enables the PRA to vary or cancel the permissions of PRA authorized entities to carry on regulated activities (‘Part 4A permissions’) if:
S55M FSMA further enables the PRA to impose requirements on entities that have applied to be granted or to change their permissions. Under S55N FSMA, requirements may be imposed by reference to the entities’ relationship with their group or other members of the person’s group. The PRA’s powers therefore enable it to limit the range of activities of consolidated groups, and the location where those activities are conducted, albeit indirectly via restrictions on the individual entities within those groups. As discussed in relation to EC 5 above, the PRA also has specific powers to intervene directly at the holding company level so as to have influence over the activities of unregulated entities which may be adversely affecting the firm. Regarding EC 6 (b), before a non-EEA branch or subsidiary is allowed to operate in the U.K., the PRA will consider the degree of equivalence that the entity’s home state’s supervisory regime has with the U.K. (and including with the EU Single Market Directives), to determine the reliance that the PRA can place on it. From this, the PRA will decide the type of entity (branch or subsidiary) that is permitted to operate in the U.K., the activities that it can participate in and the PRA’s own supervisory approach to the firm in question (see EC 3 above). Equivalence assessments will also determine the extent to which the PRA relies on ‘host’ supervisors in non-EEA jurisdictions where U.K.-authorized firms have established branches or subsidiaries. The PRA has implemented on several occasions ‘supervisory ring-fences’ or ‘specific supervisory measures’ in order to mitigate risks to safety and soundness of U.K. subsidiaries arising from risks created at their parents’ level. Such restrictions have been imposed in various cases including: cases of overseas parent becoming insolvent while group and U.K. banking subsidiary remains solvent on a consolidated basis; cases of foreign parent under threat of bank run or severe financial stress while U.K. subsidiary remains stable; cases of foreign parent facing risks of severe downgrade in capital quality while subsidiary remains financially healthy. These supervisory measures usually include restrictions on upstreaming of liquidity and capital from the subsidiary to the parent or other parts of the group and sometimes restrictions on intragroup LE limits below the usual limit (25 percent of eligible capital). These measures are normally agreed with the subsidiary which submits an application to implement the requirement on a voluntary basis. |
| EC 7 | In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.59 |
| Description and findings re EC 7 | All institutions are to be supervised and comply with all requirements both on solo and consolidated basis, unless there are waivers applied based on CRR Arts. 7–10. In case of cross-border groups, all entities subject to minimum capital requirements and supervision are covered in the Group risk assessment report and joint decision under Art. 113 of CRD and pursuant to the requirements of the EBA ITS on joint decision. In addition to supervising on a consolidated basis, the PRA carries out individual (‘solo’) supervision of all institutions in accordance with CRR Art. 6. Banks must comply with CRR regulations on own funds, capital requirements, LE, exposures to transferred credit risk, liquidity, leverage, and disclosure (where not part of a consolidation group) on an individual basis. The PRA has not exercised the discretion available to it under Art. 7 of the CRR to switch off solo prudential requirements. Where entities are subject to individual supervision, they are required to deduct from their capital their ownership shares in other financial sector entities. Art. 43 of the CRR requires institutions to deduct from their CET1 ‘significant’ investments in the CET1 of financial sector entities. Significant investments, defined in accordance with that article are ownership shares in excess of 10 percent of the CET1 of the entity in question; ownership shares in entities that have ‘close links’ to the entity owning shares; or investments in the CET1 of entities that are not included in the regulatory scope of consolidation but are included in the accounting scope of consolidation. Experience has shown that capital located elsewhere in a group cannot always be relied upon to be available to a bank facing stress. To address this issue (among other things), and so improve the resolvability of the individual firms, the PRA has exercised discretion under CRR Art. 49(2) to deduct from their own capital holdings of capital instruments issued by financial sector entities that are included in the scope of that institutions’ regulatory consolidation group. This is to ensure that capital is located in the regulated entities where it is needed. Supervising U.K. banking groups at both consolidated and solo levels enables supervision teams to understand the relationship between the bank and other members of the group, for instance, in terms of capital, liquidity, strategy, governance, and recovery and resolution planning. Supervision teams for U.K. banking groups are structured so that they cover both the consolidated group and the main U.K. regulated entity within the group (including the domestic and European branches and subsidiaries of that entity). |
| Additional criteria | |
| AC1 | For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies. |
| Description and findings re AC1 | Under S178 FSMA 2000 the PRA and the FCA have the power to prevent the acquisition of a U.K. bank if they are not satisfied with the fitness and propriety of the owner of the parent company. In considering the suitability of an acquirer, the PRA and FCA will consider the criteria specified in S186 FSMA 2000, which includes among other things: reputation, experience, and financial soundness. If the composition of the Board of the parent undertaking changes subsequent to approval being granted, the PRA or FCA may determine that the parent undertaking no longer fulfils the assessment criteria of S186 FSMA 2000. In such a case, then the PRA or FCA can object to the acquisition and require the parent entity to sell shares of the U.K. bank. These powers are complemented by a separate regime focused on individuals from parent entities that are actually involved in the running of the bank. As explained in the Handbook SUP 10B.6.1. R, a person who is a director, partner, officer or member of a parent undertaking or holding company of a U.K. bank and whose decisions or actions are regularly taken into account by the governing body of the bank can be brought into the scope of the APR as performing a ‘CF1: Director function.’ Nonexecutive members of a parent undertaking or holding company whose decisions or actions are regularly taken into account by the governing body of the bank, as per SUP 10B.6.3, may be brought into the scope of the regime as performing a ‘CF2: NED function.’ Individuals performing either CF1 or CF2 need to apply for pre-approval by the PRA, and, hence, fulfill the fitness and propriety criteria. Moreover, individual sanctioning powers and fines can apply in the case where individuals are approved by the PRA. As discussed in EC 2, the PRA issued final rules on a new SMR in July 2015. Under the SMR, individuals that qualify as performing CF1 and CF2 functions need to apply for approval for SMF7: Group Entity Senior Manager. |
| Assessment of Principle 12 | Compliant |
| Comments | The U.K. authorities supervise banking groups on a consolidated basis, covering all entities within the consolidated group for U.K. firms and at subconsolidated level for U.K. subgroups of wider global groups. Prudential standards established by the CRD are imposed at different levels of consolidation. Supervisors routinely analyze information collected on both a consolidated and solo basis in order to inform their assessment of the risks posed to the safety and soundness of the banking groups. |
| Principle 13 | Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. |
| Essential criteria | |
| EC 1 | The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. |
| Description and findings re EC 1 | EU-wide legislation and guidance on home-host relationships:
The CRR and CRD provide for different scopes of consolidated supervision:
RTS and ITS on operational functioning of colleges (finalized by EBA and submitted to the EC) set the rules for the establishment and functioning of colleges, including (Art. 4(1) of the RTS) the requirement that the consolidating supervisor proposes college membership to “the competent authorities responsible for the supervision of subsidiaries of an EU parent institution or of an EU parent FHC or of an EU parent MFHC and the competent authorities of host MSs where significant branches as [..] are established.” Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular to ensure adequate exchange of information. PRA home perspective The PRA has well-established bank-specific supervisory colleges for the four U.K. banking groups with material cross-border operations (HSBC, SCB, Barclays, and RBS). For one of these, the host authorities of two countries where the group has significant branches participate in the college. For U.K. banking groups with international operations that are not material, the PRA has conferred with EBA and potential college members to agree that college arrangements are not needed; however, it relies on MoUs or EoLs as a support for information sharing and cooperation with relevant host supervisors. The PRA reviews the membership of colleges annually, based on the firm data on the size of business activities in different jurisdictions, and taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. For the largest banks there are multiple colleges:
PRA host perspective For U.K. subsidiaries of EEA groups, European law requires that the PRA be invited by the consolidating European supervisor to participate in college activities and it is involved in joint decisions on prudential and recovery and resolution decisions concerning the subsidiary and the group (Arts. 113 and 116(6) of CRD4; see also the draft Art. 4 of EBA/RTS/2014/16). For significant U.K. branches of EEA banks, the PRA uses criteria set out in the PRA SS 10/14 as a basis for judging whether a branch has a critical economic function (CEF). Where a branch carries out a CEF, the PRA contacts the consolidating supervisor to inform him/her that it considers the branch as ‘significant’ under European law (CRD IV) provisions. Once agreed by the consolidating supervisor—or, in the case of nonagreement, once the branch is designated ‘significant’ on a unilateral basis by the PRA (as allowed provided for under Art. 51 and 116(6) of CRD IV—the consolidating supervisor is required to invite the PRA to become a member of the college to participate in entity and group risk discussions (and recovery and resolution planning to the extent it is relevant to the branch/host). At the time of the assessment, the U.K. authorities participated in 10 supervisory colleges of banks with significant branches in the U.K. For U.K. branches on non-EEA banks, the PRA follows SS 10/14 to determine whether the branch is outside risk appetite and would not be allowed to operate as a branch in the U.K. The risk appetite is formalized in a decision tree, in which the first check is whether the home state’s supervision is deemed sufficiently equivalent: if not, the branch is considered outside risk appetite, otherwise the PRA verifies whether the home state supervisor accepts responsibility for the branch. In case it does, if the branch of a non-EEA bank contains a CEF, then in addition to the equivalence and responsibility conditions, the PRA requires a high level of assurance over resolution for the branch to remain inside risk appetite and to follow the agreed split of responsibilities between home and host states. The PRA is currently undertaking these assessments on U.S. branches on a case-by-case basis. For non-EEA banks more generally, where the PRA is deemed a significant regulator by the home state regulator, or make requests to be invited, the PRA attends an annual supervisory college and a crisis-management college. The PRA is responsible for establishing and coordinating supervisory colleges for banking groups but the FCA is invited to participate where conduct issues, including financial crime, are relevant. The FCA has attended colleges for the major internationally active U.K. banks, including where appropriate attending colleges held overseas. |
| EC 2 | Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group60 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. |
| Description and findings re EC 2 | Art. 50 of CRD requires competent authorities of the members states to supply one another with all information on management and ownership of the institutions they supervise and all information useful to facilitate their monitoring, particularly with regard to liquidity, solvency, deposit guarantee, LE, administrative and accounting procedures, internal control mechanisms, and other factors that may influence the systemic risk posed by such institutions. Art. 51 of CRD states the conditions and procedures for the identification of a branch in a MS of a EU bank or banking group as ‘significant,’ the obligations on the home or consolidated supervisor to communicate to or consult with the host supervisor and to establish a college of supervisors. Art. 116 of CRD requires the consolidating supervisor, EBA, and the other competent authorities to exchange information (also of confidential nature, when needed) between each other and with EBA, within appropriate frameworks established by the colleges of supervisors. EBA RTS and ITS on information exchange between home and host competent authorities specify the kind of information that supervisory authorities are required to share, including:
Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular, to ensure adequate exchange of information. PRA home perspective In order to facilitate timely sharing of information, the PRA schedules regular college teleconferences between college meetings, both with the core and general college. Such teleconferences are also scheduled prior to the disclosures of market-sensitive supervisory outcomes, such as the EBA and PRA stress test results. Both the banks, the PRA and host regulators share information openly in the college setting. When setting the agenda for college meetings and teleconferences, the PRA consults with host regulators to identify their areas of interest and concern, and prepares (and asks the firm to prepare) presentations to address these concerns. College updates from PRA and host supervisors include information on the material risks and risk-management practices of the banking group, and each supervisor’s assessment of the safety and soundness of the entity/entities that they supervise. In recent years, the JRAD process, guided by the EBA, has provided an increasingly structured framework and process for home and host authorities to share confidential supervisory information about risks, the quality of risk management, capital, and liquidity and in 2015 also recovery plans. The PRA as home regulator compiles input of detailed SREP scores, Pillar 2 add-ons and risk assessment narratives from all EEA-competent authorities and from non-EEA regulators of significant entities, and then drafts a JRAD risk assessment document and individual capital/liquidity guidance letter for discussion, amendment, and approval by the EEA-competent authorities in the college. MOUs are in place with most of the host regulators in the core colleges where the United Kingdom is consolidating supervisor. EA regulators within the General Colleges are covered by EU confidentiality rules and information-sharing gateways. In those instances where MoUs have not yet been completed with all regulators, the PRA either obtains written consent from the firm and other regulators to allow information sharing at that college meeting, or (for global colleges) avoids sharing supervisory confidential information and leave it for the bank to present on its risk profile. PRA host perspective The PRA follows in full all European legislative requirements establishing information to be exchanged with home authorities and other host authorities within the college. This includes details on material risks and risk-management practices through EBA JRAD templates covering all material risk elements. This information is provided to all members of the college, including host supervisors of branches where the branch has been designated as ‘significant’ or where the host supervisor of the branch has been invited as an observer. Where the PRA is host to an EEA branch and it is not part of the college, it will receive information through a specific EBA template (the forthcoming branch information pack—EBA/RTS/2013/10 to be rolled out from April 2016) that outlines basic prudential solvency and liquidity information at a group level, but does not provide detail on the supervisory assessment of material risks or risk-management practices. Prior to this, the PRA received a branch report and relevant information from the home authority, if requested. The PRA supplements this with information provided by the home supervisor in bi-annual calls, when the home supervisor is willing to provide this. The PRA’s ability to exchange confidential information with non-EEA regulators is restricted primarily by S348 and S349 of FSMA 2000 and regulations made by HMT under that section. The regime implements EU Directive requirements. The PRA is required to satisfy itself that there is a legal gateway to share confidential information. This involves assessing whether the professional secrecy laws applicable to the relevant non-EEA supervisor are at least equivalent to those imposed on the PRA by European Directives. In addition to this ‘equivalence’ assessment, the PRA also applies two additional criteria to determine whether to establish a formal MoU:
When the PRA is satisfied that the three criteria are met, it is in a position to enter into a formal MoU with the relevant non-EEA supervisor. The PRA’s policy is to publish its MoUs. They can be found on http://www.bankofengland.co.uk/about/Pages/mous/default.aspx. For other countries, the PRA’s policy is to engage with the relevant supervisor under the home-host framework. The PRA establishes informal supervisory arrangements to share nonconfidential information and agree the key issues and responsibilities for each supervisor. In either case, the confidentiality safeguards provided under FSMA incorporate the requirements of professional secrecy contained in the EU Directives. In addition, under S169(7), the PRA can permit a representative of an overseas regulator to attend and participate in an interview conducted, using the PRA’s investigative powers, on behalf of the overseas regulator. S169(8) requires the PRA to be satisfied that confidential information disclosed in the course of the interview be subject to confidentiality safeguards equivalent to those provided under FSMA 2000. Where the framework is in place to allow the sharing of confidential information, the PRA will share details on their assessment of the safety and soundness of the relevant entity, as well as the material risks and risk-management practices. The PRA also utilizes frequent formal calls with the home state supervisors to share knowledge and views. The assessors reviewed some JRADs and a presentation by the PRA—in its capacity as host supervisor—at both a EU and non-EU supervisory college. |
| EC 3 | Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. |
| Description and findings re EC 3 | EU-wide legislation on home-host relationships:
EBA RTS and ITS on operational functioning of colleges contain provisions on information exchange and coordination between the consolidating supervisor and college members for a number of tasks: for performing group risk assessments and reaching joint decisions; with regard to the ongoing review of the permission to use internal approaches and non-material extensions or changes in internal models; on early warning signs, potential risks and vulnerabilities; with regard to non-compliance and sanctions; for the assessment of the group recovery plan; for the assessment of the group recovery plan; and with regard to group financial support agreements. PRA home perspective Core college meetings include as a standing item an update from each supervisory agency on its supervisory work program. This provides visibility between home and host supervisors and allows for identification of areas of shared focus/concern (and potential duplication), opportunities for information sharing, coordination and even joint supervisory activities, and for adjusting planned JRAD timetables and supervisory work plans to be able to incorporate more timely supervisory insights. Within the EU colleges, the JRAD process has resulted in greater collaboration and information sharing. PRA has participated in onsite supervisory reviews led by overseas host regulators, joint reviews of off-shored service centres and collaborated with local regulators on AQRs. PRA host perspective Arts. 112 and 117 of CRDIV require that home and host supervisors coordinate and plan supervisory activities. For non-EEA subs and branches, the PRA consistently undertakes joint working with the home state supervisors where either U.K. activities have a meaningful impact on the group (financial or people resources), or alternatively, the activities in the U.K. constitute a CEF. The PRA sets out in SS 10/14 the split of prudential supervisory activities with the Home State Supervisor in the case of the U.K. branch of a non-EEA bank. The PRA’s focus is specifically on any CEFs carried out by the branch, and its interconnectivity to U.K. financial stability. The assessors reviewed recent example of collaborative work with supervisors within and outside of the EU. FCA Where appropriate, the FCA co-ordinates supervisory activity and works collaboratively with other supervisors. For example, the Federal Reserve Bank has an interest in a major U.K. bank’s efforts to strengthen its AML controls both in the U.S. and globally. The FCA has therefore in the interests of efficiency co-ordinated with them to join some of the meetings which they have held with the bank and, to the extent permissible by law; both supervisors have exchanged information regarding the findings of supervisory reviews. |
| EC 4 | The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. |
| Description and findings re EC 4 | EU-wide legislation on home-host relationships:
Art. 48 of CRD entitles the EC to draft proposal (to be then submitted to the European Council) for the negotiation of agreements with one or more third (i.e., non-EU) countries regarding the means of exercising supervision on a consolidated basis, in particular, to ensure adequate exchange of information. PRA home perspective The PRA as home supervisor coordinates communication on behalf of the college to the U.K.-regulated banking group. This includes sending information requests for bank inputs into JRAD (where applicable), commissioning bank presentations to the supervisory colleges (to address agreed key risks and concerns raised by host regulators), communicating feedback from the college members (on supervisory views, areas of concern, and quality of firm presentations) to the bank, and formally communicating JRAD outcomes to the bank. While individual bank colleges may not formally have an agreed a communication strategy, the JRAD processes have provided an increasingly structured framework for colleges to reach a share view about an widening range of supervisory issues and for agreeing a coordinated communication to the banking group and its regulated entities. While non-EEA regulators are formally only observers for the JRAD, and can only be asked to provide inputs on a voluntary basis, the PRA seeks to fully reflect their views for banks with material operations outside the EEA. For U.K. banks with non-EEA colleges, the PRA summarized the views of the college, agrees this with college members, and provides feedback to the bank. In case of joint reviews the PRA participates in the writing of the final report and input into the letter or final communication to the firm. Given the absence of a formal framework for specific joint supervisory reviews (outside of the prescribed JRADs) input into bilateral joint work is typically provided on an informal basis with either the PRA or the host regulator formally leading the review and validating findings through their internal governance process. FCA The formal communication of issues arising from international colleges is led by the PRA, with input from the FCA; but the FCA has developed channels of communication with overseas regulators on matters relating to conduct where there is a shared interest, where appropriate. |
| EC 5 | Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. |
| Description and findings re EC 5 | EU-wide legislation on home-host relationships:
PRA home perspective As a home regulator, the PRA and the RD of the BoE establish cross-border CMGs for U.K.-based internationally active banks. These CMGs are used to review the resolvability of individual U.K. banking groups within the FSB resolvability assessment process (RAP) Framework, including identifying and addressing potential obstacles to resolution. Resolution plans and RAPs for major U.K. banking groups are at different stages of developments, with CMGs for some banks having agreed resolution cooperation agreements (CoAgs). The CMGs typically include core college members plus resolution authorities for the same jurisdictions. PRA also engages bilaterally with key host regulators on crisis preparation contingency planning to safeguard business continuity and financial stability in the face of specific risks. PRA host perspective As a host supervisor for EEA branches and subsidiaries, the PRA shares information in every case with the home supervisor and other hosts on crisis preparation and actions following EU legislative requirements on crisis management as set out in Arts. 87–92 of the BBRD. Recent examples of this were provided to the assessors during their visit. As a host supervisor for non-EEA branches and subsidiaries the PRA provides all relevant crisis preparation information when requested by the home authorities, and where the branch or subsidiary is material and/or the PRA considers a crisis situation is likely to occur, it contacts the home supervisor to look to ensure that this occurs at an early stage. The framework for sharing confidential information with non-EEA regulators is set out in the response to EC 2 above. |
| EC 6 | Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. |
| Description and findings re EC 6 | EU-wide legislation on home-host relationships:
The PRA requires banks to draw up group recovery plans and to submit group resolution packs. The PRA reviews the group recovery plan(s) for completeness, credibility, and compliance with BRRD and EBA guidelines, before sending a draft JRAD template to the relevant competent authorities for discussion, amendment, and agreement in the new resolution colleges. PRA supervisors support the resolution planning work of the BoE’s RD (which leads on the discharge of the BoE’s functions as resolution authority) with provision of supervisory data, risk assessment, and supervisory insights. More formally, the PRA shares the recovery plan with the resolution authority for its view on any actions that may impact resolution. The supervisory authority is also consulted on its view as to the resolvability of the firm (this is a formal and legal requirement), and on the use of any powers which require the firm to remove any impediments to resolvability. The PRA must also be consulted on the resolution plan being drawn up by the resolution authority. The PRA is also obliged to inform the resolution authority when a firm meets the conditions for early intervention (as defined in the BRRD) and of its decision of whether or not to take any supervisory action as a result. This occurs when there are risks to viability absent action by the firm or significant threats to a firm’s safety and soundness. The PRA also must notify the resolution authority if a firm is considered failing or likely to fail. The BRRD does not set a requirement on NCAs to notify a non-EEA resolution authority that a firm is failing or likely to fail. |
| EC 7 | The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. |
| Description and findings re EC 7 | EU-wide legislation on home-host relationships:
For the subsidiary of a foreign bank or FHC incorporated in third countries, Art. 127 CRD requires that the EU competent authority at the highest level of potential consolidation assesses whether the subsidiary is subject to consolidated supervision by a third country supervisory authority equivalent to the regime for consolidated supervision in the EU (including prudential and reporting requirements and the power to conduct onsite inspections). If the assessment leads to the conclusion that equivalence is not guaranteed, the subsidiary has to be subject to CRR and CRD or to other appropriate supervisory technique(s) apt to achieve the objective of consolidated supervision, including by requiring the establishment of a financial (or mixed financial) holding company with head office in the EU. All banks (both U.K. incorporated and overseas banks operating in the United Kingdom) are assessed by the PRA to the same prudential standards. This is set out in “The PRA’s approach to banking supervision.”61 The PRA has the same statutory objectives, whether it is regulating domestic or overseas banks. However, the PRA’s powers and requirements differ between U.K. incorporated firms and U.K. branches of EEA and third-country firms. As set out by the EBA above, for the cross-border operations of EEA banking groups, the United Kingdom’s powers and responsibilities are set by EU law, specifically CRR/CRD and BRRD, and standards and guidelines adopted by the EBA. These ensure that prudential, inspection, and regulatory reporting requirements are similar for all banks across the EEA. Banks from non-EEA jurisdictions may operate within the United Kingdom as branches or subsidiaries. The PRA has set out its risk appetite for when it will allow firms to operate as branches in PRA SS 10/14. This depends upon the nature and scale of the activities in the United Kingdom, whether the PRA has assessed the Home State Supervisor as sufficiently equivalent, and whether the home state supervisor accepts responsibility for the branch and the level of assurances on resolution provided to the PRA by the home state supervisor. Where the operation of a branch is within risk appetite, the PRA seeks to agree a formal split of supervisory responsibilities so as to be able to place reliance on the home state regulator for key aspects of the branch’s supervision. Where the operation of a branch is outside the stated risk appetite, the firm is required to operate within the United Kingdom as a subsidiary (where it is subject to the same prudential requirements as a subsidiary of a U.K. banking group). In placing reliance upon the home state supervisor, the PRA carries out a third-country assessment as set out in Principle 12 EC 6. Where a home state supervisor is considered to be equivalent and a branch is authorized the PRA’s objective is to ensure that it does not impact on the safety and soundness of the U.K. financial system in the same manner as if it were a U.K. banking group. Thus if the branch contained a CEF the level of scrutiny of those operations would be considerably more than for other branch operations where greater reliance would be placed on the home state supervisor. The PRA will require that the home state supervisor accepts its Prudential Regulations responsibilities for the branch and that there is a firm-specific split of Prudential Regulation responsibilities. The PRA’s policy is that all banks are subject to similar inspection and regulatory reporting requirements. As part of the implementation of the LCR, the PRA now requires liquidity information on a whole firm basis and has discontinued the ‘Whole Firm Liquidity Modification’ regime, which allowed overseas banks with U.K. branches to apply for a waiver of most of prudential sourcebook for banks, building societies, and investment firms (BIPRU) 12 rules, subject to certain conditions (including an equivalence assessment of the liquidity regime of the home state regulator of the applicant bank). |
| EC 8 | The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. |
| Description and findings re EC 8 | EU-wide legislation on home-host relationships:
Art. 47 CRD means that an EU-MS cannot treat a third-country branch any better than an EU entity. It is expected therefore that the third-country’s home state supervisor’s access cannot be better than any EU MS’s access to its branch. It does not necessarily mean that non-EU home supervisor is given onsite access to local offices (i.e., branches) of a banking group—nor does it mean that the 3rd country supervisor would be given parity of treatment with an EU-home country supervisor of an EU branch. In theory, if not in practice, the EU home authority would be allowed to explicitly restrict or prevent such access. PRA Rules require firms to provide it with access to their business premises.62 The PRA regularly conducts onsite supervisory reviews of U.K. banks’ operations in other countries. Where the PRA is the home supervisor it arranges these onsite reviews through the head office of the bank under review. The PRA follows a protocol to notify host supervisors of intended visits, and also inviting them to join in the meetings, if they wish. FCA The FCA has where necessary visited the overseas operations of certain major U.K. banks in order to assess the quality of customer due diligence AML controls in relation to U.K. requirements. The FCA notifies the relevant home supervisor in advance of such visits and typically shares the findings. For example, The FCA has within the past two years visited several overseas operations of a major U.K. bank for these purposes, including Brazil, Turkey, the U.A.E., Hong Kong SAR, Macau, and Switzerland. |
| EC 9 | The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. |
| Description and findings re EC 9 | EU-wide legislation on home-host relationships:
NCAs should demonstrate that they actually ban shell banks and supervise booking offices in a manner consistent with internationally agreed standards. One of the Threshold Conditions is that “the firm must be capable of being effectively supervised by the PRA.” Furthermore firms are required to have a sustainable and viable business model and be capable of accreting capital through the business cycle. All these would preclude a bank that was a ‘shell bank’ or ‘booking office.’ There are no shell banks in the United Kingdom. On the supervision of booking offices reviewers were given access to confidential papers that set out PRA expectations. Shell banks are effectively prevented from operating in the U.K. through S16 Money Laundering Regulations (MLR) 2007 whereby, they are not able to obtain banking relationships with credit institutions. The approach taken by the PRA’s predecessor organization, the FSA, was recognized by the financial action task force (FATF) in the mutual evaluation follow-up report (December 2009) and the position has not changed in the new regulatory structure now in place. |
| EC 10 | A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. |
| Description and findings re EC 10 | EU-wide legislation on home-host relationships:
For the information received by a non-EU authority, provisions on ex-ante consultation or expost information on supervisory actions taken on the basis of such information are contained in some of the MoUs signed with non-EU authorities and, more generally, represent an established working modality for the U.K. authorities in their interaction with their non-EU counterparts. |
| Assessment of Principle 13 | Compliant |
| Comments | The U.K. authorities, in their capacity as both home and host supervisors of cross-border banking groups, regularly share information and cooperate with foreign authorities for effective supervision of groups and group entities. Foreign banks operating in the United Kingdom are subject to the same standards as those required of domestic banks. |
B. Prudential Regulations and Requirements
| Principle 14 | Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,63 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. |
| Description and findings re EC 1 | The U.K. authorities cited a variety of laws and regulatory guidance that establish the responsibilities of a bank’s Board and senior management.
Additionally, U.K. authorities rely on the “APR” to ensure the fitness and propriety of individuals deemed capable of exercising significant influence on a firm and imposing enforceable obligations on them. While supervisors felt that the APR did result in better-qualified candidates being recommended for key roles in firms, in retrospect the regime’s weaknesses have been highlighted publicly. In March 2016, the APR was replaced with a new “SMR” that is intended to address recommendations issued by the PCBS; in particular, it implements amendments to the FSMA 2000 made by the Financial Services (Banking Reform) Act 2013. As this new regime has not yet been implemented, its effectiveness cannot be evaluated in this FSAP. Nonetheless, assessors discussed with supervisors the perceived benefits and how SMR may change the authorities’ approach to promoting sound governance and risk-management in firms in the future. Regarding guidance, assessors reviewed letters sent to firms, including to their Boards of directors, in which supervisors expressed concerns about particular governance-related issues. Examples included PSM or PSM-related correspondence in which supervisors raised concerns about a Board’s composition, such as lacking sufficient numbers of NEDs with banking experience; concerns about the structure of Board committees; concerns about Board appointments; concerns about the ability of a control function to offer enough “challenge” against business lines. Overall, the letters reviewed generally identified the supervisor’s concerns clearly and directly. What remained unclear in the letters, in some cases, was what supervisors wanted a firm to do other than to continue the discussion of the issues, though some letters contained more specific expectations regarding next steps. Supervisors note that follow-up meetings are held with the firms to clarify what actions the PRA expects firms to undertake. In addition, assessors reviewed internal staff memoranda outlining the results of governance-related reviews in supervised entities that demonstrated broadly the authorities’ focus on the responsibilities of a bank’s Board of directors and senior management. During the course of the assessment in November 2015, the PRA issued in final form an internal document outlining its broad approach to assessing corporate government in supervised firms called “the Supervision Approach to Management and Governance,” This document sets out what it calls a “map of the territory” that the PRA expects supervisors to cover in evaluating corporate governance. Specific areas of focus include understanding the collective effectiveness of Boards and separately of senior management, as well as an evaluation of “culture,” which includes assessing how well the Board’s expectations match those of the PRA. During the BCP assessment, the authorities were in the midst of implementing this guidance, including offering half-day training sessions to staff, and consequently assessors could not evaluate its effectiveness and track record. Nonetheless, the document appears to set out an appropriate direction for the future evolution of the PRA’s evaluations of corporate governance that can be evaluated at the next FSAP. |
| EC 2 | The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. |
| Description and findings re EC 2 | As noted above in CP 8, the PRA assesses “management & governance” as an element within its risk model and refreshes its views as part of the PSM and the subsequent mid-year review. In addition, especially in the largest firms, the PRA will undertake periodic governance reviews, including “deep dives” where appropriate, in which specialists may evaluate particular aspects of corporate governance. (The PRA recommends that such reviews take place every two to three years for the largest firms.) More recently, the PRA has begun to conduct corporate governance reviews in the next largest group of firms, the Category 2 banks. While the PRA takes the lead in evaluating governance, the FCA seeks to ensure that governance within a bank is sound and pays appropriate attention to conduct-related risks. The FCA’s focus for governance assessments is on its fixed firms, in line with its risk appetite. Supervisors may assess governance in flexible firms as part of work on events (such as crystallized risks) or cross-firm work, covering multiple firms. The FCA forms its views primarily: through direct liaison with key Board members and senior executives; through focused detailed reviews; and through reviewing materials provided to a firm’s Board and other key committees. In addition to reviewing letters such as those mentioned above in EC 1, assessors saw examples of letters to firms requesting changes to remuneration policies as well as examples of skilled persons reviews (S166 reviews) that included a focus on governance or governance arrangements. |
| EC 3 | The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced nonexecutive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced nonexecutive members |
| Description and findings re EC 3 | CRD IV Art. 88(2) requires that all firms that are significant in terms of their size, internal organization, and the nature, scope, and complexity of their activities must establish a nomination committee composed of managers of the management Board who do not perform any executive function in the firm. Chairs of Board committees are NEDs performing a controlled function and must apply for approval from the PRA to take up the role. Expectations for each significant committee were outlined by the authorities and include the following guidelines:
Assessors reviewed documentation arising from numerous interviews and analyzes that PRA and FCA staff had undertaken in determining whether an individual is “fit and proper” to assume a significant role in a firm as part of the legacy APR. As the authorities noted, in most cases U.K. supervisors have historically relied on supervisory dialogue and “soft power” to express views on whether an individual is “fit and proper” and encourage changes in nominations or to ensure that individuals receive adequate support and training before taking on sensitive roles in a firm. |
| EC 4 | Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty.”64 |
| Description and findings re EC 4 | S172 of the Companies Act requires a director to act in the way she/he considers, in good faith, would be most likely to promote the success of the company for its members as a whole. In addition, banks are required to comply with the statement of principles under S64(1A) of FSMA 2000 outlining expectations for “approved persons” to act with integrity, due skill and care, and in accordance with proper standards of market conduct in the discharge of his/her accountable functions, as examples. If an individual fails to comply with a statement of principle, the PRA can take disciplinary action against the person under S66 FSMA 2000, including imposing regulatory fines. As noted above, supervisors made available documentation of interviews and analyzes that the PRA and FCA had undertaken to determine whether an individual is “fit and proper” to assume a senior role at the firm; these included analyzes of candidates for roles on a Board of directors, including roles involving chairing a significant committee. |
| EC 5 | The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite65 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. |
| Description and findings re EC 5 | Supervisors at the PRA determine that the Board approves and oversees the implementation of its policies through regular meetings with Board members of Category 1 and 2 firms; specific reviews with specialists teams on corporate governance; and, for Category 3–5 firms, at least annual visits and meetings with members of the Board and senior management to gain a better understanding of their ability to provide good oversight. Offsite supervision involves reviews of Board meeting agendas, papers and minutes, and internal communications of codes of conduct, training materials, and other materials that shape corporate culture. Supervisors at the FCA seek to ensure that firms maintain the appropriate “tone from the top” and culture to ensure that (i) staff behave in manner consistent with the fair treatment of customers and reflects the integrity of financial markets and that (ii) conduct-related risks are identified and effectively managed. For major firms supervised on an individual basis, the FCA periodically seeks to understand how the Board and senior management pursue these goals and engages in direct liaison with key Board members and senior executives, occasional direct reviews, through reviews of materials prepared for the Board and key committees, and in review conduct-related incidents and the firms’ remediation of those incidents. |
| EC 6 | The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. |
| Description and findings re EC 6 | In addition to the descriptions of the U.K. authorities approach to evaluating the effectiveness of the Board, including in overseeing the firm’s organizational structure and management, U.K. authorities have relied until March 2016 on the APR to seek to assess directly the fitness and propriety of the senior managers in the firm. The PRA draws on its views regarding senior management in forming assessments agreed at the PSM held regularly for each firm. Discussions about succession planning are conducted in regular CA meetings with Board members and through specific reviews. The PRA monitors the performance of senior management partly through regular review of Board documentation and scorecards at both business and individual level, as well as through the annual remuneration round review and ongoing supervisory contact. This includes a discussion with the chair of the remuneration committee on staff assessment and on remuneration decisions. Assessors had an opportunity to review internal memoranda and letters to firms outlining the supervisors’ views on the effectiveness of both individual Board members and of the Board as a whole and overall found them indicative of the processes described above. The documents available included the PRA’s annual review of the effectiveness of a Board of directors at a major firm as well as a review of its succession planning. |
| EC 7 | The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. |
| Description and findings re EC 7 | The Remuneration Part of the PRA Rulebook sets out rules that require firms to discourage excessive risk-taking and to encourage more effective risk management. As reported by staff, the remuneration rules were introduced in 2009 in response to the FSB Principles & Standards on Sound Compensation practices and came into effect in January 2010. The rules are jointly owned by the PRA and FCA and the supervisory teams work closely together in monitoring compliance. The main objective of the remuneration rules is “to align firms’ remuneration policies and practices with effective risk management, and to ensure that they do not provide incentives for excessive risk-taking.” Supervision with the assistance of policy assesses their firms against the remuneration rules to ensure that the firm does not operate any policies that may encourage excessive risk-taking. This annual process takes place before the firm communicates their annual bonuses. Level one remuneration firms (firms with total assets over GBP 50 billion over an average of three years) are required to submit their remuneration policy statements (which details how they ensure they meet the requirements of the remuneration rules) to their supervision teams for review. The general process for Level one firms involves meetings or calls with the firm (HR and remuneration committee Chair) followed by written feedback which may include some areas of concern that requires further action from the firm and non-objection to the firms proposed bonus awards. The PRA supervision team reviews the firms’ submission alongside the FCA, providing joint feedback where appropriate. Level two (firms with total assets over GBP 15 billion but less than GBP 50 billion averaging over three years) and level three remuneration firms (firms with total assets less than GBP 15 billion) are required to complete the remuneration policy statement which should be made available to submit to the regulators on request. Malus and clawback Supervisors of firms subject to the remuneration rules will consider, on an annual basis as part of their supervision of the firms concerned, any reports made by the firm as to application of malus (reduction of unvested awards) or clawback of vested awards. They will also consider whether any circumstances they are otherwise aware of in the firm might give rise to a requirement to apply malus or clawback, and if so may require the firm to apply malus or clawback as appropriate. Staff indicated that, in the case of serious failures or misconduct, malus or clawback requirements could be imposed at any point in the year, in which case supervisors would take this up with the firm at the time. Equally procedures to determine malus or clawback will often extend beyond the normal reporting cycle in which case supervisors may follow-up on the outcomes outside of the annual bonus round. Assessors reviewed communications to firms from PRA supervisors in some cases outlining concerns about the structure of compensation packages or, in other cases, approving the release of compensation packages for individuals subject to its review. During discussions, supervisors noted the introduction of risk-adjusted performance requirements in compensation packages. While staff viewed these as having improved recently, they acknowledged the difficulties in developing such features and the need for the industry to continue to develop and apply such adjustments. |
| EC 8 | The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. |
| Description and findings re EC 8 | In the PRA’s supervisory approach document, the PRA explains its expectations that a firm’s control framework should be comprehensive in its coverage of the whole firm and all classes of risk, commensurate with the nature, scale, and complexity of the firm’s business. The effectiveness of a firms’ risk-management arrangements are monitored through the PRA’s CA program and by periodic enterprise-wide risk-management (EWRM) reviews, specialist reviews, and case studies. For the most systemically important firms, the PRA’s dedicated supervisory team monitors the relevant firms’ risk-management arrangements on a continuous basis and reaches its views through internal discussions at the annual PSM and the subsequent internal mid-year update. According to SS9/13 on securitization, a bank applying for permission for a significant risk transfer through securitization is expected to provide, inter alia, information on its governance processes, including details of any relevant committees and the seniority and expertise of key persons involved in sign-off. |
| EC 9 | The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. |
| Description and findings re EC 9 | Under S61(1) of FSMA 2000, the regulator may grant a Board candidate’s application for approval only if it is satisfied that the candidate is fit and proper to perform the controlled function to which the application relates. If the supervisor determines that a specific member of the Board is not fit and proper and/or does not possess the capabilities to carry out his role efficiently, the PRA has the power to remove his/her approval under S63(1) of FSMA. The PRA can also require a firm to hire additional Board members where it assess that a Board lacks a particular set of skills or expertise on the Board for its size, nature, or complexity of activities it undertakes. Assessors had an opportunity to review correspondence between PRA supervisors and Boards of directors or their chairs identifying particular skill sets that the PRA felt a Board might need in future members. Assessors saw as well examples of internal analyzes and recommendations to withdraw candidates from consideration for Boards given a lack of expertise or understanding on the part of some candidates regarding their intended Board roles. Supervisors stressed that, in reviewing applicants, they do not expect every director to have advanced risk measurement and management skills, etc., and instead are expecting to see that prospective Board members would offer sound judgment and, collectively, a wide range of experiences and fields of expertise for a firm to draw on for guidance. |
| Additional criteria | |
| AC1 | Laws, regulations, or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. |
| Description and findings re AC1 | As noted earlier, both the PRA and FCA require firms to report to them on any matters that reasonably each would expect to learn about from firms through the PRA’s Fundamental Rules and the FCA’s Principles for Business for supervised firms. SUP 10B.12.18 R states that if a firm becomes aware of information that would reasonably be material to the assessment of a PRA approved person’s, or a PRA candidate’s fitness and propriety, it must inform the PRA by fax or e-mail, as soon as practicable. Under SUP 10B.13, firms are required to inform the PRA of any material information regarding an approved person as soon as reasonably practical. This includes fitness and propriety. The failure to disclose relevant information to the PRA may be a criminal offence under S398 of FSMA 2000. For the FCA, under SUP 10A.14.17R, a firm is required to notify the regulator as soon as practicable if it becomes aware of information which would reasonably be material to the assessment of that individual’s fitness and propriety. |
| Assessment of Principle 14 | Largely Compliant |
| Comments | Since the prior FSAP (2013), the Basel Committee has added corporate governance to its CP given renewed attention on governance failures and broader interest among supervisors and public authorities in promoting sound corporate cultures within firms. Assessors view the existing approach to supervising corporate culture in the United Kingdom as already meeting some of the newly articulated expectations, meriting an assessment of “largely compliant.” Still, as outlined below, weaknesses remain today. Nonetheless, ongoing discussions in the United Kingdom regarding methods for strengthening supervisors’ ability to oversee and promote better corporate governance in firms are promising. Discussions on ways to strengthen corporate governance, and within that broad concept, ethical behavior and corporate cultures, are of course taking place in major financial centers worldwide. The special attention observed in the United Kingdom may reflect the prominent conduct-related scandals that have come to light recently in the London market. As one senior U.K. supervisor put it in October 2014, “we are in many ways in the second phase of the financial crisis, and this phase has at its root conduct of business, towards customers, in financial markets, and in areas of public policy such as financial sanctions and AML. At its most serious, this confluence of conduct risk can threaten the safety and soundness of firms.”66 Much of the discussion with supervisors during the current FSAP focused on problems that had emerged under the APR, still in force at the time of the assessment. While supervisors noted that their involvement in interviewing and approving candidates for key roles in firms did seem to improve the quality of the candidates that firms put forward; in retrospect it became apparent to supervisors that the existing regime had been applied inconsistently to senior managers in banks. For example, while the role of director was a specific controlled function, the role of the Chairman was not. This meant that a director joining a Board would have his/her fitness and propriety assessed by supervisors but if the same director was duly appointed Chairman of the same firm’s Board, he/she would not subsequently have his/her fitness and propriety reassessed prior to performing that pivotal role. The process allowed an individual to be evaluated once for fitness and propriety under the regime, but the person would not be subject to another evaluation under the regime as the role evolved (supervisors indicated that they have other tools available, as discussed below). The SMR is intended to address these issues. Roles and responsibilities will be clearly assigned and a new approval is required for any move into a key role, such as Chairman or the Chair of a key Board committee. These and other criticisms became more apparent in recent years; the PCBS, which was established in August 2012 as a direct response to the LIBOR scandal that had emerged two months earlier, criticized the existing regime, noting in a report in June 2013 that, “As the primary framework for regulators to engage with individual bankers, the APR is a complex and confused mess.” Beyond the APR, U.K. supervisors have undertaken a series of corporate governance review practices that assess the structure of governance arrangements and the quality and effectiveness of policies and procedures through full reviews, “light reviews,” and case studies of particular issues in firms. Based on supervisors’ comments, these reviews appear to be grounded heavily in interviewing Board members, the CEO, committee chairs, external auditors, and others. Supervisors may also observe Board meetings to understand the dynamics of Board discussions. From reviewing examples of the PRA’s corporate governance reviews, assessors determined as well that supervisors reviewed materials and reports provided to directors. Assessors also saw examples of written communications to firms’ Boards identifying observations about weaknesses in governance, though not all of the reports to which they had access included specific recommendations to Boards and instead invited dialogue on the issues. Supervisors indicated that they sought to apply “soft power” through such dialogue in encouraging firms to strengthen their controls and governance rather than in mandating particular actions. Supervisors did share examples of situations in which corporate governance reviews have led to changes in roles for individuals, in oversight mechanisms, and through other means. At present, such reviews seem to be limited to the most systemically important firms (Category 1); supervisors should consider expanding these reviews to other firms as well. Following the PCBS in 2013, the PRA and FCA developed and consulted on rules for the SMR, which replaced the APR in March 2016. Alongside this, guidance and training for supervisors following a policy decision made by the PRA Board has been developed. These two developments hold promise for much improved supervision on governance by the PRA and the FCA. As supervisors have articulated, the SMR is designed to strengthen individual accountability in the banking sector. One important way that this is achieved is by requiring each Senior Manager to have a Statement of Responsibilities, setting out clearly what he or she is responsible for, including a large number of prescribed responsibilities and stating all other responsibilities for the functions and business activities of the firm. Supervisors will continue to have an opportunity to conduct interviews of candidates for roles covered by the SMR, with PRA and FCA conducting such interviews jointly; a difference from the existing approach is that supervisors now have the power to impose binding, formal, and enforceable conditions and time limits on the approvals of individuals covered by the SMR, both at the initial approval stage and subsequently through a variation of approval. As with the APR, supervisors will be able to intervene after the interview and it is seen that SMR will enable this to be done more effectively thanks to the new powers of conditional approval. Firms, for their part, will have a legal obligation to assess the fitness and propriety of senior managers subject to this process before applying for approval and at least annually thereafter. The SMR seeks to focus accountability at the top levels of decision-making within organizations, which should lead to fewer individuals being subject to preapproval than under the predecessor regime. However, the precise number of individuals in scope of the SMR is expected to vary depending on the size, nature, scope, organizational structure, and complexity of the institution itself. Overall, the authorities’ efforts appear focused on attaching more clearly personal responsibility to individuals in key roles in firms and giving supervisors stronger tools—and potentially clearer expectations—for intervening earlier when weaknesses emerge in corporate governance. As the SMR was not yet in force at the time of the assessment, its effectiveness could of course not be evaluated during the current FSAP; it appears to address some of the concerns supervisors and others had shared about the existing APR. Given recent concerns about the prevalence of conduct issues and weak risk cultures in firms, both prior to the financial crisis and more recently after it, the assessment of “largely compliant” reflects the fact that the authorities have taken notice of weaknesses in firms’ controls and governance, and that work remains to continue to develop the tools necessary to support this work. First, weaknesses in the existing APR regime have not consistently supported the outcomes that supervisors sought; the new SMR regime is promising, but was not in force yet at the time of the assessment. Second, supervisors have been conducting reviews of corporate governance, and it should be noted that some reviews have resulted in changes in firms’ governance arrangements. Still, as this work appears to remain focused especially on the most systemically important firms (Category 1), with some work taking place in the next set of large banks, the authorities should ensure that corporate governance is appropriately considered in supervisory work beyond the largest firms. The effectiveness of these forthcoming revisions to U.K. supervisory practices will be ascertained in future assessments. |
| Principle 15 | Risk management process. The supervisor determines that banks67 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report, and control or mitigate68 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.69 |
| Essential criteria | |
| EC 1 | The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:
|
| Description and findings re EC 1 | Art. 74 of CRD establishes the legal basis requiring banks to have in place robust governance arrangements which include a clear organizational structure with well defined, transparent and consistent lines of responsibility to identify, manage, monitor, and report risks they are exposed to. The risk-management processes and mechanisms are to be proportionate to the nature, scale, and complexity of risks inherent in the business model and the institution’s activities. Arts. 97 and 98 provide the basis for the supervisory review and examination of a bank’s risk-management processes (SREP). Relevant EBA guidelines include:
The EBA guidelines on internal governance contain detailed expectations about banks’ risk management, including:
The SREP guidelines emphasize the need for involvement of the managing body (Board) and senior management, and detail a framework for the supervisor to engage and review the role of the Board and senior management proportionate with its size, scale, complexity, and risk profile. They contain detailed instructions for the supervisory review and assessment of internal governance and institution-wide controls, including:
The PRA’s Fundamental Rule 5 requires a firm to have effective risk strategies and risk-management systems. Fundamental Rule 6 requires a firm to organize and controls its affairs responsibly and effectively. In the PRA approach document,70 the PRA sets out its expectations for risk-management strategies within firms. It states that the responsibility of each firm’s Board and management is to manage the firm prudently, consistent with its safety and soundness, thereby contributing to the continued stability of the financial system. The PRA expects firms to have a culture that supports their prudent management. The Board and management of a firm should establish, embed and maintain the principle of safety and soundness in the culture of the whole organization. In its “approach to banking supervision document,” the PRA expects firms to have in place sufficient controls to minimize incentives for excessive risk-taking by management and staff by having in place clear structures of accountability and delegation of responsibilities. The PRA, also, expects a firm’s control framework to be comprehensive in its coverage of the whole firm and all classes of risk, commensurate with the nature, scale, and complexity of the firm’s business, and to deliver a properly controlled operating environment. Key to this is that firms have an effective three lines of defense operating model. The PRA expects firms to articulate for themselves the amount of risk they are willing to take across different business lines to achieve their strategic objectives. Firms are required to have an ICAAP in place, accompanied by a robust risk-management framework and its effective and consistent implementation throughout the organization. Ongoing reforms The PRA is currently consulting on guidance covering strategy and culture setting and risk appetite and risk-management in the form of a SS, consulted on in consultation paper (CP) 18/15 on Board responsibilities. The PRA proposals set out that all firms should evidence that the Board has established, and takes decisions consistent with, a sustainable business model and manages the firm to a clear and prudent strategy and risk appetite, ensuring that the firm meets its regulatory obligations. The PRA will also expect the Board to articulate and maintain a culture of risk awareness and ethical behavior for the entire organization to follow in pursuit of its business goals. The PRA expects the culture to be embedded with the use of appropriate incentives. The business strategy of firms should be supported by a well-articulated and measurable statement of risk appetite (expressed in terms that can be readily understood by employees throughout the business), which is clearly owned by the Board, integral to the strategy the Board has signed off, and actively used to monitor and control actual and prospective risks and to inform key business decisions. The PRA expects to see evidence of this active oversight of risks according to the risk appetite. The risk control framework should flow from the Board’s risk appetite. Supervision The PRA weights its supervision towards those issues and those firms that, in its judgment, pose the greatest risk to the stability of the U.K. financial system. The frequency and intensity of the supervision experienced by firms thus increases in line with the risks they pose. Along these lines, the PRA regularly assesses the significance of a firm to the stability of the U.K. financial system. This ‘potential impact’ reflects a firm’s potential to affect adversely the stability of the system by failing, by coming under stress, or by the way in which it carries on its business. The PRA categorizes firms in 5 categories based on their size, interconnectedness, complexity and business type and their capacity to cause disruption to the U.K. financial system. Please see BCP 8 and BCP 9 for a thorough description of this. Major U.K. and international firms (Category 1 firms) Supervision forms a judgment on whether Category 1 firms have appropriate risk-management strategies approved by Boards and that the Boards set a suitable risk appetite (details of how supervision forms these judgments are set out below). Supervision takes a forward-looking risk based approach, focusing on the key risks of the particular firm; supervision, reviews the role of a firm’s Board in the setting of risk appetite, the challenge put forward by the Board (or delegated Board Risk Committee) and the ability of the Board to opine on the appropriateness of the risk appetite in light of the firm’s strategy, capital and liquidity resources, and risk control framework. Supervision will review the membership of the Board and Board Risk Committee to ensure it has the skills and experience to challenge senior management on the risk appetite and risk culture of the firm. How does supervision form these judgments? As part of the judgment process, supervision analyzes firms’ MI, regulatory returns, and external information (e.g., analyst reports). Supervision takes into account in its judgment processes tools such as peer reviews, meetings with other regulators (e.g., through the regulatory colleges), meetings with internal and external auditors, and deep-dive reviews (e.g., AQRs) on a risk-based approach carried out by the PRA’s SRS (details of these deep-dive reviews are set out below). Additionally, firms are also subject to an enterprise wide risk-management review (EWMR) (details are set out below). CA meetings The key tool used by supervision to gather information and challenge the risk-management of a firm is through a series of meetings, known as “CA” meetings. During the CA meetings the firms’ risk-management is challenged by supervision on its risk-management framework and controls, its risk exposures, its risk appetite and linkages to risk limits, the independence of the risk function, the soundness of the firms’ risk culture, the measurement of risk, and the mitigation of risk. Via the CA process supervision assesses a firms’ risk management, including the interaction between the bank’s Board and risk function. The CA meetings are carried out with a variety of risk managers, across business lines and risk types (e.g., credit risk, market risk, operational risk, etc.), on a schedule proportional to the size, scale, and complexity of the firm (e.g., monthly market risk meetings for the largest firms, quarterly meetings with group chief review officers (CRO), etc.). Furthermore, supervisory specialists carry out quarterly visits to review and assess firms’ traded risk-management controls/frameworks, alternating between focusing on counterparty credit risk and market risk. This facilitates ongoing monitoring of firms’ risk-management culture, risk strategies, and risk appetite, and is also a channel for more focused risk-management reviews. For example, market risk appetite and limit frameworks were a focus topic of a recent semiannual review round. Supervision has an annual PSM, during which the risk-management of the major U.K. firms is considered in depth by senior PRA personnel, concerns are highlighted and supervisory strategy to remedy any deficiencies is discussed and agreed upon. At the PSM the CA meetings schedule is discussed and approved for the coming year. Supervision also has an annual “head of department (HoD)” review six months after the PSM to review progress in relation to the recommendations made in the PSM. The major U.K. banks’ risk-management strategies are discussed in detail again during this HoD review, and the supervisory strategy is revisited to ensure progress is being made to ensure Category 1 firms have a robust risk-management framework commensurate with their importance and complexity. Management information Alongside the CA meetings, supervisors receive from firms a range of MI on risk management. This MI generally takes the form of internal risk committee packs, used by the firms at their regular risk-management committees (e.g., the Board risk committee pack, the market and traded risk committee pack, operational risk committee pack, etc.). The amount of MI received is dependent on the size and complexity on the firm. For example, for the large, multinational firms, risk-management MI packs are received from the regional risk-management committees. For smaller firms, less MI is received and supervisors review regulatory return data and use peer comparisons to identify outliers. Supervision uses this information to form a view on the ongoing issues being faced by the firm, to assess the level of risk being run by the firms (e.g., new material transactions and existing exposures), to assess on a regular basis the firms’ risk appetite statements and risk appetite metrics, limit excesses and actions taken by the firm, key issues discussed at the risk-management committees by the firms’ executive and nonexecutives, and key projects being undertaken by the firm. Supervision uses the CA meetings to ensure the firms’ three lines of defense (front office, risk-management, and internal audit) are taking the steps necessary to monitor and control material risks and that the risk-taking is consistent with the approved strategies and risk appetite. Supervision also uses regulatory reports to analyze and identify key risk metrics of the supervised firms and uses this information for trend analysis and to form a view on emerging risks. Deep-dive reviews with SRS For key risks or material portfolios in high-impact firms (e.g., commercial real estate in the U.K.), supervision undertakes a deep-dive review of the firm in collaboration with technical specialists from the SRS unit. The trigger for carrying out a deep-dive review is risk-based; for example, if the major U.K. firm has a concentrated exposure to a particular portfolio, or has suffered significant losses from a portfolio, then supervision carries out a deep-dive review (e.g., an AQR, model reviews, internal ratings based approaches (IRB), governance reviews, etc.). The deep-dive involves a careful scoping of the review to ensure the key risks and issues are addressed, a full MI request and onsite meetings with the firms. Where appropriate, individual loan files are reviewed to test the quality of the underwriting and risk assessment ability of the firm. The information is analyzed by supervision and SRS, with comprehensive reports written; these reports are challenged via internal “challenge panels” whose members are other SRS staff and supervision, to ensure the conclusions and recommendations are robust. Based on the review, a letter is sent to the firm outlining the actions the firm must take to ensure compliance with the PRA’s requirements. EWRM reviews Risk-management reviews comprise a number of different elements. These include specialist technical reviews (credit, market, operational, etc.) and also an overall EWRM review. The purpose of a EWRM review is to consider and assess the overall risk framework within an organization from a top-down and bottom-up perspective. It includes, but is not limited to, the Board’s setting of strategy and risk appetite, the cascade down and embedding into the business, the associated policies, procedures, governance arrangements and reporting and escalation. It also considers the skills, experience, resources and effectiveness of the CRO and EWRM function. EWRM reviews form part of the CA program of supervision. The approach adopted is proportionate; the size and complexity of the firm in question and the nature of the firm-specific risks influence the frequency and nature of risk reviews undertaken by supervisors. For the largest Category 1 U.K. banks, the CA program requires a review normally to be undertaken once every 2–3 years. The review might comprise a full review or a series of smaller reviews, sometimes linked to technical credit, market or operational risks, or the use of relevant case studies. Reviews are undertaken by specialist staff working together with supervisors. For smaller firms, the reviews are linked to the program of CA, and are commissioned on a risk based basis. On occasion, the review work is undertaken by third-party skilled persons using the powers granted under S166. This is often the case when specific issues have arisen. The assessors were provided the EWRM review of the U.K. subsidiary of an overseas bank, analyzing elements of the firm’s overall risk-management framework like its culture, risk appetite, lines of defense, the link to remuneration, and its incentive structure. They examined also the relative follow-up (supervisory letter). Supervision’s assessment of risk management for Category 1 firms Throughout the process described above, supervision makes judgments on risk-appetite setting processes, the interaction between the firms’ risk appetite and the firms’ business strategy, and the calibration of the risk appetite against the firms’ capital resources and risk control framework. The firms’ stress testing processes and outputs are reviewed and considered in light of the risk- appetite statement and risk strategy. Additionally, supervision reviews the level of challenge the risk appetite statement received from the Board/Board risk committee. Supervision also reviews how the risk appetite statement translates into granular limits and lower-level risk-appetite statements (e.g., for larger, complex firms, Supervision expects to see risk appetite statements set at the legal entity/subsidiary and/or business-line level). Supervision assesses the firms’ risk culture on a continuous basis, across all types of risk (e.g., credit, market, operational, legal, reputational, etc.) and across the firms’ business lines. The risk-culture tone set by the Board and senior executives is analyzed and, if necessary, feedback is given to the firm, which the risk culture does not meet the PRA’s expectations. Category 2–4 banks and building societies As for Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms (including banks and building societies) on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk-impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy, and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes a detailed review of the firms risk appetite and capabilities in the context of their ICAAPs and internal liquidity adequacy assessment process (ILAAPs), based on interviews with key personnel (executives, risk managers, and nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of U.K. Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite and how effective the risk control systems are in practice. The evidence for supervisory judgment comes from a combination of the outcomes from interviews, review of relevant policy documents, analysis of regulatory returns data (to identify outlier behavior and trends, including in comparison with peers), review of MI provided to the Board, and relevant committees, discussions with internal and external auditors and, if deemed necessary from a supervisory risk appetite basis, the outcome of specialist reviews—either using PRA SRS resource or through commission of skilled persons reviews (under S166 of FSMA). The results of these reviews in terms of supervisory judgments on risk appetite and capabilities are presented to a PSM for each firm, at which ICG and/or individual liquidity guidance (ILG) is set and key issues are agreed for feedback to the relevant firm—typically such feedback includes both observations and a set of specific actions expected (e.g., set/amend risk appetite limits, improve quality or quantity of risk management, amend risk-management structure, etc.)—with dates by which these should be achieved. The PSM process allows for independent review of supervisory judgments in order to achieve both consistency and a sense check on whether judgment has been correctly exercised. The CA program reviews and onsite work that will be undertaken by the supervisory team are also agreed at the firm’s PSM. The outcome of the PSM, and the work undertaken by both firms and supervisors is subject to interim review six months later by the relevant HoD, or, for Category 3 and 4 firms, by an independent manager: this independent review checks progress against the stated requirements set out in the post-PSM letter to the firm, and also assesses plans for future work to be carried out in the period up to the next PSM. The intensity of the risk review process is risk-based: typically there are more meetings held with Category 2 firms and available SRS resources are concentrated on those firms with the highest potential impact on regulatory objectives. However, Category 3 and 4 firms that display poor risk-management attributes and which are judged to be more at risk of failure (PIF 3 and higher) are allocated proportionately more supervisory resources in order to understand better the extent of the risks being run and the potential outcome of failure.71 In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality, and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,72 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. Building societies are expected to inform supervisors before implementing any change of approach or agreeing internal limits that are significantly more risk-taking than those set out as expectations in SS 20/15. The PRA is currently undertaking a review of SS20/15 that is expected to result in the provision of more clarity on risk appetite and risk-management expectations applying to different levels of approach. As a result of much greater emphasis by the PRA conducting targeted EWRM reviews, examination via interviews have focused on independent NEDs (iNEDs) to ascertain if they can meaningfully articulate:
The PRA also looks closely at the quality and competence of the CRO and the risk function, including their resources and scope. FCA has responsibility for the supervision of banks on conduct matters. Although conduct risk is not a risk that can be easily quantified, the FCA is concerned to ensure that banks pay appropriate attention to conduct-related risks, both through actions taken to set the ‘tone from the top’ and create a bank’s culture and as appropriate through more formalized risk-management frameworks. The FCA seeks through its work on larger banks, which are supervised on an individual basis to understand how this is achieved. This insight is typically obtained through direct liaison with key Board members and the senior executives; through detailed reviews; through reviewing the papers produced for Board and other key committees; and through observation of conduct-related ‘incidents’ and how these are handled. The assessors reviewed the notes of meetings with the Board of an overseas bank on issues elating to model deficiencies. |
| EC 2 | The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:
|
| Description and findings re EC 2 | The PRA Rulebook requires firms’ management bodies to approve and periodically review the strategies and policies for taking up, managing, monitoring, and mitigating the risks the firm is, or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle (Art. 2.3 of the risk control section, which implements Art. 76(1) of CRD). In its “approach to banking supervision” document, the PRA expects:
Supervision Major U.K. and international firms (Category 1 firms) Supervisors of major U.K. firms assess the comprehensiveness of firms’ views across all risk types on a forward looking and judgment based approach. In addition to CA meeting of each material risk type, supervisors of major U.K. banks also have regular (e.g., quarterly) meetings with the firms’ group CRO to assess the enterprise wide risk-management and aggregate risk profile of the bank. These meetings with group CROs, reviewing the risk control framework of the whole banking group, allow supervisors to form a judgment on the comprehensiveness of the risk framework of the firm. Supervision assesses the firms’ risk-management controls and processes on a continuous basis, via CA meetings, deep-dive reviews, thematic reviews across the major U.K. firms, and the review of the MI received from firms. Deep-dive reviews are triggered by supervision having a concern about a material element of a firm’s risk-management function or the asset quality of a particular portfolio. These risks can be identified during CA meetings, review of firm’s MI (e.g., rapid growth in a loan portfolio in a higher risk area, such as commercial real estate, review of regulatory returns, or via cross-firm comparisons and thematic reviews. These reviews are normally carried out jointly by supervision and SRS, in order to use the risk expertise of the SRS staff and to get a cross-firm perspective. During deep-dive reviews supervision reviews a major U.K. firms’ policies and procedures (e.g., credit risk policies) to ensure they are fit-for-purposes and appropriately prudent (e.g., parental support frameworks in assigning internal credit ratings). Supervision tests the outcomes of the firms’ use of the policies and processes via reviews of the risks being taken by the firms. For example in retail credit, supervision will review the asset quality of the retail exposures for mortgages by looking at the firms loan-to-value profile, vintage analysis of performance, scorecard outputs, and collections data. Supervision looks across the firms’ risk types, focusing on the material risks for the particular firm, based on factors such as size of the portfolio vis-à-vis the capital size of the major U.K. firm, losses generated by the portfolio, thematic concerns raised across U.K. firms by other parts of the BoE or risks specifically raised by the firm as top or emerging risks. As part of the PSM, the systemic importance of the bank is discussed (e.g., confirming the firm’s status as a Category 1 firm) and the firm’s impact of proximity to failure of the firm on the wider U.K. financial system is considered (i.e., “PIF” score). The macroeconomic environment is of critical importance and supervision takes this into account when assessing the firms’ risk profile and risk appetite. Supervision reviews how the firm takes the macroeconomic environment into account via the setting of risk appetite, the setting of risk limits, and the hedging of risk. Supervision forms a judgment on how the firm takes the macroeconomic environment into its risk decision making and risk appetite setting by assessing factors such as how their stress testing output feed into risk limit setting. Supervision also has discussions with risk managers on their views of the economy and how those views feed into changes in risk limits. Supervision takes into account the firm’s strategy and its business model (through business model analysis) and the firm’s operating environment when assessing the risk profile of the firm. This process of assessing how the major U.K. firm takes the macroeconomic environment into account in its risk decision making happens frequently via the CA meeting process; “update on the top and emerging risks” is a typical agenda item in the meeting with CROs. In periods of market dislocation, supervision increases contact with the relevant risk-management staff at the firm to understand the firms’ exposure to the issue (e.g., Russian exposure taken by U.K. banks or U.K. subsidiaries of overseas banks; Greek exposure taken by these institutions) and what steps the firms are taking to mitigate risks and exposures. The firms’ crisis management processes are reviewed by supervision on a regular basis to ensure they are fit-for-purpose. In addition to the above, the supervisors of major U.K. firms review the firm’s internal stress testing processes and outputs, and the BOE annual stress testing outputs, when assessing a firms’ risk appetite. During the monthly market risk meetings, the firm’s market risk stress outputs are reviewed in depth with the firm’s market risk managers and the outputs are discussed in relation to the firm’s current exposures, risk limits and risk appetite. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15, 73 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to have internal policies for lending and treasury (liquidity, funding, counterparty risk, and financial risk) that express the Board’s risk appetite. Building societies are also expected to have in place the risk-management capabilities to operate to their chosen risk appetite, and Boards should receive MI that allows monitoring of how the risk appetite operates in practice. Policy statements and Board papers are reviewed by supervisors, and by relevant technical specialists, as part of the biennial review process (capital and treasury in alternate years). A similar approach applies to Category 2–4 banks, although specific supervisory expectations are not applied in the same way as for building societies (the business models of banks are more heterogeneous than those of building societies, so setting specific expectations is not possible—they need to be tailored to each bank). However, all Category 2–4 banks are expected to have internal policy statements that are in line with Board risk appetite and are agreed at appropriate levels (Board itself, or relevant Board committee): these are reviewed by supervisors and technical specialists on authorization and as part of the annual review process, with expectations for improvements discussed and communicated to banks via the PRA’s PSM process. Although conduct-related risks cannot be easily quantified, the FCA expects banks to have metrics in place for those aspects of conduct that can be quantified, together with other relevant indicators, so that management can gain meaningful insight into the nature and extent of conduct-related risks across the group. This information should be tailored so that an appropriate level of insight can be provided at all levels within the group, including at Board level. It should be sufficient to enable management and the Board to take decisions and act where necessary. The FCA expects management and the Board to understand the implications and limitations of such information. The FCA expects banks to implement policies and procedures to manage conduct risks identified within the business. Furthermore, the FCA expects Boards to understand the interplay between financial performance risk and conduct risk. |
| EC 3 | The supervisor determines that risk management strategies, policies, processes and limits are:
The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. |
| Description and findings re EC 3 | The PRA Rulebook requires that the management body of a firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to (Art. 2.3 of the risk control section, implementing Art. 76(1) of CRD). The PRA, as set out in its “approach to banking supervision document,” expects firms to have available the information needed to support their control frameworks. This information should be of an appropriate quality, integrity and completeness, to provide a reliable basis for making decisions and so to control the business within agreed tolerances. Guidance in the “approach to banking supervision document” states that an effective risk-management function ensures that material risk issues receive sufficient attention from the firm’s senior management and Board. Whenever there is a material change to the business model or in the products offered by the firms, the Board needs to take them into account and adjust its risk appetite and strategy accordingly. Supervision Major U.K. and international firms (Category 1 firms) As outlined above under EC 1 and EC 2, supervisors of major U.K. banks have an ongoing CA meetings cycle for major firms. Supervision regularly reviews the firms’ risk MI (e.g., risk committee packs) and has regular discussions on the firms’ limits, policies, and processes. For example, supervision through its CA meetings asks the firm if its risk profile or limits have changed, and reviews the firms’ risk appetite statement and current position against that risk appetite. The frequency of these meetings and discussions vary from monthly to quarterly to annually, depending on the firm and the assessment of the risk as determined by the judgment of supervision. SRS, as well as participating in these CA meetings, conduct quarterly and half-yearly reviews of risk-management frameworks in the major firms that have advanced model permissions. If there is a sudden or severe deterioration in market conditions, supervision communicates with the firm immediately. Supervision asks the firm how it is reacting to the market conditions; what the firms’ exposure is to the risks, and how the firm is mitigating its risks. For example, supervision asks the firm if it has cancelled credit limits, put “halt notices” in place, or taken out hedging positions in a crisis type situation. This is a way for supervision to test that the firm’s policies and processes are appropriate to changing market conditions and changing risk appetites given macroeconomic conditions. To assess communication within the firm, supervision analyzes this in various ways. If a new risk framework is being rolled out (e.g., a new operational risk framework), supervision asks the firm about its communication strategy and for details on the training program to embed the changes of the new framework. During the deep-dive reviews, supervision and SRS staff often have meetings with both senior and junior staff to ask about how policies and procedures are actually carried out at the firm. Additionally, supervision looks at the firms’ internal policy manuals and risk committee packs to analyze how risk processes are communicated across the firm. This is generally carried out on a risk based approach, with supervision focusing on the larger firms or current risk issues. major U.K. firm supervisors do not review firms policies on a set timetable, rather, the review of policies is driven by a risk-based approach where supervision determine there is an issue with a material risk area of the firm (e.g., if the operational risk framework is weak, as demonstrated by increasing operation losses, supervision will review the firm’s operation risk policies and processes). Supervision asks about deviations from a firms’ stated policy or risk appetite and how these are authorized. The review of these deviations could be triggered by increasing risk exposure, increasing loan impairment charges arising from a particular portfolio or picked up by the firm’s internal audit function. For example, for exceptions to a firms’ credit risk policy, supervision expects this to be approved at the appropriate level (e.g., via a group risk level or regional risk level). For exceptions to policies around issues such as single name concentration, supervision checks that this has gone through the appropriate governance challenges (e.g., Board risk committee approval if the limits are large vis-à-vis the firms’ resources). Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15, which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to have internal policies for lending and treasury (liquidity, funding, counterparty risk, and financial risk) that express the Board’s risk appetite. Societies are also expected to have in place the risk-management capabilities to operate to their chosen risk appetite, and Boards should receive MI that allows monitoring of how the risk appetite operates in practice. Policy statements and Board papers are reviewed by supervisors, and by relevant technical specialists, as part of the biennial review process (capital and treasury in alternate years). A similar approach applies to Category 2–4 banks, although specific supervisory expectations are not applied in the same way as for building societies (the business models of banks are more heterogeneous than those of building societies, so setting specific expectations is not possible—they need to be tailored to each bank). However, all Category 2–4 banks are expected to have internal policy statements that are in line with Board risk appetite and are agreed at appropriate levels (Board itself, or relevant Board committee): these are reviewed by supervisors and technical specialists on authorization and as part of the annual review process, with expectations for improvements discussed and communicated to banks via the PRA’s PSM process. |
| EC 4 | The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk MI that they receive. |
| Description and findings re EC 4 | The PRA Rulebook places ultimate responsibility for risk-management on firms’ management bodies. The management body must be actively involved in and ensure that adequate resources are allocated to the management of all material risks (Rule 2.7 in the section on risk control, implementing Art. 76(2) of CRD). It also requires firms to ensure that the management body in its supervisory function and the risk committee, where a risk committee has been established, have adequate access to information on the risk profile of the firm and, if necessary and appropriate, to the risk-management function and to external expert advice; the management in its supervisory function and the risk committee, where a risk committee has been established, must determine the nature, amount, format, and frequency of the information on risk which they are to receive (Rule 3.2 in the section on risk control, implementing Art. 76(4) of CRD). The PRA, as set out in its “approach to banking supervision document,” expects firms to have available the information needed to support their control frameworks. The information should be of an appropriate quality, integrity, and completeness, to provide a reliable basis for making decisions. Senior management is expected to have a clear understanding of the risks that are not adequately captured by internal models used. Senior management is also expected to understand the limitations of the internal models used. Ongoing reforms Further guidance regarding collective responsibilities of the Board and setting out the regulators expectations was provided through consultation paper (CP) 18/15 on Board responsibilities. Supervision Major U.K. and international firms (Category 1 firms) The PRA has an ongoing CA cycle for major firms. This includes monthly meetings that involve discussion of key exposures with management, and semiannual visits to review and assess firms’ traded risk-management controls/frameworks. As part of the CA cycle, the PRA also receives and reviews firms’ MI, which is often used as a basis of challenge and questioning during CA meetings with firms. As part of the governance reviews, the PRA determines whether the quality of data provided to the Board is sufficient to enable management to accurately aggregate, understand, and measure risks. This assessment includes the covering format, timing, and description of information flow of protocols regarding Board papers. Please see the response to EC 1 for more detail on EWRM reviews. Supervision determines whether the firm’s Board and senior management receive sufficient information to assess the risks being undertaken by the firm by receiving, on a regular basis, the same risk packs internally produced by the firm for senior management. For example, supervision teams of large firms receive monthly risk management committee packs and the Board risk committee packs. Supervision assesses the quality and depth of this MI and forms a view on whether the key risk issues, the firm’s risk profile and exposures, and top and emerging risks are appropriately captured in the risk reports. Liquidity is closely monitored by Supervision via regularly received returns; growth in assets vis-à-vis funding of those assets is reviewed. For large firms, Supervision assesses whether the granularity of information up to the higher level risk committees is appropriate. If too much information is being provided, this can lead to a dilution effect with the key issues not being given the appropriate level of review. If too little information is provided, then informed decision making cannot take place. If the level of MI is inadequate, this is fed back to the firm. The assessment of the quality of internal MI is also reviewed in deep-dive reviews. During these reviews, a significant quantity of firm MI is requested, at varying levels of the firm. This allows SRS and supervision to track issues through the various internal risk committees, to test the flow of key risk issues and concerns both up and down the risk chain. If the flow of information is not fit-for-purpose across the firm, across risk types, this is fed back to the firm and improvements to intrafirm communications are required. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management processes—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. All Category 2–4 banks are subject to an annual visit and supervisory assessment (SREP, L-SREP) that is considered in a PSM. As part of the visit preparation, supervisors request a copy of the most recent Board pack (and frequently also the packs for relevant Board subcommittees, such as ALCO and Risk and Audit). Supervisors and technical specialists review these packs to establish the type and level of MI being provided to Board members, and use the outcome of this review work to probe understanding and risk-management in meetings with management, Board members and (on a biennial basis) with the whole Board. In particular, supervisors meet with NEDs either individually or as a group to evaluate their approach to Board information and the extent to which they are able to monitor and control the business on the basis of the information provided. Shortfalls in capability are discussed and reviewed through the PRA’s PSM process, and fed back to firms (with expected actions) by way of the post-PSM letter. Any actions are time bound and followed-up by supervisors, with reviews of progress undertaken at the 6 month mid-point between PSMs. |
| EC 5 | The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. |
| Description and findings re EC 5 | BIPRU 12.2.1R74 Part of the PRA Rulebook requires a firm, at all times, to maintain liquidity resources which are adequate, both as to amount and quality, to ensure that there is no significant risk that its liabilities cannot be met as they fall due. In complying with Art. 86 of CRD, the PRA requires that firms must have in place robust strategies, policies, processes and systems that enable it to identify measure, manage and monitor liquidity risk over an appropriate set of time horizons. These strategies, policies, processes and systems must be proportionate to the complexity, risk profile and scope of the operation of the firm, and the liquidity risk tolerance set by the firm’s governing body. The ‘Threshold Condition’ 5D,75 business to be conducted in a prudent manner, requires firms to have an appropriate amount and quality of capital and liquidity and have appropriate resources to measure, monitor, and manage risk. BIPRU 2.2.4G76 states that the adequacy of a firm’s capital needs to be assessed both by the firm and the appropriate regulator. This process involves an ICAAP, which a firm is obliged to carry out in accordance with the ICAAP rules, and a SREP. As set out in the “approach to banking supervision document,” the PRA expects firms in the first instance to take responsibility for ensuring that the capital they have is adequate. The PRA itself forms judgments about how much capital individual firms need to maintain and the PRA’s judgments should inform firms’ own assessments. Firms should engage honestly and prudently in the process of assessing capital adequacy, and not rely on regulatory minima when these are inappropriate for the risks to which they are exposed. Where the PRA judges the conservatism applied in internal models not to be sufficient, it takes appropriate action to address the situation, which include requiring methodological adjustments or recalibration, setting capital floors or imposing adjustments to modeled capital requirements. Supervision Major U.K. and international firms (Category 1 firms) Supervision regularly reviews the firms’ ICAAPs and the PRA undertakes a SREP process to assess whether the level of risk being taken is commensurate with the firm’s capital resources. The cycle of SREPs is risk-based, with larger and/or riskier firms subject to more regular review. The SREP process is comprehensive and involves both supervision and risk specialists from the SRS unit. Where appropriate, peer comparisons are made across firms to assess risk appetites and risk profiles of firms. For example, a cross-firm view is taken of U.K. firms’ concentration risks to sector, single names and geography and a cross-firm view is taken of international firms’ exposure to important market risk events. Supervision regularly evaluates the levels of capital vis-à-vis risk exposure of firms. Supervision assesses how the firms internally ensure they remain within their stated risk appetite, via CA meetings and deep-dive reviews. For example, if a RWA limit is set for wholesale loans, supervision tests how a firm ensures it stays within that RWA limit and what are the consequences and/or processes for breaching that RWA limit. If a market risk limit is set on the basis of VaR or stress test limits, supervision reviews a firm’s reaction to breaches of that limit. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on their internal assessments of capital and liquidity adequacy (ICAAPs and ILAAPs). The core supervisory process applied to all smaller firms includes an annual visit to review, in alternate years, capital adequacy and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firms’ capital and liquidity adequacy, including understanding the background to the development of their ICAAPs and ILAAPs and an assessment of the adequacy of the internal policy limits and allocations for these. The assessment is based on interviews with key personnel (executives, risk managers, and nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The supervisory review process; specifically focuses on how the Board of the firm agrees and sets its capital and liquidity levels in line with its business strategy. The evidence for supervisory judgment comes from a combination of the outcomes from interviews, review of relevant documents (ICAAPs and ILAAPs), analysis of regulatory returns data (to identify business characteristics, including in comparison with peers), and assessment of allocations of capital/liquidity for key risk components. The results of these reviews and the report of technical specialists (if involved) are presented to a PSM for each firm, at which ICG and/or ILG is set and key issues are agreed for feedback to the relevant firm in explaining why numbers differ from the firm’s internal allocations (if they do). The post-PSM letter to the firm sets out these items and the expectation of the PRA for the firm’s next internal iteration of its planning documents. |
| EC 6 | Where banks use models to measure components of risk, the supervisor determines that:
The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. |
| Description and findings re EC 6 | The EBA Guidelines on common procedures and methodologies for SREP set out recommendations for use of internal models for specific risk categories not limited to those used for regulatory capital calculations (see relevant CPs). EBA has also produced an RTS on the conditions for assessing the materiality of extensions and changes of internal approaches for credit, market, and operational risk which is aimed at harmonizing the assessment of the materiality of extensions and changes to internal model approaches across NCAs. This RTS specifies the conditions for assessing the materiality of extensions and changes to help drive consistency and compliance with the regulations. The United Kingdom has implemented Arts. 77 and 78 of the CRD on the internal approaches for calculating own funds requirements and the supervisory benchmarking of those approaches. Under this regulatory framework the PRA requires firms to submit the results of their calculations of risk weighted exposure amounts or own fund requirements except for operational risk, together with an explanation of methodologies used to produce them, at least annually. The PRA approach document sets out the expectations of models used to measure risk. While quantitative models can play an important role in supporting firms’ risk management, the PRA expects firms to be prudent in their use of such models given the inherent difficulties with risk measurement. Models, and their output, should be subject to effective, ongoing, and independent validation to ensure that they are performing as anticipated. The PRA expects senior management to have a clear understanding of the risks that are not adequately captured by the models used, and the alternative risk-management processes in place to ensure that such risks are adequately measured and incorporated into the firm’s overall risk-management framework. Supervision For credit risk, where the firm has an IRB permission, the PRA takes a risk-based approach to oversight of firms’ capital models rather than following a standard CA program for each firm. Where the firms’ models, or a subset thereof, are deemed to represent a risk to the appropriateness of the firm’s own funds requirements (e.g., due to underestimation of RWA), analysis of model MI are undertaken, including an assessment of the limitations of the model and if appropriate, the adjustments made by the firm to take into account those limitations (e.g., additional buffers added on). Senior management’s understanding of the model is in this instance assessed through minutes of the committee(s) responsible for reviewing its performance. PRA risk specialist expertise is leveraged if necessary. For traded risk, where a firm has an IMA market risk permission or an internal model method (IMM) counterparty credit risk permission, the firm is subject to a semiannual review of each of these models by relevant risk specialists, owing to the closer relationship between capital and risk decision models than is the case in the credit risk (IRB) regime. Deep-dive reviews are initiated if there are serious concerns around the performance of a model, or by thematic concerns around certain models not accurately measuring risk (e.g., income-producing real estate models prior to the PRA moving firms onto the slotting approach, and wholesale loss-given default (LGD) and exposure at default (EAD) models, for which a framework has been developed to ensure that estimates are underpinned by sufficient historical recovery experience). If necessary, the PRA commissions a SPR to evaluate aspects of a firm’s rating system. The PRA’s SSs for credit, traded and operational risk internal model regimes (SS11/13–14/13) set out the expectation that on an annual basis a person in a SIF attests to the compliance of the firm’s rating systems and/or that where there is material non-compliance, a credible plan is in place for remediation. This provides a degree of assurance on any models—or other aspects of firms’ rating systems—that are not directly reviewed by the PRA. The PRA fully participates in the EBA’s annual benchmarking exercise for credit and traded risk model regimes, under CRD Art. 78, and has a permanent member on the EBA’s task force for supervisory benchmarking. |
| EC 7 | The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products, and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. |
| Description and findings re EC 7 | The EBA guidelines on internal governance set the expectations for an institution to have an effective and reliable information and communication system covering all its significant activities (see para. 30). Para. 26 sets out the overall expectations for an institution’s risk control function (RCF) to identify, monitor, and manage all risks across the enterprise. The RCF should ensure that an institution’s internal risk measurements and assessments cover an appropriate range of scenarios and are based on sufficiently conservative assumptions regarding dependencies and correlations (see para. 26.10). Furthermore, the RCF should ensure that all identified risks can be effectively monitored by the business units (para. 26.11). The EBA SREP guidelines describe the supervisor activities to test and assess an institution’s information systems (paras. 106–107) where supervisor’s should assess whether an institution has effective and reliable information systems and whether these systems fully support risk data aggregation capabilities at normal times as well as during times of stress. According to the SREP guidelines, NCAs should assess whether an institution is at least able to:
Supervision Major U.K. and international firms (Category 1 firms) ‘Supervision review firms’ information systems as part of the CA meetings (as described above in EC 1 and EC 2) and assess the level and quality of data produced by the firm via MI received. During CA risk meetings, the frequency of which are determined on a risk based approach, supervision questions the firm on the quality of its information systems, focusing on any deficiencies (e.g., lack of timeliness, lack of completeness). Where supervision has identified risk data aggregation as an issue, the firm’s remediation of its information systems is a topic of regular discussion. For the major U.K. firms, SRS review the firm’s IT systems to determine any deficiencies. Cross-firm work is sometimes the trigger for this, with some firms identified as outliers from their peers. If necessary, a skilled persons report (“S166”) is commissioned to review the firm’s ability to aggregate data. For periods of stress, supervision reviews how quickly and accurately a firm can aggregate risk data. The data received from the firm is often reconciled against existing firm MI, BoE data, and regulatory returns. Where there are discrepancies, supervision discusses these with the firm and acts as appropriate. Firms are expected to be working towards compliance with the BCBS principles for effective risk data aggregation and risk reporting (PERDARR) and to this end, supervision and SRS have had separate meetings with firms to discuss their progress, including IT system changes that are required. The assessors analyzed several ‘Board packs,’ finding them generally very detailed, and reviewed the report from a visit to a group data center supporting some of the IT systems of a major U.K. bank. The visit, sparked by past of outage incidents, focused on the analysis of backup measures, disaster recovery and business continuity plans, and cyber security measures. They got also access to a dear chairman and dear CEO exercise, an initiative aimed to: identify actions taken by firms to improve critical infrastructure and technology resilience; draw cross-firm comparisons highlighting consistencies and inconsistencies; examine the adequacy of resilience arrangements to prevent customer detriment arising from technology failures, potential impact on market integrity, and on the safety and soundness of firms. Finally, they saw the template of a letter to banks’ CEOs following the FPC 2013 initiative to assess, test and improve the resilience of the U.K. financial sector to cyber attacks. The letter announced the rolling out of a questionnaire and the start of a program of vulnerability testing against key cyber threats, on a voluntary basis. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management systems and processes—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. All Category 2–4 firms (including banks and building societies) are subject to an annual visit and supervisory assessment (SREP, L-SREP) that is considered in a PSM. As part of the visit preparation, supervisors most cases request a copy of the most recent Board pack (and frequently also the packs for relevant Board subcommittees such as ALCO, risk and audit). Supervisors and technical specialists review these packs to establish the type and level of MI being provided to Board members, and as the basis for discussions with Board members and senior management about the source and reliability of such information. Some elements of the MI are cross-checked against regulatory data returns to identify potential inconsistencies, and peer group analysis is used to identify those firms where the data appears to be against expectation. Should serious systems or data deficiencies be identified that are beyond simple rectification, supervisors (and will) ask for specialist reviews to be carried out—either by PRA specialists (SRS) or by external skilled persons (S166 FSMA). Shortfalls in capability are discussed and reviewed through the PRA’s PSM process, and fed back to firms (with expected actions) by way of the post-PSM letter. Any actions are time bound and followed-up by supervisors, with reviews of progress undertaken at the six month mid-point between PSMs. As described in EC 4, the PRA receives from all banks copies of the MI routinely provided to the Board and to its committees (‘Board packs,’ e.g., group Board, regional Boards, risk committee, audit committee, and asset & liability committee). |
| EC 8 | The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,77 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. |
| Description and findings re EC 8 | The EBA guidelines on internal governance set out the expectations for an institution to have a framework in place with regards to the development of new products (para. 23). Institutions are expected to have a well-documented new product approval policy approved by the management body, which addresses the development of new products, products and services, and significant changes to existing ones. The expectation is for institution’s to ensure that the decision making process consider regulatory compliance, pricing models, impacts on risk profile, capital adequacy and profitability, availability of front, back and middle office resources, and adequate tools and expertise to understand and monitor the associated risks. The guidelines describe the role of the managing body in regards to new product approvals. EBA SREP guidelines recommend that the supervisor take new products into account when assessing the internal control framework and assess whether the institution has a new product approval policy and process with a clearly specified role for the independent risk function, approved by the managing body (para. 104(h)). Supervision Major U.K. and international firms (Category 1 firms) As part of supervision’s deep-dives, AQRs, (carried out on a risk-based approach, outlined above in EC 1 and EC 2) and during CA meetings (carried out on a regular basis such as monthly or quarterly dependent on the risk type), supervision asks the firm about new products and the firm’s process for approving new products, material modifications to existing products and major management initiatives. Quite often these changes are discussed in both front office/strategy meetings and risk-management meetings, particularly if they are of a material nature to the firm. Supervision asks the firm about the challenge and degree of understanding of the changes/new product by senior management and the Board. If Supervision is not assured that a robust process of challenge has been undertaken, this is fed back to the firm, along with recommendations to improve the process. Supervision ensures these processes are followed by regularly reviewing the relevant MI (e.g,. risk committee pack detailing new products coming to market) and in CA meetings. As part of a recent EWRM review, the supervisory team reviewed the firm’s new products approval process, through a desk-based review of relevant policies and guidelines (including procedures for escalation to executive management and the Board). In addition, during the follow-up interviews, the team discussed specific case study examples of new product/process launches with Line 1, Line 2, executive management and the Chair of the Board risk committee, with a particular focus on how the new product approvals committee functions. For the relaunch of the product offered by the firm, the PRA also placed particular focus on the degree of challenge and understanding posed by the Board on this issue. The supervisory team also discussed with the risk function and Chair of the Board risk committee how the firm could better ensure that sufficient information was provided to the Board regarding the potential challenges of the new product, to ensure robust challenge. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on aspects of their risk-management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firm’s business model and product range, as well as future plans embedded in the current corporate plan. The supervisory judgment reached is based on interviews with key personnel (executives, risk managers, nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The capital specialists focus on the risks inherent in any lending products, in order to assess whether the allocation of capital in the firm’s ICAAP is adequate to cover the inherent (mainly credit) risks involved, and the treasury specialists also focus on funds transfer pricing (FTP) methodologies and systems to ensure that correct pricing signals are being transmitted to the front line. In reviewing products and business models, supervisors also test the understanding of Board members and senior managers of the risks and benefits inherent in individual products, and assess the new product approval process to gauge whether it adequately addresses the relevant risk-management issues in bringing a new product to market. The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite for new products, how this is promulgated in setting limits and controls, what capacity the firm has to deliver the new business (does it have the requisite skills and capabilities?) and how effective the risk control systems are that challenge this. In the case of building societies, SS20/15 sets out specifically the risk implications that Boards and management of societies are expected to take into account in determining whether or not to go ahead with a new product, and place an expectation on societies that they will consult their supervisors ahead of embarking on new initiatives that would represent more than 5 percent of capital or 10 percent of future revenue—any such initiatives and developments would be subject to specific supervisory review and feedback. The FCA expects banks to place customers at the heart of their business and to reflect this in product design, the sales process and after sales. This means that the FCA expects banks to ensure that products are designed with particular markets in mind, that they are suitable for these target markets, that risks are explained and that products are regularly stress tested to ensure they are performing in line with expectations. The FCA expects banks to have policies and procedures to take this into account in their processes both to design new products and amend existing ones. The FCA expects senior management, including Boards, to be satisfied that a bank has appropriate controls in this regard. The FCA carries out work both on individual banks and thematically across groups of banks to ensure that they meet regulatory expectations. |
| EC 9 | The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. |
| Description and findings re EC 9 | Laws and regulation The risk control part of the PRA Rulebook requires firms to establish, implement, and maintain adequate risk-management policies and procedures, and where appropriate and proportionate, establish and maintain a risk-management function that operates independently from the operational functions, has sufficient authority, stature, resources, and access to the management body. The risk-management function implements risk-management policies and procedures, and provides reports and advice to senior management. Rule 3.4 of the PRA Rulebook—risk control part (transposing Art. 76(5) of CRD) requires that a bank’s risk-management function be independent from the operational functions and have sufficient authority, structure, resources, and access to the management body. The bank must ensure that the risk-management function is able to report directly to the management body in its supervisory function, independent from senior management. The same rule also requires the risk-management function to ensure that all material risks are identified, measured, and properly reported. It must be actively involved in elaborating the firm’s risk strategy and all material risk-management decisions, with the ability to provide a complete view of the risks the firm faces as a whole. The banks must ensure that the appropriate reporting lines are in place, so that the risk-management function can report directly to the management body in its supervisory function, independent from senior management. The risk-management function should also be able to raise concerns and warn the management body where specific risk developments affect or may affect the firm, without prejudice to the responsibilities of the management body. The risk committee (notably its Chair) should provide a channel for the CRO to do this. Ongoing reforms Under the SMR there are distinct prescribed responsibilities allocated to senior managers, which ensure independence of responsibilities. For small firms (assets of GBP 250 million or less) these are:
For larger firms the responsibility is the following:
Supervision Major U.K. and international firms (Category 1 firms) Supervisors of major U.K. firms regularly question the firm’s senior risk-management about the level of resourcing in the risk function in the firm via CA meetings, the frequency of which vary depending on the firm and the risk type. Staff attrition rates are discussed, particularly in areas where high staff turnover is an issue. As part of the supervisor’s review of the firm (via CA meetings), supervision asks the risk-management staff about how they establish their independence and authority from front office/risk-taking functions of the firm. The frequency of this questioning of the authority of risk varies depending on the firm—a risk-based, judgment approach is taken—for firms where supervision is concerned over the strength of risk-management vis-à-vis risk taking functions, this is a regular item on the agenda when meeting risk staff. Where it is clear that risk-management have the independence and authority expected by the PRA, this issue is monitored less frequently (e.g., annually requesting organizational chart updates). During deep-dives of the risk function (see EC 1 and EC 2, which set out the triggers for undertaking deep dives), the independence of the risk function are reviewed. The ability of risk to be the final decision making on transactions and risk limits is questioned. Supervisors of major U.K. banks regularly look at the internal audit reports produced on the risk-management function. This happens on a risk-based frequency, with the reports reviewed more frequently; where the risk function is perceived to be weaker, as determined via CA meetings. During deep-dive reviews, internal audit reports on the risk area being reviewed are requested as part of the pre onsite MI review. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy, and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firms risk appetite and risk-management capabilities, based on interviews with key personnel (executives, risk managers, nonexecutive chairs of key committees, and internal and external auditors) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every four years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite and how effective the risk control systems are in practice. The evidence for supervisory judgment come from a combination of the outcomes from interviews, review of relevant policy documents, analysis of regulatory returns data (to identify outlier behavior and trends, including in comparison with peers), review of MI provided to the Board and relevant committees, discussions with internal and external auditors and, if deemed necessary from a supervisory risk appetite basis, the outcome of specialist reviews—either using PRA SRS resource or through commission of skilled persons reviews (under S166 of FSMA). The independence and capability of risk-management is a key factor in the assessment of each firm, and supervisors seek to assurance that risk managers have independent access to Board members and the chair of the Board risk committee. However, whilst an independent risk function would be usual for Category 2 firms, it is not always the case that a fully independent function can be justified for very small firms that undertake low risk business (e.g., retail mortgage lending): the PRA therefore adopts a proportionate approach to setting expectations in this area. Where no fully independent risk function exists, the PRA expects to see proper segregation of duties and collective decision-making (at a minimum, “four eyes” coverage and separation between business development and risk sanctioning. The PRA continually encourages the development of additional risk capability ahead of growth in firms, so that the business is appropriately controlled. The PRA also discusses coverage of risk-management by internal audit as a standard part of its review process. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,78 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. Societies are expected to inform supervisors before implementing any change of approach or agreeing internal limits that are significantly more risk-taking than those set out as expectations in SS20/15. The PRA is currently undertaking a review of SS20/15 that is expected to result in the provision of more clarity on risk appetite and risk-management expectations applying to different levels of approach. |
| EC 10 | The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. |
| Description and findings re EC 10 | Under Art. 76(5)(4) of the CRD all banks are required to have a risk-management function. Although this function must be headed by an independent senior manager with distinct responsibility for the risk-management function, it does not need to be headed by a specially appointed person solely responsible for this role. However, taking into account their size, nature, and complexity, for some banks it is appropriate to appoint a CRO. The EBA guidelines on internal governance recommend that a chief risk officer be appointed with exclusive responsibility for the RCF and for monitoring the institution’s risk-management framework across the entire organization (para. 27.1). The CRO should be responsible for providing comprehensive and understandable information on risks, enabling the management body to understand the institution’s overall risk profile. He/she should be sufficiently expert and experienced to discharge the role and challenge decisions that affect the risk profile of the organization (para. 27.3). In relation to the appointment and dismissal of the CRO, the guidelines recommend that the institution have documented policies in place to assign the position of the CRO and to withdraw his or her responsibilities. If the CRO is replaced, it should be done with the prior approval of the management body in its supervisory function; generally the removal or appointment of a CRO should be disclosed and the supervisory authority informed about the reasons for the removal. In the SYSC Section of the PRA Rulebook (on senior management arrangements, systems and controls), Rule 21.179 sets out the PRA’ expectations for the CRO. Banks need to seek approval for a CRO to perform the systems and controls function. The CRO should:
The CRO should also alert the firm’s governing body to and provide challenge on, any business strategy or plans that exceed the firm’s risk appetite and tolerance. The CRO should report into a very senior executive in the firm. In practice, the PRA expects this to be to the chief executive, the chief finance officer or to another executive director. The CRO should be a dedicated independent senior manager. In cases where this arrangement is disproportionate, another senior person within the firm may be appointed, provided there is no conflict of interest. SYSC 21.1.4G requires firms to ensure that the CRO may not be removed from that role without the approval of the firm’s governing body. Supervision Only Category 1–2 firms are normally large and complex enough to require appointment of a CRO. Smaller firms are expected to have risk-management appropriate to their scale and complexity. CROs are subject to preapproval by the PRA as CF28s (systems and controls) functions under the current APR and will be a PRA (SMF4 3.4 in the SMFs chapter of the Rulebook) under the new SMR. Consequently, firms need to notify us if a CRO is dismissed or ceases to perform that function for another reason using a specific form (Form C to be used in both the old and new regime). Rule 3.5 of the risk control chapter of the PRA Rulebook includes provision that the CRO must not be removed without the approval of the management body of the firm: “The head of the risk-management function must not be removed without prior approval of the management body and must be able to have direct access to the management body where necessary.” |
| EC 11 | The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book (IRRBB) and operational risk. |
| Description and findings re EC 11 | The following articles of the CRD are relevant to standards for specific risk types:
EBA’s SREP guidelines also provide set of recommendations for supervisory assessment related to risk-management of specific risk categories. For the implementation in the U.K. of the standards mentioned by the essential criterion, see CPs 17, 22, 23, 24, and 25. |
| EC 12 | The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. |
| Description and findings re EC 12 | Art. 74 of the CRD establishes the basis for institutions to have in place recovery plans for the restoration of an institution’s financial situation following a significant deterioration (see para. 4). The plans need to be reflective of the size, complexity, and scale of the institution. Furthermore, NCAs shall cooperate closely with the resolution authorities and provide them with all information necessary for the preparation and drafting of viable resolution plans setting out the options for orderly resolution of the institution in the case of failure. EBA SREP Guidelines set out the requirement that NCAs consider any findings and deficiencies identified in the assessment of recovery plans and recovery planning arrangements (para. 108). The relevant parts of CRD have been implemented in the U.K. as of January 1, 2014. In implementing Art. 74 thereof (regarding recovery and resolution planning), the requirements of CRD were addressed by planned amendments to the financial stability and market confidence sourcebook rules, as consulted on by the FSA in FSA CP 11/16 and which the FSA provided feedback on in FS12/1. The PRA has indicated its compliance with the EBA guidelines specifying common procedures and methodologies for carrying out supervisory reviews (SREP) (into force since January 1, 2016). The PRA has had in place a recovery and resolution planning framework since January 1, 2014 (setting out the PRA’s information requirements necessary to inform the authorities’ selection of the preferred resolution strategy, identification of barriers to its implementation and proposed means of improving resolvability); the framework has been subsequently amended following the U.K. implementation of the BRRD (January 1, 2015). In brief, recovery and resolution planning in the U.K. today is driven largely by the requirements of the BRRD. Specifically, the BRRD requires that recovery and resolution plans are drawn up. Moreover, should authorities identify barriers to resolvability in the recovery and resolution planning process, they can ask firms to take appropriate measures, with a view to ensuring that the firm can be resolved with the available tools without posing a threat to financial stability. Supervisors benefit from a wider range of tools relative to the pre-BRRD period, including early intervention measures (e.g., removal of management and the appointment of a temporary administrator). The resolution authorities in turn are equipped with a range of resolution tools (sale of business, asset separation, bail-in, and setting up a temporary bridge bank). A number of EBA standards and guidelines on recovery and resolution matters are mandated by the BRRD, for example, recovery plan indicators, simplified obligations, failing or likely to fail, etc. The U.K. has up until now either indicated its intention to comply with all finalized guidelines or fulfill standard requirements. Under the new SMR, for larger firms,80 there is a prescribed responsibility for developing and maintaining the firm’s recovery plan and resolution pack and for overseeing the internal processes regarding its governance, allocated to a Senior Manager. PRA rules require firms to produce recovery plans and submit resolution information to ensure that they:
The PRA as the consolidated supervisor ensures institutions write and maintain recovery plans covering the European group, which take into account the overall structure of the banking group, including any nonbank subsidiaries of that group. The PRA’s rules on recovery planning and the SS 18/1381 incorporate requirements of the BRRD. Arts. 5 and 6 set out the requirements and assessment criteria for recovery plans prepared for firms subject to the BRRD that are not in an European consolidated group. Arts. 7 and 8 apply those same requirements at the European consolidated group level for the group recovery plans contents and assessment requirements. The supervisors expect their firms to incorporate recovery planning within their existing risk-management framework. Both the individual and group recovery plan (whichever is applicable) needs to demonstrate to the competent authority how the group as a whole or an institution in the group can be stabilized during a stress in order to remove the causes of the distress and restore the financial position of the group or the institution in the group. Supervisors assess whether these plans demonstrate adequate governance arrangements and escalation processes, critical functions and core business lines, internal and external interconnectedness and strategic analysis of recovery options, minimum list of quantitative and qualitative recovery plan indicators and the range of scenarios. The recovery plan, whether it is at the individual or group level, needs to include at least three scenarios of severe macroeconomic and financial stress relevant to the firm or group’s specific conditions including at least one system-wide and one idiosyncratic stress. The global systemically important institutions (G-SIIs) are required to include at least four scenarios. Following a review of the recovery plans, the new BRRD framework requires supervisors to notify their firms about any material deficiencies in the plan and/or material impediments to its implementation. Firms have a further two months (extendable to three, if the supervisors permit it) to address the material deficiencies and impediments. For the 2015 plans, the PRA supervisors have asked the major U.K. systemic banks to submit their recovery plans during the annual capital stress-testing process to ensure that the reviews of the recovery plan options and the scenarios are aligned to the stress-testing management actions. The supervisors of the nonsystemic banks and the international banks request the recovery plans from their firms at their discretion—though this does not preclude the requirement for firms to take ownership for updating their plans on at least an annual basis or following a change to the legal, organizational structure, business or financial situation of the individual firm or the group. Since the new updated BRRD requirements came into force in January 2015, the consolidating supervisors have set up a joint decision processes so that all the competent authorities for the subsidiaries and significant branches in the group can assess the group recovery plan against the risks arising from all entities in the group. Internal processes for the approval of assessments are being implemented to strengthen senior management’s exposure to plans. Although PRA supervisors have been assessing individual and group recovery plans and providing feedback to the firms since 2012, the new BRRD requirements updated in January 2015 require a more structured assessment of the firm’s risks and assessment of the proximity to failure. Supervisors assess whether the plans demonstrate adequate governance arrangements and escalation processes, critical functions, and core business lines, internal and external interconnectedness and strategic analysis of recovery options, minimum list of quantitative and qualitative recovery plan indicators and the range of scenarios. The PRA expects the indicators to cover contagion and reputation risk within this. The PRA judges a firms proximity to failure using the PIF. The PIF score takes into account elements of the supervisory assessment framework that reflects the risks faced by a firm and its ability to manage them—external context, business risk, management and governance, risk-management and controls, and capital and liquidity. This is calculated and assessed annually; however, the elements of the framework are monitored regularly. The PRA works closely with the RD of the BoE on their resolution planning, in line with Art. 10 of the BRRD. If the PRA considers an institution to be failing or likely to fail, as per the EBA guidelines, it notifies RD, as the resolution authority. The PRA supervisors only need to share the recovery plans with the RD if the supervisors identify anything that has an adverse impact on the resolvability and/or resolution strategy for the firm. The current work on EBA guideline on triggers for early intervention, coming into force on January 1, 2016, will further clarify when supervisors should increase focus on resolution planning. Supervision For Category 2–4 firms, supervisors request and review firms’ recovery plans as part of the annual capital and liquidity visits. Supervisors have six months to identify any material deficiencies in the recovery plan and to provide feedback to the firm. The review focuses on identifying and removing barriers to credible recovery options. Category 2–4 firms—building societies in particular—have limited capital and liquidity recovery options beyond shrinking or merging with a larger firm. This lack of optionality means an appropriate trigger framework is essential. This is reflected in the PRA’s supervisory strategy; supervisors assess the relevance of triggers and early warning indicators and consider how they are incorporated in the firm’s risk-management and monitoring. Early intervention and use of early intervention powers are necessary to avoid urgent recovery work or resolution actions. Examples were provided to the assessors during their visit. In some cases, firms overestimate the outcome of a recovery option by not taking into account market conditions (i.e., they suggest assets would sell at a greater value than supervisors believe). In others, firms neglect to take the step of identifying potential buyers for these assets. Supervisors see this step as an important part of due diligence for recovery planning. Another common deficiency encountered by supervisors is that firms monitor insufficient indicators of their own financial strength and threats to it—they need to think more broadly about events that they should be aware of which might impact them. PRA supervisors require firms to prepare and maintain recovery plans which are mean to prepare firms for periods of stress. Supervisors assess the firm’s readiness to deal with a stress by considering the firm’s approach setting appropriate indicators for monitoring potential causes of stress (financial and nonfinancial), and the options the firm has on hand for dealing with a stress as a result of their planning. Supervisors also ensure firms have sufficient governance arrangements in place, which would allow the firm to take appropriate action in a stress. The result of these plans is that firms can demonstrate they have credible options to deal with a stress, which would restore the firm to viability. |
| EC 13 | The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program:
The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process. |
| Description and findings re EC 13 | Art. 97 CRD sets out the basis for NCA’s to evaluate the risks revealed by stress testing taking into account the nature, scale, and complexity of an institution’s activities (para. 1(c)). Art. 98 sets out the technical criteria for the supervisory review to include the results of stress tests carried out by institutions using an internal model to calculate market risk own funds requirement. Art. 99 states that NCAs shall at least annually adopt a supervisory examination program that has due regard for the results of an institutions stress testing that might indicate significant risks to their ongoing financial soundness or indicate breaches (para. 2(a)). EBA SREP guidelines contain detailed supervisory assessment criteria to encompass stress testing (para. 103): NCAs should assess the institution’s stress testing program, covering the appropriateness of the selection of the relevant scenarios, and the underlying assumptions, methodologies and infrastructure, as well as the use of the outcomes. Specifically in relation to this EC:
EBA guidelines on stress testing (GL 32) contain a thorough guideline for the application of stress testing by institutions in terms of the development of the framework, methodologies, assumptions, validation, etc. The PRA Rulebook requires that, as part of its business planning and risk-management obligations, a bank carries out stress tests and scenario analyzes that test its business plan to failure (reverse stress test) (SYSC 20.2.1R).82 In carrying out such stress tests and scenario analyzes, a bank should at least take into account each of the sources of risk identified in accordance with GENPRU 1.2.30R(2)83 (SYSC 20.2.4G). The bank must identify a range of adverse circumstances, which would cause its business plan to become unviable and assess the likelihood that such events could crystallize; and where those tests reveal a risk of business failure that is unacceptably high when considered against the firm’s risk appetite or tolerance, adopt effective arrangements, processes, systems or other measures to prevent or mitigate that risk. The design and results of a firm’s reverse stress test must be documented and reviewed and approved at least annually by the firm’s senior management or governing body (SYSC 20.2.3R). A bank must update its reverse stress test more frequently if it is appropriate to do so in light of substantial changes in the market or in macroeconomic conditions. Reverse stress testing should be appropriate in nature, size and complexity of the firm’s business and of the risks it bears (SYSC 20.2.5G). Where reverse stress testing reveals that firm’s risk of business failure is unacceptably high, the firm should devise realistic measures to prevent or mitigate the risk of business failure, taking into account the time that the firm would have to react to these events and implement those measures. As part of these measures, a firm should consider if changes to its business plan are appropriate. These measures, including any changes to the firm’s business plan, should be documented as part of the results. Supervision Much of the BoE’s approach to firms own stress testing is summarized in the SS6/1384 on stress testing, scenario analysis, and capital planning. This statement sets out the PRA’s expectations of firms in relation to stress testing, scenario analysis and capital planning, and the requirements set out in the PRA Rulebook in Chapter 12 of the ICAAP assessment rules. Specifically it addresses:
On a regular basis, the PRA issues a scenario that provides an indication of the level of severity to which it expects firms to stress their corporate plan. This may be used directly by firms where it is relevant to their business model and the risks to which they are exposed. Both scenarios issued by the PRA and those developed by firms themselves implicitly incorporate feedback effects and system-wide interactions. For all U.K. regulated firms supervised by the PRA, supervisors also make use of stress tests set out in firms’ ICAAPs, including reverse stress testing, and where appropriate running internal supervisory models and analysis to inform their judgments of individual firm capital adequacy. Latterly the FSA, and more recently the PRA, has undertaken sequential stress testing of the largest and most complex regulated firms in the U.K., making use of the scenario issued by the PRA, but adapting it for the specific risks faced by each individual institution. These sequential stress tests used a variety of internal supervisory models and analysis to inform supervisory judgments of individual firm capital adequacy. The sequential supervisory stress tests have now been superseded by the CST framework. The CST framework established by the BoE seeks to support the understanding of feedback effects and amplification mechanisms. This will help inform the design of future scenarios, but also the review of firms’ stress tests, even where not within the scope of the CST. The CST also incorporates a qualitative review of firms stress testing capabilities and practice. This includes an assessment of the engagement of the firms’ Boards. The PRA undertakes SREP reviews of firms’ ICAAPs and this encompasses three key components:
The SREP work undertaken reflects the scale and complexity of the firms supervised by the PRA. It is also supplemented with targeted, deeper reviews either of individual risks (such as interest rate risk on the banking book) or of the capital management and stress testing processes. SREP reviews are a combination of desk based reviews of firms’ documentation and on site interviews of a range of firms’ staff from the governing body to analysts. The PRA expects firms to carry out ICAAPs annually and reserve the right to call in any year (e.g., if the firm changes its business model via acquisition). The PRA has an ongoing CA cycle for major firms. This includes monthly meetings that involve discussion of key exposures with management, and semiannual visits to review and assess firms’ traded risk-management controls/frameworks. The CA cycle includes not only reviewing firms’ stress testing frameworks, but the output of the stress tests, for example, through regular reviews of MI and discussion of risk-management/mitigation actions taken by the firm. Category 2–4 Banks and Building Societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy as part of a comprehensive SREP process. The visit will include detailed review of the firms’ ICAAPs and that will extend to a review of the stress testing that has been undertaken. The review work will be carried out by supervisors in conjunction with capital specialists. For smaller firms, there are also PRA models for specific portfolios against which the outcomes of individual firm’s stress tests can be benchmarked. For Category 3 and 4 firms that are judged to be lower risk, the specialist review of capital will take place at least every four years (but a biennial supervisory review will take place in intervening years). The PRA/FPC publishes standards scenarios that are intended to “anchor” the stress testing performed by firms, to ensure that the scenarios used are of adequate relevance and intensity. In addition, firms are expected to develop and use their own scenarios that specifically test the vulnerabilities of their business models. For banks not taking part in the CST, the scenario is provided as a guide to calibrating their own scenarios for Pillar 2 stress testing purposes. The PRA is conscious of the challenges of developing a single macroeconomic scenario that will be relevant for a diverse set of firms, operating under different business models and exposed to a variety of risks. So responsibility for developing scenarios for Pillar 2 purposes still lies with firms themselves. The ‘anchor’ scenario is intended to help firms calibrate the severity of these scenarios. The results of the reviews in terms of supervisory judgments on the level of capital planning buffer (CPB) required are presented to a PSM for each firm, at which ICG+CPB is set and key issues are agreed for feedback to the relevant firm. The PSM process allows for independent review of supervisory judgments in order to achieve both consistency and a sense check on whether judgment has been correctly exercised. As part of a SREP review, supervisors would look at the outcome of the firm’s own stress testing and the assumptions underlying it. Supervisors expect firms to use stress scenarios that are relevant to their business model and operations, and will comment if they consider that the work has not been undertaken sufficiently rigorously, requiring improvements (either immediately or at the next iteration, dependent upon materiality). The results of stress testing are expected to be integrated with the firm’s own corporate plan and ICAAP, and to inform both the level of any P2A add-ons (where stress testing suggests that the P1 charge is insufficient) and of the CPB (now PRA buffer). Where, in the judgment of the supervisor (informed by technical specialists and confirmed by a PSM), the firm has not performed an adequate stress test, the PRA will use the results of its own stress test or add an amount for conservatism pending provision of more credible numbers. This will involve an expectation that the firm should improve its stress testing capability (within a defined period). |
| EC 14 | The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement, and new product approval process for all significant business activities. |
| Description and findings re EC 14 | BIPRU 12.3.15 requires firms to incorporate liquidity costs, benefits, and risks into product pricing, performance measurement, and the approval process for new products. Supervision along with SRS ensures compliance with the requirements as part of their annual or ongoing liquidity reviews. During deep-dive reviews, supervision and SRS question the firm on many aspects of its products, including the new product approval process. As part of the CA process, during the monthly trading book reviews, supervision asks for information about new products and significant new transactions from firms. This also applies to the pricing of risk. The firm is asked how factors such as liquidity and credit risk are taken into account when origination deals and risk management’s involvement in approving those transactions. In 2014, SRS conducted a cross-firm FTP review on seven Category 1 U.K. banks. The review focused on a select, but representative set of retail and corporate banking products. The purpose of the review was to provide an understanding of firms’ pricing structures and what they implied for both firms’ own business models and the financial system more widely. The work gave insight as to how institutions determine product margins and any potential perverse incentivization at firms. The FTP components assessed included fees/cash backs, liquidity costs, interest rate hedging costs, securitization credits (for certain types, e.g., mortgages), commercial margin, and management overlays. The review concluded that, although the firms had made some developments regarding their FTP frameworks, there still remained weaknesses revolving around:
These messages were fed back to firms in a series of subsequent face-to-face meetings. In addition, where risks were considered material by supervision they were incorporated into the firms’ CA schedule. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management—including their pricing of risk. There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every four years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite (does it have the requisite skills and capabilities?), and how effective the risk control systems are in practice. Included in the discussion with firms are reviews of the extent to which potential credit costs are factored into product pricing, the process for agreeing new products (including the setting of overall prices to recover costs and generate a return on capital), and the arrangements for FTP (to ensure correct pricing signals are given to those developing or managing product lines). The intensity of the review process is risk-based: typically there are more meetings held with Category 2 firms and available resources are concentrated on those firms with the highest potential impact on regulatory objectives. Category 3 and 4 firms tend to have smaller and simpler product lines, and therefore on a proportionate basis do not need the same sophistication of pricing and monitoring systems as their larger and more complex competitors. The PRA adopts a proportionate approach in setting expectations for this group of firms. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,85 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. The SS does include expectations on pricing activities, and these are due to be expanded upon in the updated version of the document that is planned for consultation later in 2015. |
| Additional criteria | |
| AC1 | The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. |
| Description and findings re AC1 | The SREP guideline includes the need for NCAs to assess the key vulnerabilities to which an institution’s business model and strategy are exposed to or maybe exposed to, including:
Furthermore the SREP includes consideration of assessing the sustainability of an institution’s strategy and the risk level of the strategy. BIPRU 9.1.6R states that risks arising from securitization transactions in relation to which a firm is investor, originator or sponsor, including reputational risks, must be evaluated and addressed through appropriate policies and procedures, to ensure in particular that the economic substance of the transaction is fully reflected in risk assessment and management decisions. The GOR Part 5.1 of the PRA Rulebook requires firms to ensure that the management body approves and oversees implementation of the firm’s strategic objectives, risk strategy and internal governance. GOR 2.1 requires firms to have robust governance arrangements, which include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility, effective processes to identify, manage, monitor, and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. For further details please see EC 2, 5, and 8 of BCP 14. Supervision It was noted above that, as part of the CA process, firms are required to provide supervision with details of new products authorized and significant new transactions. Supervision’s assessment of the firm’s risk-management of these transactions, carried out as part of the CA process, includes an assessment of the firm’s management of reputational risk, exposure to extreme events, and any other risks which may fall outside the Pillar 1 framework. Supervision conducts regular analyzes of firms’ business models and examines critically the viability of these models and their embedded risks. In support of these analyzes, supervision reviews firms’ P&L accounts to identify the quality and sustainability of their income streams. |
| Assessment of Principle 15 | Compliant |
| Comments | The PRA has set up a comprehensive and articulated framework for the supervision of bank’s risk-management systems, which allows it to perform a range of analyzes and reviews with more breadth and depth than it was the case at the time of the previous BCP assessment. In particular, the review of banks’ EWRM, through a combined top-down/bottom-up perspective, has now become an integral part of the CA for the largest banks. The introduction of the CST for major U.K. banks has significantly raised, in the opinion of the same banks’ CROs, the standard of risk-management practices inside the banks. This is a representation of the approach adopted for the largest banks (Category 1 and, to a more limited extent, Category 2 banks) and operated mainly by the risk specialists. The smaller institutions receive a lower degree of attention and are rarely examined by SRS: which, per se, is quite natural, given their more limited degree of complexity, but raises legitimate questions that have been further elaborated elsewhere (see CP 8 and 9). There are shades, in this approach, even for the PRA supervisory action on the same large institutions, as the increasing competition of requests towards a fixed pool of skilled specialist resources imposes frequent reprioritizations. All in all, the interpretation of the general approach to the oversight of banks’ risk-management frameworks needs to be read jointly with the other aspects of the PRA’s operating model (see also CP 2 and CP 16). |
| Principle 16 | Capital adequacy.86 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. |
| Description and findings re EC 1 | Part II of CRR defines the components of own funds following Basel capital tier structure, which reflect varying degrees of loss absorption capacity. In line with Basel III standards, CRD has introduced a ‘capital conservation buffer’ (Art. 129) and related capital conservation measures (Art. 141), which entail restrictions on distribution of dividends, payments of variable remuneration, payments on additional tier 1 instruments whenever such dividends and/or payments would result in a breach of the combined buffer requirement. Also, Art. 54 CRR provides for the write down or conversion of additional tier 1 instruments when the CET1 ratio of a bank falls below 5.125 percent. FSMA Threshold Condition 487 requires all banks to maintain adequate financial resources. All banks are required to comply with CRD/CRR which set out minimum capital requirements and qualifying components of capital. CRR is directly applicable in U.K. law. The PRA has used certain discretions in the CRR in a prudent way to ensure that the outcome is consistent with Basel III. For example, the PRA requires banks to deduct significant investments in insurance entities, subject to Threshold Conditions, rather than risk weight such investments. In addition, all AT1 instruments issued externally by U.K. banks have a trigger of 7 percent CET1 rather than the CRR minimum of 5.125 percent. In line with Basel III, the PRA has grandfathered certain state owned ordinary shares for one bank, which do not fully comply with the CET1 criteria, until December 31, 2017. In addition, the PRA’s PS 7/1388 supplements the CRR with additional rules in the PRA Rulebook. These include rules on connected funding of a capital nature, connected transactions, preissuance notification regime as well as the PRA’s implementation of national discretions and transitional provisions. The eight largest U.K. banks89 are held to a higher standard than other banks in respect of minimum risk based CET1 ratios and leverage ratios (SS3/13)90: in particular, they are expected to meet a 7 percent CET1 ratio, based on end-point definition of CET1 which does not take account of the transitional provisions for CET1, such as the phasing in of deductions. |
| EC 2 | At least for internationally active banks,91 the definitions of capital, risk coverage, method of calculation, and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. |
| Description and findings re EC 2 | The whole of Part II and III (Arts. 25–386) of CRR and Title VI, Chapter 4 (Arts. 128–142) of CRD implement the Basel capital standards in the EU. The CRR and CRD are complemented by EBA RTS on own funds. The compliance of EU legislation with the Basel capital framework has been assessed by the Basel committee in 2014 Program RCAP—assessment of Basel III regulations—EU, December 2014). The assessment has found the implementation of the Basel framework in the EU materially noncompliant; in particular, the EU framework has been found compliant in terms of scope of application, transitional arrangements, capital buffers, IMA for market risk, operational risk, supervisory review process, and disclosure requirements; largely compliant for definition of capital, standardized approach for credit risk, securitization framework, standardized approach for market risk; materially noncompliant for the IRB approach for credit risk; noncompliant for the counterparty credit risk framework. The assessors had access to some of the results, for the U.K. banks, of the EU RCAP exercise and found that certain sources of divergence with the Basel framework can be considered as having limited materiality (within 10 bps of CET1 capital ratio overestimation): e.g., small-and-medium Enterprise (SME) multiplier; absence of 1.06 scaling factor for non-IRB formula exposures. Also, for other sources of divergences, there is no impact, as the non-compliant treatment of the EU framework does not apply to any internationally active U.K. bank: e.g., original exposure method for counterparty credit risk; other risk-transfer mechanisms (different from insurance) under AMA; calculation of capital requirements for market risk using the credit risk rules; zero capital requirement on the net long or short position in an index contract if exchange traded and appropriately diversified. On the other hand, the broader range of counterparts exempted from the CVA requirement under CRR—as opposed to the Basel standard—determines an impact on CET1 capital ratios significantly larger than 10 bps in all cases. However, in exercising its options with respect to the so-called ‘national discretions’ offered by the CRR, the U.K. authorities have tended to adopt the more conservative ones; which, to a certain extent, are likely to partially compensate––though not in a precisely quantifiable way—for the increase in apparent capital ratios determined by the abovementioned source of divergence. Moreover, the PRA required institutions to apply all filters and deductions from CET1 in full from January 1, 2014, i.e., reaching the end point definition of CET1 as soon as permitted under the CRR. The discretion to phase in certain requirements more slowly has not been exercised. These include the full deduction of deferred tax assets (DTAs) that rely on future profitability and arise from temporary differences DTAs (Rule 10.7 in PRA Rulebook part definition of capital) as well as equity holdings in insurance undertakings, reinsurance undertakings, and insurance holding companies (Rule 10.8 in PRA Rulebook part definition of capital), from CET1 subject to a threshold amount. As a consequence of this choice, that represents an element of ‘super-equivalence’ with respect to the Basel framework during the transitional period, the PRA estimated that the average CET1 ratio for the largest four U.K. banks in 2015 would be almost 2 percent lower under the U.K. implementation, compared with the minimum transitional path allowed under the CRR. |
| EC 3 | The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)92 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. |
| Description and findings re EC 3 | Art. 104 of CRD requires that supervisors have the power to require a bank to hold own funds in excess of the minimum capital requirements (for any risk or element of risk not covered by such minimum requirements); to restrict or limit a bank’s businesses, operations or network or to request the divestment of activities that pose excessive risks to a bank’s soundness; to require the reduction of the risk inherent in a bank’s activities, products and systems. Art. 5 of CRR clarifies that the exposures on which capital requirements for credit risk are to be computed include assets and off-balance-sheet items. The risk-based capital adequacy regime requires banks to hold capital commensurate with the level and nature of all risks, both on and off-balance sheet, to which they are exposed as well as the risks they can pose to the financial system. Specifically the PRA can apply capital add-ons under Pillar 2 for risks that are not captured under Pillar 1 (e.g., defined benefit pension risk, IRRBB, concentration risk, governance and risk management, conduct risk, etc.) and for risks that are not fully captured under Pillar 1 (e.g., credit risk, market risk, and operational risk). The PRA requires firms to hold a capital buffer to ensure that they can continue to meet their capital minima under a severe stress. All firms are required to hold additional capital under Pillar 2, with some partial exceptions (e.g., banks subject to international sanctions, which are not subject to a Pillar 2B add-on as they do not undertake new activity). The PRA’s methodology for setting Pillar 2 capital was updated in July 2015.93 It confirms the PRA’s approach to setting tailored capital requirements to cover firm-specific risks while avoiding duplication with the new Basel III/CRD capital buffers. The PRA is further developing its internal processes to ensure consistency of approach across firms, enhance comparability of Pillar 2 capital and reinforce peer reviews. In particular, the PRA is developing a Pillar 2 database that captures relevant information; and introducing business intelligence solutions that allow better analyzes for individual firms and the sector. The PRA has implemented the FPC’s June 2014 recommendation to limit to 15 percent the proportion of new residential mortgages at loan to income ratios at or greater than 4.5. The FPC has also been granted powers of direction over loan-to-value and debt-to-income ratio limits for owner-occupied mortgage lending. |
| EC 4 | The prescribed capital requirements reflect the risk profile and systemic importance of banks94 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. |
| Description and findings re EC 4 | Art. 131 CRD sets a capital surcharge for global and other systemically important institutions. EBA technical standards and guidelines on methodology and disclosure for G-SIIs provide consistent parameters and specify a harmonized methodology for the identification of G-SIIs across the EU and determine their adequate levels of capital in excess of the minimum requirements. Art. 130 and following of CRD establish a bank-specific CCB that depends on the weighted average of the CCB rates applied in the different jurisdictions where the bank’s credit exposures are located. From a microprudential perspective, national jurisdictions cannot set higher overall prudential standards than the applicable Basel requirements, which under CRR have been harmonized at the Basel minima. However, Art. 133 of CRD grants supervisors the power to impose a systemic risk buffer––in excess of minimum capital requirements, Pillar 2 add-ons and other capital buffers, but in parallel with G-SIIs buffers––in order to prevent and mitigate long-term non-cyclical systemic or macroprudential risks not covered by CRR. Such systemic buffers may be imposed by local macroprudential authorities (not necessarily the supervisor) up to 3 percent upon prior notification to the EC, ESRB, EBA, and concerned countries. To set the buffer between 3 percent and 5 percent, the country needs to wait for the opinion of the EC before introducing the requirement. The buffer may be imposed on country-level exposures, or on all exposures, on all banks, or on subsets of banks. Also, Art. 458 of CRR allows the macroprudential authority of a MS (which is not necessary coincident with the banking supervisor) to enact stricter national measures; if it identifies changes in the intensity of macroprudential or systemic risk in the financial system with the potential to have serious negative consequences to the financial system and the real economy; in such a case, the macroprudential authority must notify the European parliament, the council, the commission, the ESRB, and EBA of that fact, and submit relevant quantitative or qualitative evidence (clause No. 2); after the notification, the council, acting by qualified majority on a proposal from the commission, can reject the draft national measures (unless they consist in increased risk weights on residential and commercial property sector or intrafinancial sector exposures): in particular, ESRB and EBA must provide their opinions to the commission within one month from notification and within one month after receiving ESRB and EBA’s opinion, the commission can propose to the council an implementing act to reject the draft national measures if it finds “robust, strong, and detailed evidence that the measure will have a negative impact on the internal market that outweighs the financial stability benefits resulting in a reduction of the macroprudential or systemic risk identified;” in the absence of a commission proposal within that period, the MS concerned may immediately adopt the draft national measures for a period of up to two years or until the macroprudential or systemic risk ceases to exist if that occurs sooner. Art. 87 of CRD requires supervisors to ensure that banks have policies and process in place for the identification, management, and monitoring of the risk of excessive leverage and that they address the risk of excessive leverage in a precautionary manner. Arts. 429–430 of CRR introduce a leverage ratio (compliant with the version of the leverage ratio (LR) standard known at the time of the drafting of CRR), but only as a reporting requirement (with obligation of disclosure from 1/1/2015). The PRA operates a stress testing regime under which the PRA requires banks to apply additional capital buffers. Under Pillar 2, the PRA assesses individual firms’ ability to continue to meet their minimum requirements under a severe, but plausible stress and sets additional capital buffers (to be renamed PRA buffers from January 2016) where the existing capital resources are deemed insufficient. Firms must hold this additional capital upfront and are able to use it if the stress materializes. The BoE has further enhanced its stress testing framework by adopting ‘CST of major firms and common scenarios of prescribed severity to explore system vulnerabilities. This information is intended to be used to inform the setting of a CCB for the entire system and the firm-specific PRA buffers. The 2015 stress test assesses a wider range of stresses including stresses in certain overseas markets, such as Asia, which are of critical importance to some of the U.K.’s largest banks. The largest U.K. banks and building societies are currently expected to meet a 3 percent Tier 1 leverage ratio (SS3/1395). On July 1, 2015 the FPC directed the PRA to implement a 3 percent Tier 1 minimum leverage ratio requirement for these firms in advance of the implementation dates under Basel III/CRR. The FPC’s leverage ratio framework also introduces two leverage ratio buffers, a countercyclical leverage ratio buffer to address systemic risks that vary over time, and a supplementary leverage ratio buffer to reduce systemic risks attributable to the distribution of risks within the financial system. The PRA intends to implement the framework from January 1, 2016. The FPC proposes to extend the minimum leverage ratio requirement to all PRA-regulated banks, building societies and investment firms from 2018, subject to a review in 2017 of progress on international leverage ratio standards. The FPC has been granted macroprudential powers to direct the PRA to introduce two different capital buffer tools to address emerging risks to financial stability.96 The CCB tool allows the FPC to change capital requirements above normal microprudential standards in relation to all loans and other exposures of banks to borrowers in the United Kingdom. The SCR tool is more targeted, allowing the FPC to change capital requirements above microprudential standards on exposures to specific sectors judged to pose a risk to the system as a whole. The FPC can adjust SCRs for banks’ exposures to three broad sectors (residential property, including mortgages; commercial property; and other parts of the financial sector), as well as more granular subsectors (for example, to mortgages with high loan-to-value or loan-to-income ratios at origination). The CCB and SCRs apply to all U.K. incorporated banks, building societies and large investment firms (such as large broker dealers). |
| EC 5 | The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:
|
| Description and findings re EC 5 |
At the time of the assessment, there were 18 banks in the U.K. with IRB approved models for credit risk (9 Advanced Internal Rating-Based approach for credit risk (AIRB), 5 foundation internal ratings-based approach for credit risk (FIRB), 4 retail only), 15 with IMA permission for market risk, 8 with IMM permission for counterparty credit risk, 2 with AMA permission for operational risk. a) Such assessments adhere to rigorous qualifying standards Credit risk All first-time notifications for IRB models are subject to a review by the risk specialists division. The PRA adopts a risk based approach to model reviews by applying a materiality based risk appetite to determine which models should be subject to detailed review. A full suite of documentation is required from firms in support of any such model change, covering development, validation, governance, and the firm’s own self-assessment against the CRR. For model subject to SRS review, a desktop review of firms’ documentation is undertaken, supplemented by onsite visits where necessary. The review follows a standard format that covers all material aspects of CRR compliance. The report and recommendation are challenged through a risk specialist-led Q&A process with mandatory contribution from supervision, policy, and other credit risk experts. Legal opinion is sought if necessary. The final decision is taken through the PRA decision-making framework. For model changes below the PRA’s risk appetite, and for models that do not change, the PRA has relied since 2013 on the firm’s own self-assessment against the CRR, the PRA’s SS, and annual attestation by a person in a SIF to the effect that the firm is materially compliant with the CRR or that a credible plan is in place for a timely return to compliance. Risk appetite is based on the category of firm, materiality of the relevant exposures, and the impact of the model change. This leads to a classification of the change as “material,” “intermediate” or “immaterial,” and review of model changes is prioritized according to this hierarchy. Immaterial changes are typically not subject to any review; intermediate changes are typically only subject to review after discussion with line supervision; material changes are always subject to review. The PRA observed that out of four IRB notifications of model changes that were considered intermediate, the risk specialists reviewed one and supported a supervisory-lead review of a second one (a request for reversion to standardized). The remaining two were not agreed, in agreement with the line supervisors, as pertaining to a firm that had recently undergone a thorough review of the most material models. However, this approach based on prioritization entails that a smaller bank could introduce significant model changes without being subject to a full review by the PRA, should the specialist division be too absorbed in other matters to provide the needed support: it all depends on the contingencies of the moment, does not provide the needed assurance about the robustness of internal models, and ultimately, does not guarantee that an adequate incentive structure is in place to avoid an opportunistic use of the possibility to adopt internal models. Beyond the individual firm reviews, the PRA periodically assesses compliance on a thematic basis where there are known or suspected weaknesses, for example through its wholesale LGD/EAD framework (see SS11/13).97 If necessary, the PRA will commission a SPR to review aspects of a firm’s rating system. The EBA Art. 78 RTS on benchmarking defines an annual comparison of key IRB/market risk and counterparty credit risk metrics across European banks. This benchmarking is expected to enable the PRA to identify outlying values that may be indicative of modeling weaknesses. The EBA is currently developing a RTS on the assessment methodology for IRB. This is expected to mandate a minimum level of oversight of firms’ IRB regimes by all EU competent authorities. The PRA intends to comply with this once it comes into force (expected 2016). Market and counterparty credit risk For traded risk internal models, the approval process is usually composed of a technical panel recommendation from SRS to supervision. Supervision takes the recommendation and its own views on the firms’ supervisory strategy to decision making committees. Banking policy and legal are consulted in the decision/recommendation. The risk specialists undertake desktop reviews and annual meetings with the banks. Normally, reviews take into account an understanding of the firms’ trading business models as well as the quality of their trading controls. The review takes into consideration most material aspects of compliance against CRR requirements for risk-management and risk measurement. The PRA monitors model performance through back-testing, capital trends, and internal risk-MI on a quarterly basis for 9 firms with the most material trading books. On an annual basis, the PRA holds CA meetings with these 9 firms. The PRA has a thematic agenda to investigate the level of standards of certain models. For, example, in the last two years the PRA has completed the following cross firm comparisons:
(For model change policy see above in this EC, under ‘Credit Risk’). Operational risk The qualifying standards for regulatory model(s) for operational risk––the AMA––are documented in the draft RTS required by CRR Art. 312.4(a). The RTS broadly follows historic FSA practices; however, there have been no recent applications for AMA permissions. Compliance with these standards is considered during periodic reviews and may be considered in response to notification of extensions of changes to the AMA. Evaluation of compliance with the relevant criteria is undertaken by supervision and operational risk specialists (SRS). To qualify for use of the Standardized Approach (TSA), institutions must meet the criteria set out in Art. 320, in addition to meeting the general risk-management standards set out in Arts. 74 and 85 of Directive 2013/36/EU. However, the PRA does not formally assess banks that use the TSA against the qualifying criteria specified in the Basel Accord paras. 660–663 and CRR Art. 320. Institutions shall notify the competent authorities prior to using the Standardized Approach. (For model change policy see above in this EC, under ‘Credit Risk’). b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor Credit risk Cessation of use is subject to PRA approval. Material modifications are subject to PRA approval to the extent that they are deemed material under RTS EBA/RTS/2013/06 on the conditions for assessing the materiality of extensions and changes of internal approaches when calculating own funds requirements for credit and operational risk in accordance with CRR. Market risk Cessation of use is subject to PRA approval. However, for market risk, the CRR does not have an explicit requirement preventing firms from reverting to standard rules, although in practice this would likely lead to increases in capital requirements so firms are unlikely to make this switch. Firms are expected to notify the PRA when switching to standard rules. The RTS on conditions for assessing IMA is under development and will define a materiality threshold that needs to be covered by internal models. The need to satisfy this threshold will effectively limit firms’ ability to move positions into standard rules. The PRA can detect a material switch to standard rules by banks by monitoring the COREP C 02.00 summary template, or the specific market risk templates i.e., C 18.00 to C 24.00. Counterparty credit risk Cessation of use is subject to PRA approval in accordance to CRR Art. 283.5. The PRA’s SS12/13 for counterparty credit risk defines the PRA’s expectations on IMM model changes and provides a definition of material model changes that require prior notification to the PRA before implementation. Operational risk Institutions will only be permitted to use a less sophisticated approach for regulatory capital computation with the express permission of the competent authority (CRR Art. 313.1) c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken Credit, market and counterparty credit, and operational risks The PRA has dedicated specialist resources for each of the risk types (credit risk, market and counterparty credit risk and operational risk). Where issues are identified, the PRA will either conduct in depth review work or ask the firm to validate their models using external consultants (through the PRA’s powers under S166 of FSMA). Should reviews highlight material concerns the PRA has the power to impose capital add-ons on firms or to revoke model permissions. d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so Credit risk The CRR provides that where certain conditions are met, the competent authority must permit institutions to use internal approaches (for example Art. 143 CRR). The PRA, as the competent authority must not add conditions. In other words, either the conditions are met, in which case the PRA must grant permission, or the conditions are not met, in which case the PRA must not grant permission. However, once the PRA has granted permission, it may use its power under S55M FSMA to impose requirements that relate to the permission. For example the PRA sometimes requires firms that have a model permission to report certain data. Market and counterparty risk Through S55M requirements the PRA can impose either reporting requirements or conditions that need to be met on an ongoing basis for firms to continue to use internal models for capital requirements calculations. These conditions typically require firms to monitor whether certain risks remain immaterial or require added mitigants to be imposed such as capital add-ons for risks not captured in VaR. Operational risk The competent authority can impose additional requirements where it is considered necessary (CRD IV Art. 101). e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval Credit risk CRD IV Art. 101.4 states that permission shall be revoked where a firm is unlikely to restore compliance within an appropriate deadline. To date, the PRA has not exercised this power. Market risk and counterparty credit risk The PRA has removed model approvals and imposed significant capital add-ons or multipliers on firms. The PRA removes permissions when the firm does not comply with CRR requirements and, based on the PRA’s judgment, the firm does not have a credible plan for the timely return to compliance. Capital add-ons are imposed when:
Operational risk The PRA has the power to revoke AMA permission or require a firm on the standardized approach to adopt the basic indicator approach (BIA). In practice, a remediation program will be put in place to assist the firm in meeting the required qualitative and quantitative standards within a time frame prescribed by the competent authority. |
| EC 6 | The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).98 The supervisor has the power to require banks:
|
| Description and findings re EC 6 | Art. 177 CRR requires IRB banks to have in place sound stress testing processes for use in the assessment of its capital adequacy; they must identify possible events or future changes in economic conditions that could have unfavorable effects on a bank’s credit exposures. Art. 296 CRR requires banks with approved IMM for counterparty credit risk to have a comprehensive stress testing program in place, including for use in assessment of its capital requirements for counterparty credit risk; it must identify possible events or future changes in economic conditions that could have unfavorable effects on a bank’s credit exposures. Art. 368 CRR requires banks with approved IMA for market risk to frequently conduct a rigorous program of stress testing, addressing a number of possible shocks. EBA guidelines on SREP require supervisors to regularly assess banks’ stress testing programs as part of the review of their ICAAP; in particular, they should:
EBA guidelines on SREP also recommend supervisors to take into account the outcomes of the stress tests and consider whether and which measures (possibly including capital add-ons) are necessary to address any breaches of the requirements Pillar 1+Pillar2) or any other relevant target ratio set by competent authorities for system-wide stress tests. In any case, the supervisor should require a bank to submit a credible capital plan, ensuring that it is able to meet its total capital ratio or any other relevant target ratio set by competent authorities for system-wide stress tests over the assumed time horizon. The SREP guidelines (paras. 359 and 360) recommend supervisors establish and maintain a routine and rigorous program of stress testing and take prompt steps to manage the specific vulnerabilities highlighted by the stress tests. Major U.K. firms are subject to CST. This stress testing assessment is done simultaneously using a common scenario and its outputs are used to assess system as well as individual firms’ vulnerabilities. It is also used as an input for setting additional capital buffers for the participating firms. For smaller U.K. banks, the PRA uses an inhouse model to benchmark firms’ stress-testing of their own mortgage books which are typically (although not always) the largest component of their balance sheets. If the results are found to be materially lower than the PRA’s without good reason, the PRA would use its own numbers to derive the capital buffer. For all banks, as part of their ICAAP, firms are expected to assess their ability to continue to meet capital requirements under a severe stress. This is a forward looking view over 3–5 years. As part of the SREP, the PRA reviews firms’ assessments and can set an additional capital buffer where existing capital resources are deemed insufficient. The PRA routinely adds capital buffers to the extent that these stress tests show capital depletion in the event of the stress. On a regular basis the PRA issues a scenario that provides an indication of the level of severity to which it expects firms to stress their corporate plan. Where directly relevant to a firm, the PRA would expect firms to run this scenario as part of their regular stress testing, in addition to other scenarios selected by the firm. Where not directly relevant, the PRA expects firms to use the scenario to calibrate the severity of at least one scenario to test their corporate plan. The PRA has broad powers to require individual firms to take specified action [under Section 55M of FSMA] and to make generally applicable rules [under S137G of FSMA] which can be and have been used to require banks to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. For example, as part of the capital shortfall exercise in 2013 of the eight U.K. major banks and building societies the PRA required three firms to submit plans for additional actions to strengthen their capital position and the PRA has made generally applicable rules requiring firms to draw up and maintain recovery plans providing for measures to be taken by the firm to restore its financial position following a significant deterioration of its financial situation. The PRA also notifies firms of an amount of capital they should hold as a PRA buffer over and above their minimum requirements and CRD4 buffers. The PRA buffer is based on a firm—specific supervisory assessment taking in account the risks revealed by stress testing. The PRA’s methodology for setting the PRA buffer reflects a firm’s systemic importance. The PRA has a published policy on the consequences for firms of using the PRA Buffer—. In summary—the PRA expects that where a firm has a PRA buffer in place, it should only use that buffer to absorb losses or meet increased capital requirements if certain adverse events materialize. A firm which does not meet its PRA buffer is subject to enhanced supervisory action and expected to prepare a capital restoration plan. If the PRA is not satisfied with the plan or the firm’s reasons for using the buffer it may consider using its powers under S55M of FSMA to require the firm to raise sufficient capital to meet the buffer within an appropriate timeframe. This may include imposing restrictions on distributions or requiring firms to use net profits to strengthen their capital position. For the purposes of the CSTs of the major U.K. banks and building societies the BoE publishes a hurdle rate framework including a strong presumption of action if in the stress a bank falls below key thresholds. Buffers for systemically important banks will be included in the hurdle rate framework but the supervisory response will be less intensive than if the firm was projected to breach minimum capital requirements. One of the participating firms in 2014 was required to submit a revised capital plan which was accepted by the PRA. |
| AC1 | For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application, and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks. |
| Description and findings re AC1 | CRD and CRR apply to all credit institutions (i.e., deposit-takers) and investment firms in the EU, irrespective of their size or intensity of international activity. The PRA applies capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application, and the capital required, in the same way to noninternationally active banks as to internationally active banks. U.K. credit unions are exempt from the European CRD and are supervised in accordance with the rules set out in the PRA’s specialist sourcebook, whose key features prescribe simple capital and liquidity regimes, lending limits, share limits, and provisioning. Their regulatory capital includes audited reserves, interim net profits, shares, subordinated debt (subject to certain conditions) and revaluation reserves (again subject to certain conditions and not exceeding 25 percent of the total capital). For the majority of credit unions, only the audited reserves and interim profits are relevant. Capital requirements are based on a simple capital/assets (i.e., leverage) ratio, without the overlay of risk weighting. |
| AC2 | The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.99 |
| Description and findings re AC2 | CRD and CRR are applied both on a standalone and consolidated basis, with few exceptions (Art. 7 CRR) that are anyway subject to conditions aimed at ensuring an adequate distribution of capital between parent and subsidiary/ies. Art. 73 CRD, in requiring banks to have in place sound, effective, and comprehensive strategies and processes to assess and maintain on an ongoing basis the adequacy of internal capital (with respect to the nature and level of risks), explicitly refers to the amount, type and distribution of such internal capital. As well as applying CRD and CRR on a standalone and consolidated basis (with some exceptions subject to strict criteria), the PRA exercises the discretion in Art. 49(2) of the CRR to deduct from own funds, on a standalone basis, significant investments in financial entities included in the consolidated group. The purpose of this deduction is to help ensure that adequate capital is located in all regulated entities within the group. If the deduction were not made, this could lead to capital being inappropriately allocated within the group. The main exception to supervising on a standalone basis is under Art. 9 of the CRR. Under this article, the PRA may waive standalone requirements on a case-by-case basis to incorporate in the solo capital adequacy calculation certain subsidiaries subject to strict criteria. Referred to as “solo consolidation.” One of the main conditions for allowing solo consolidation is that there is no current or foreseen material practical or legal impediment to the prompt transfer of own funds or repayment of liabilities between the subsidiary and the parent. Around 40 banks have been granted the permission to use this form of consolidation. The PRA does not use the more general derogation in Art. 7 of the CRR to waive supervision on a standalone basis. |
| Assessment of Principle 16 | Largely Compliant |
| Comments | The CRD and CRR implement the Basel capital standards in the EU. The CRR and CRD are complemented by EBA RTS on own funds. The legislation transposing the Basel capital framework in the EU has been assessed by the Basel committee as materially noncompliant RCAP—assessment of Basel III Regulations—EU (December 2014), particularly as a consequence of relevant misalignments in the IRB approach for credit risk and in the counterparty credit risk framework with respect to the Basel standard. The assessors had access to some of the results, for the U.K. banks, of the EU RCAP exercise and found that certain sources of divergence with the Basel framework can be considered as having limited materiality (within 10 bps of CET1 capital ratio overestimation) and for others there is no impact, as the noncompliant treatment of the EU framework does not apply to any internationally active U.K. bank. On the other hand, the broader range of counterparts exempted from the CVA requirement under CRR—as opposed to Basle—determines an impact on CET1 capital ratios significantly larger than 10 bps in all cases. However, in exercising its options with respect to the so-called ‘national discretions’ offered by the CRR, the U.K. authorities have tended to adopt the more conservative ones; which, to a certain extent, are likely to partially compensate—though not in a precisely quantifiable way—for the increase in apparent capital ratios determined by the abovementioned source of divergence. Moreover, the PRA required institutions to apply all filters and deductions from CET1 in full from January 1, 2014, i.e., reaching the end point definition of CET1 as soon as permitted under the CRR. The discretion to phase in certain requirements more slowly has not been exercised. These include the full deduction of deferred tax assets that rely on future profitability and arise from temporary differences (DTAs) (Rule 10.7 in PRA Rulebook Part Definition of Capital) as well as equity holdings in insurance undertakings, reinsurance undertakings, and insurance holding companies (Rule 10.8 in PRA Rulebook part definition of capital), from CET1 subject to a threshold amount. As a consequence of this choice, which represents an element of ‘super-equivalence’ with respect to the Basel framework during the transitional period, the PRA estimated that the average CET1 ratio for the largest four U.K. banks in 2015 would be almost 2 percent lower under the U.K. implementation, compared with the minimum transitional path allowed under the CRR. The figures analyzed by the assessors tend to suggest that this understatement of the CET1 capital ratios might compensate the net overstatement of capital ratios determined by the abovementioned divergences between the CRR and the Basel framework. However, the figures come from separate calculations that were disclosed to assessors in the form of final results and refer to different samples (four vs. five largest banks); also, any compensation effect stemming from the choice of adopting an end point definition of CET1 will progressively contract, down to full disappearance, as the end of the transitional period approaches. Overall, the assessors could not ensure a degree of comfort sufficient to reach a definitive conclusion about the net impact of these two effects, but, given the inherent uncertainties, they deem it appropriate to adopt a conservative approach, by not considering the capital adequacy regime resulting from the U.K. implementation of the EU capital framework as fully compliant. The deviations of the EU framework from the Basel standard give rise to deficiencies in Pillar 2 requirements that should be compensated by specific Pillar 2 add-ons. While this is the approach generally followed by the U.K. authorities, in order to address the lower capital requirements stemming from noncompliance with the Basel rules for CVA capital charges, the U.K. authorities are waiting for indications from the EBA Guidelines on the treatment of CVA risk under SREP, in consultation at the time of the assessment. As regards the review of banks’ internal model (for credit, market, operational, and counterparty credit risk), the assessors, while understanding the PRA need to better prioritize the use of its scarce specialist resources, found the PRA internal policy around the review of banks’ internal model not entirely reassuring in terms of the control the supervisor maintains on the robustness of models and on the absence of opportunistic behaviors on the side of the banks; assurance that would require a more intense degree of scrutiny than warranted by the policy, given the well known and documented tendency of banks (all over the world) to ease up once the initial permission is granted. The model change policy seems to be the reflection of a more general phenomenon inside the PRA. The line supervisors recognize that the adoption of internal models is an effective way of raising the bar of risk-management in the banks and to gain a better insight into risk-management practices; the PRA is beginning to see increasing demand for IRB permissions, particularly from mid-size and small banks (the largest ones being already authorized). This may result in additional demand for specialist resources. The specialist resources needed to perform the job are increasingly under pressure and unable to deal with these concurrent requests.100 Clear signs of difficulty in addressing this situation emerge: the assessors found, for example, evidence of a specialist team reducing the scope of examination of an internal model due to insufficient time available to review in full the documentation submitted by the applicant. The assessors reviewed also internal documents showing an ongoing debate within the PRA, with the quest for solutions able to reduce the pressure on skilled resources, but at the risk of a diminished assurance about the robustness of the models, such as the abovementioned model change policy; or the exploration of impervious alternatives, like external validation, which would entail the lack of any meaningful degree of analysis by the PRA and could represent an outsourcing of its prudential responsibilities to third parties (in violation, inter alia, of CP 9–EC 11). Given the high number of U.K. and international banks with approved internal models and considering the centrality of high levels of capitalization in the supervisory approach of the PRA (capitalization that can only be as good as the RWA against which it is measured), assuring that banks’ models maintain a high degree of robustness and are not used opportunistically should represent, in the opinion of the assessors, an absolute priority for the PRA. At the same time, the assessors recognize the existence of a constraint and of an inherent trade-off, and, in this regard, offer some further considerations. It must be noted that the engagement of supervisors, specialists and financial stability experts with the banks in occasion of the CSTs seems to have the advantage of raising the standards of banks’ risk-management more effectively than the usual model reviews, as the same bank managers met by the assessors confirmed. Probably this is also the result of a better incentive structure, as the stress test exercise imposes on banks a recurrent yearly challenge (that of avoiding to present a capital plan, in case of breaching the hurdle), while in the ‘usual’ pattern of internal model approval the incentive for banks to meet the supervisor’s expectations drops dramatically once the permission is granted. Hence the CST could represent, in terms of impact on the robustness of the banks’ internal models, an interesting complement—or even alternative—to an intense program of model reviews; on the other hand this would not probably address the resource constraint, as the absorption of skilled resources for the CST is unlikely to be less significant than for model reviews (especially if the adoption of internal models expands towards a wider population of banks, as the line supervisor would like). Other tools that the authorities may want to take into consideration to improve the robustness of banks’ internal models are the hypothetical portfolio exercises (HPE), which they already plan to run jointly with the EBA, but could also run independently in the interim periods (allowing for a better tailoring of the exercise to the U.K. market); and a benchmarking exercise (e.g., in the case of IRB, cross comparison of banks’ parameters on a portfolio of ‘real,’ common obligors), based on a regular collection of exposures and parameters from all the banks with approved models. |
| Principle 17 | Credit risk.101 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk102 (including counterparty credit risk)103 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. |
| Description and findings re EC 1 | The CRD establishes general requirements for risk-management and the risk-management function (Art. 76) and requires banks to have internal methodologies that enable them to assess the credit risk of exposures to individual obligors and also at portfolio level (Art. 79). In the U.K. the two articles are transposed into the risk control and internal capital adequacy assessment (ICAA) sections of the PRA Rulebook, respectively. EBA guidelines on SREP (which will apply from January 2016) set the supervisor’s expectations with respect to a bank internal credit risk processes; in particular:
The PRA and the FCA have both committed to comply with the guidelines.104 The PRA Rulebook requires that all material risks be identified, measured and properly reported, including credit, counterparty credit risk and associated potential future exposure, including where relevant, on a consolidated basis. The document ‘The PRA’s approach to banking supervision’ sets the PRA’s expectations with respect to risk-management in general (see CP 15). While there is no legal or supervisory documents stating in detail the supervisors’ expectations on credit risk-management for the generality of credit institutions, more detailed indications are provided to specific types of banks:
Also, the PRA’s SS 11/13 and SS 12/12 set out the PRA’s expectations on IRB approaches and counterparty credit risk, respectively; however they revolve mostly around the conditions for internal model approval, and so only tangentially concern the supervisory expectation listed in this EC. The PRA’s general supervisory approach of CA is delivered through supervisors maintaining an up-to-date view of the firms’ credit risk-management practices. This is supported by a rolling program of supervisory assurance work, consisting of both core and discretionary elements. The core elements are carried out regardless of a supervisor’s view of the idiosyncratic risks of the firm. The focus and quantity of discretionary elements are determined by the findings from core work, idiosyncratic risks, and business type. The CA work program for each firm is agreed annually at the firm’s periodic PSM, subject to any changes made in the interim review. This work program is rolled out through the annual cycle supported by inhouse credit risk specialist resources to assess the standards of credit risk-management practices of a firm and its adherence to regulatory expectations regarding risk-management and controls. Credit risk specialists also undertake targeted technical risk reviews, AQRS, and thematic reviews based on a firm’s risk appetite and systemic importance in combination with the market and macroeconomic conditions. This approach varies depending on the size of the bank, with specialist resources focused primarily towards Category 1 firms, conducting asset quality and other reviews at smaller banks (Category 2–4), based on the key risks of the firms and subject to resource availability. The assessors reviewed a number of documents prepared by the credit risk specialist in the SRS division, addressing a number of aspects of Category 1 banks’ credit risk management, including: underwriting standards; credit risk-management and control; adequacy of asset classification; consistency of credit growth strategy with external market conditions, internal risk appetite and risk control framework; valuation; monitoring. |
| EC 2 | The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,105 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. |
| Description and findings re EC 2 | EBA guidelines on SREP require the supervisors to verify that the management body approves the policies for managing, measuring and controlling credit risk and discusses and reviews them regularly, in line with risk strategies (para. 182). As part of the PRA’s approach to CA, supervisors regularly hold meetings with Board members, NEDs and senior management to ensure, amongst other things, that the firm implements the Board approved credit risk strategy. This includes assessing how well the Board set, monitor and control risk appetite; how effectively powers are delegated to the senior management; and what level of oversight exists. Such reviews provide comfort that senior management implements the credit risk strategy approved by the Board and develops the appropriate policies and processes. At a more detailed level, supervisors and credit risk specialists also undertake targeted reviews at selected firms based on their key risks, to ensure that the credit risk (including counterparty credit risk and associated potential future exposure) management strategy, policies, processes and controls at each firm are approved at an appropriate level and that they are consistent with the stated risk appetite. This is carried out in a variety of ways, both on and off site, including reviewing policy papers, review of assurance work from the firm’s Internal Audit, Board minutes, and MI presented to the Board and senior management. These are assessed to ensure they fully capture the actual level of credit risk the firm is exposed to, and that they are presented to senior management and the Board in a timely manner. The assessors found evidence of work conducted by the supervisors on the control of credit risk by senior management. Issues can be escalated to the attention of the banks’ Boards, if needed, as an outcome of annual PSMs or—if anything material surfaces in the interim period between PSMs—also by sending ad-hoc letters. In the case of building societies, SS20/15 specifically requires Boards to set and review lending policies, with material changes to such policies to be notified to supervisors ahead of implementation. Compliance with these policies was the subject of a PRA-mandated review by societies’ own internal audit functions in 2014, which found a number of deficiencies in the way in which the building societies had taken account of the PRA’s expectations as set out in the SS20/15, in particular in setting and monitoring risk appetite limits. The individual outcomes were discussed with the relevant societies, and remediation plans agreed where necessary. The results of the review were fed back to all building societies, and will be taken into account in the current review of the sourcebook. At the PRA’s request, a similar exercise was conducted on smaller U.K. banks, again via the banks’ internal audit functions, focusing on lending outside of policy. In this case the benchmark, absent a common sourcebook, was represented by their own lending policies. Similar work was carried out on compliance of smaller U.K. banks with their own lending policies, again undertaken by these banks’ internal audit functions at the PRA’s request, focusing on lending outside of policy. The assessors were provided examples of some targeted reviews; in particular:
|
| EC 3 | The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:
|
| Description and findings re EC 3 | A number of requirements on policies and processes for credit risk managements are present in the EU legislation and in EBA guidance (the latter taking effect from January 2015):
The PRA conveys its expectations on banks’ policies and processes for credit risk-management through dialogue with firms and feedback following SREP and other supervisory assessments. In addition, key figures from the PRA make speeches from time to time which are published on the PRA website and may contribute to convey the PRA’s stance on a particular issue. While topics such as IT systems, exception management and escalation may not be explicitly specified in the PRA Rulebook or other sources, the PRA considers them core to risk-management and as such to be assessed in order for the PRA to carry out its supervisory duties as set out in its approach to supervision and elsewhere. Assessment by the PRA of whether a firm has appropriate policies and processes and a properly controlled credit risk and counterparty credit risk environment is carried out on a risk-assessed basis through the PRA’s CA—see EC 1. The process includes an assessment of all the credit risk and counterparty credit risk-management issues as highlighted above and will focus on the key issues affecting each firm. For Category 1 and 2 firms, the PRA supervision approach includes regular interviews with the firm’s executive and NEDs and senior management. For credit risk and counterparty credit risk assessment in particular, this would include meetings with chief credit officers and chief risk officers as appropriate. Any material issues in respect of credit risk and counterparty credit risk arising from the CA process is investigated further by the PRA’s credit risk and traded risk specialists in the SRS directorate covering credit risk measurement, corporate, and financial institution credit risk, retail credit risk, structured finance credit risk and counterparty credit risk. The PRA can also appoint independent experts to supplement inhouse resource under FSMA S166. Technical risk reviews and thematic reviews of this nature also cover more detailed analysis of a firm’s processes around governance, risk appetite, credit risk, and concentration policies and how they are implemented. The reviews also cover monitoring, control, and mitigation of exposures, risk grading systems, collateral management, MI systems and reports, exceptions, identification and curing of problem assets, setting provisions, and taking impairment write-offs. The PRA also has a program of semiannual reviews, including onsite visits, of counterparty credit risk-management and measurement practices for firms with material trading books. It also draws on specialist credit risk modeling resource to review IRB capital models and models in general use in the business, such as loan affordability provisioning models. The PRA’s regular stress testing programs covering very high impact firms and building societies also address this criterion (see EC 8 below). For Category 2–4 banks and building societies, a similar review process is undertaken, but credit specialist resources are less readily available and thus review cases are prioritized on the basis of revealed risks from regulatory reporting and other supervisory activities. Local credit specialist are used for policy and file reviews, supplemented by work commissioned from the firm’s internal auditors or via appointment of “skilled persons” under S166 of FSMA. Building societies are expected to take account of supervisory expectations set out in SS 20/15 (see EC 1). Changes of policy or diversification into new areas of lending are subject to particular scrutiny to confirm that appropriate expertise and risk-management are in place. The assessors found evidence of work done—mainly offsite, but also onsite and sometimes via external experts’ review—at banks of different categories on a number of various aspects of credit risk management, such as:
|
| EC 4 | The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. |
| Description and findings re EC 4 | The EBA guidelines on SREP require the supervisors to assess the risk-management of FX lending risk, measurement and control frameworks, policies and procedures and whether the bank periodically reviews the hedging status of borrowers (para. 159.b). For Category 2–4 banks, the PRA’s approach is to review the competence and independence of the control functions, including risk management. This will include, where applicable, reviews of the second and third lines of defense in terms of an effective risk-management framework. In addition, the PRA has also undertaken thematic work to look at controls for smaller banks. For example, a review was recently undertaken of lending outside of policy at smaller banks in the U.K., with results being fed back to the industry in aggregate and to individuals firms where required. For building societies, SS 20/15 states that building societies’ should address and consider within their lending policies “information required to assess the extent of the investor-borrower’s broader exposure to the buy-to-let sector (e.g., the total number of properties in a portfolio and whether encumbered or unencumbered).” There are no specific supervisory expectations in place on monitoring FX lending risk (for banks possibly exposed to such risk). Foreign currency lending represents a small proportion of total lending for the U.K. The PRA observes that in 2011 the ESRB agreed that the U.K. was one of 12 EU MSs which sufficiently explained a lack of specific action in respect of their recommendations on foreign currency exposure, on the basis of the U.K.s low levels of foreign currency lending. The share of FX lending with respect to U.K. banks’ total assets was around 11 percent at that time and has not significantly moved from that level, according to an elaboration provided by the supervisor. PRA supervisors gain an understanding of a firms’ approach to credit assessment and the appropriateness of policies and procedures in relation to credit assessments through discussions with senior management and review of firm’s MI. Factors such as total indebtedness and foreign exchange risk of entities to which they extend credit risk are considered in this process. The application of wider credit risk policies is assessed through reviews of firms’ risk credit risk-management policies, procedures, and controls. The assessors found evidence of credit risk-management reviews at banks focusing, inter alia, on the total indebtedness of customers. |
| EC 5 | The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. |
| Description and findings re EC 5 | There is not a specific and explicit requirement that banks should make credit decisions free from conflicts of interest and on an arms-length basis, although Rule 3.2 in the ‘skills, knowledge and experience’ part of the PRA Rulebook requires senior personnel of a firm to define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest. Also, it does require that competent and, where appropriate, independent control functions oversee the risk-management framework. Also, the EBA guidelines on SREP require the supervisors to assess whether the bank demonstrates to have in place policies to identify and avoid conflicts of interest (para. 85). In practice, supervisors assess a firm’s governance framework and credit risk controls. This includes an evaluation of how the firm manages conflicts of interest to ensure that credit decisions are made on an arm’s length basis. Supervisors examine the independence of the risk function and its effectiveness via CA and other credit reviews to gain further insights. The assessors found evidence of supervisory examinations of these aspects. Forthcoming legislative and regulatory changes around structural reform will introduce additional governance arrangements reinforcing the independence of ring-fenced banks, including the credit decisioning framework. |
| EC 6 | The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. |
| Description and findings re EC 6 | The PRA has not explicitly articulated the requirement for a bank’s credit policy to prescribe that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital be decided by the bank’s Board or senior management. However, the PRA approach document sets a general expectation that key decisions, both on assuming new risks and managing existing ones, be taken at the appropriate level, including at the level of the Board where they are sufficiently important. As part of its CA processes, the PRA will assess, as appropriate, whether limits have been established for credit (including counterparty credit risk) exposures, including single name and sector limits, and that approval processes are clearly defined. The PRA will also assess whether materially large and/or high risk exposures have to be approved by senior management, and are reported to, and regularly reviewed by the Board. In carrying out AQR of corporate exposures, the PRA’s credit risk specialists review individual loans and amongst other checks, ensure that each loan has been approved at the appropriate level. The PRA’s credit risk specialists, together with the BoE’s Financial Stability Directorate, also carried out a review of commercial real estate and leveraged finance underwriting practices, which included a review of loans made outside policy to ensure that they were appropriately authorized (see EC 3). |
| EC 7 | The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. |
| Description and findings re EC 7 | Art. 4 of CRD requires MSs to ensure that supervisory authorities are able to obtain the information needed to assess the compliance of banks and banking groups with the requirements of the Directive and of the CRR (para. 3), that banks and banking groups provide the supervisory authorities with such information (para. 5) and register all their transactions and document systems and processes in such a manner that supervisors are able to check their compliance (para. 6). Under the FSMA, the PRA has the power to request all information maintained by a firm, certain third-party providers and its employees which is necessary to carry out its functions. The PRA’s Rulebook also specifies what level of information, at a minimum, a firm should maintain in the course of running and managing its business. |
| EC 8 | The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. |
| Description and findings re EC 8 | All U.K. banks are required to test their credit exposures under a stress scenario as part of the ICAAP. For smaller firms, ICAAPs are reviewed by the PRA proportionate to the materiality of the firm; they are required to consider, for their own stress test exercises, the scenarios adopted by the FPC for the CST (see below). Their internal stress-testing framework is reviewed and, where relevant, the stress-test results are compared with the outcome obtained from a PRA-developed model (on residential mortgages), in order to challenge loss projections and to calibrate capital buffers. The PRA undertakes regular CST of the largest U.K. banks (currently the largest seven). The stress testing program aims at obtaining an estimate of the potential losses and capital and liquidity requirements that could arise under a number of stress scenarios determined by the FPC and the PRA Board. The PRA’s credit risk specialists, traded risk specialists and the BoE’s financial stability team jointly challenge firms’ loss projections under the stress scenarios using a suite of models, as well as quantitative and qualitative assessment of firms’ results. Adjustments to the firms’ own forecasts can be made if the BoE believes the firm to have been overly optimistic or pessimistic in the likely impact of the stress scenario on individual portfolio or asset class exposures. If the cumulative results of the stress tests demonstrate that the firm is under-capitalized in the event of such a scenario occurring, the PRA may, as part of its broader capital assessment, take a number of actions, including requesting the firm to increase its capital resources. Information gathered as part of a stress test on the quality of assets and likely performance under stress also contributes towards the CA supervision process of firms, providing evidence to support the challenge of current business strategies, risks management practices and governance where there are perceived weaknesses. |
| Assessment of Principle 17 | Largely Compliant |
| Comment | Credit risk was one of the most critical areas in the assessment of the previous FSAP mission: at that time the mission observed and acknowledged first solid signs of an improvement in the supervisory process on credit risk, but moving from a very dissatisfactory situation, by many considered a concurrent cause of the problems that triggered a number of bank failures. While recognizing this initial progress, it also highlighted the need for a much more proactive, extensive detailed work, including transaction testing. It recommended the development of a strategy for “materially enhanced in-depth review of credit risk,” to be resourced adequately and executed immediately. The situation, five years later, has definitely improved: the PRA has introduced a program of AQRs that represents a definite step forward in terms of scrutiny and intrusiveness, even though in the assessors’ view its use could be further extended (see also CP 18); the skill set of the specialist unit allows to cover a wide range of asset classes (e.g., from SME loans in Asia to leveraged loans in the U.S.); the supervision on individual firms is increasingly supported by cross-firm and thematic reviews. As observed elsewhere (CP 15), these developments concern mainly the largest firms (Category 1 and, to a lesser extent, Category 2). On the other hand, unlike for other risk areas (e.g., liquidity), the PRA expectations with respect to banks’ credit risk-management are quite general and scarcely articulated. Frequently the EBA SREP guidelines are clearer and more detailed than the PRA Rulebook or SSs as regards the supervisory expectations on banks’ credit risk management; however the guidelines were not in force at the time of the assessment, they are not binding (unlike EBA’s technical standards, once endorsed by the EC) and the PRA has only committed to comply, which does not give the required degree of comfort with respect to the PRA’s full compliance with this principle. The following are the main requirements in this principle that are lacking in the PRA’s guidance:
The lack of explicit supervisory expectations on how banks should manage their credit risk can be less of a problem with the largest banks, which through its ‘CA’ approach the PRA engages regularly with and to which it can then more easily convey its expectations in a direct way. But it entails a much less clear supervisory guidance for medium-small banks (with the possible exception of building societies): these are the kind of institutions that structurally lack a sufficiently wide range of diversification opportunity and easily tend to converge on the same business of the moment, competing in the same markets and eventually heading towards a creeping relaxation of underwriting standards. The supervisor could strengthen its oversight of banks’ credit risk-management framework also by enhancing its access to loan level data on a regular, periodic basis. The PRA already receives loan level data through the Mortgage Product Sales Data report, managed by the FCA: it provides information of ‘positive’ nature (like loan size, loan characteristics, borrower characteristics, etc.) and, since 2015, also of ‘negative’ nature (like credit impairment) for all the loans in the database. However it does not cover other asset classes and has only just started to accumulate information on default. The availability of credit data could be enhanced through access to databases like those managed by the credit reference agencies, in order to obtain a more exhaustive coverage (at least for the household lending sector) and a deeper credit history. This would enhance the supervisor’s ability to monitor and interpret credit trends across the industry and to develop techniques for a more detailed offsite analysis of loan portfolios’ performance, leading to more efficient monitoring of credit conditions and of banks’ asset quality. |
| Principle 18 | Problem assets, provisions, and reserves.106 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.107 |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. |
| Description and findings re EC 1 | The EBA Guidelines for common procedures and methodologies for the SREP set the expectation that NCAs assess whether banks have a sound, clearly formulated and documented credit risk strategy, approved by the management body, which covers, inter alia, the management of NPLs (para. 180); whether they have an appropriate organizational framework to enable effective credit risk management, measurement and control (para. 181); whether they have appropriate policies for the identification, management, measurement and control of credit risk, including criteria for loan classification, forbearance, restructuring, and management of NPLs (para. 182). Accounting standards applicable in the U.K. require banks (and other preparers) regularly to assess whether loans and other assets valued at amortized cost have become impaired, and if so to raise an appropriate provision. This means that banks must have systems in place to identify and review problem assets, the associated level of provisions, and whether an impaired loan should be written off. An ‘incurred loss’ accounting approach to loan losses is currently found in both IFRS (IAS 39) and U.K. GAAP (FRS 102). A loan is impaired if a ‘loss event’ has taken place which means that the full contractual cash flows are no longer expected to be collected. The provision is the difference between the contractual cash flows and the best estimate of those expected following a loss event, both discounted by the original effective interest rate of the loan. Write-offs are determined by banks’ own policies and generally take place when there is no reasonable prospect of further cash flows being collected. The PRA does not provide specific supplementary guidance to banks’ on the regular review of their problem assets (at individual and portfolio level) and of their asset classification, provisioning and write-off. The approach to problem assets, like credit risk in general (see EC 17), is based on the idea that, in the first place, problem asset management is the banks’ Boards and senior management responsibility; and, in the second place, it’s the external auditors’ role to form an opinion on whether a bank’s financial statements, taken as a whole (thus including asset classification and provisioning), represent a true and fair view. The PRA relies on its frequent interaction with banks’ external auditors as a fundamental source of information on the adequacy of banks’ practices in this area; this is complemented by further evidence collected through the analysis of ‘MI packs’ and, in selected cases (and mainly for the larger banks), also as a result of AQRs. Specifically: For Category 1 firms that are headquartered in the U.K.: As part of the CA framework the PRA discusses the existing troubled assets, the book as a whole, and the risks it faces (such as emerging problem assets/portfolios), including with the Chair of the Board risk committee, the CRO, regional CROs, and also front office. It also addresses the processes, procedures, and MI they have in place and its efficacy. The MI contains, amongst other things, data on the performance of the book, emerging trends, profiles and nature. Analyzes are performed on data, regulatory returns, and trends (such as LE build up to sectors or regions and the analytics) to develop evidence that the firms’ processes are adequate. The PRA also meets with the auditors a number of times in the year to discuss (amongst other things) provisions and troubled assets etc. It receives the audit reports that relate to the provision assessment and use this to frame the agenda and to challenge the banks where necessary; the accounting specialists support supervisors in asking questions about provisioning levels and the audit thereof. The focus of the more specific reviews of asset quality carried out by supervisors themselves can vary. Nevertheless, they invariably focus on an assessment of the firm’s grading systems, how it values and manages collateral, its processes around identifying emerging risks and the handling of troubled assets (for example, the speed with which they are classified as NPLs), defaulted assets, forbearance and the appropriateness of any impairment provision raised. If deficiencies are found, these can be addressed by asking the firm to perform remedial work on their framework. If the PRA deems an additional provision necessary, it can impose “extra” provisions through starting point adjustments in the base case of stress testing; or, alternatively, factor it into the P2A assessment. In addition, seven Category 1 firms headquartered in the U.K. are subject to the CST. This program assesses the balance sheets of the firms, including how they perform in a hypothetical adverse scenario. As part of the Pillar 2 framework, the PRA can set additional capital requirements based upon either a reflection of their balance sheet i.e., concentrations in high risk sectors/countries/products, etc., or underlying deficiencies in their risk-management, i.e., inappropriate collateral valuations, overly benign credit grades, etc. For branches and subsidiaries of overseas headquartered banks: The work performed on asset quality by the supervisors of the International Banking Directorate is similar to the work described above, except that they do not use the PRA’s credit risk specialists for AQRs. For smaller banks, building societies: All but one of the U.K. building societies and all U.K. smaller banks with significant mortgage portfolios are required to submit twice a year detailed loan book data that provide a detailed analysis of a firm’s loan book by product, indexed LTV, arrears and provisions (the latter two against each product’s LTV band). This loan book data allows to see whether a firm is going up the risk curve in terms of higher LTV lending or higher risk products as well us whether arrears are increasing (and, if so, in respect of which products and LTV bands); the data contain also information on additional provisions. This information is used as a background for discussions/challenge about provisions and their adequacy with the bank and also with their external auditors (whom the PRA meets or speak to at least once a year). Asset quality discussions with smaller firms (Category 3 and Category 4) will tend to take place when the analysis suggests changes in the relationship between asset quality and provisioning levels, although provisioning will typically be covered in every annual meeting/call with the firm’s external auditors. All U.K. building societies and most U.K. smaller banks are audited by a Big Four audit firm and the PRA meets with each of these audit firms once a year to discuss issues around these banks, including the auditors’ assessment of their approaches to provisioning. More generally, discussions about banks’ approach to lending and managing arrears—informed by loan book data and the firms’ lending policy statements as well as by the Board MI––will take place at almost every visit to the firm. For credit unions: Credit unions are all required—by PRA rule—to make prescribed minimum provisions: 35 percent of balances for loans in arrears by 3–12 months and 100 percent of balances for loans in arrears by 12 months or more. The 23 Category 4 credit unions are visited by the supervisory team once a year and at those meetings lending will always be discussed. Those discussions will often be informed by Board MI and strategy documents requested and reviewed prior to the visit. |
| EC 2 | The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes |
| Description and findings re EC 2 | The document ‘The PRA’s approach to banking supervision’ states the supervisor’s expectation that banks ensure that assets and liabilities are appropriately valued and that provisions are adequate. However there is no specific supervisory guidance in place with respect to banks’ policies and processes for identifying and managing problem assets. Supervisors review banks’ problem assets, individually and on a portfolio basis, as well as asset classification, provisioning and write-offs through the CA meetings and by reviewing regular MI. In its routine supervision, the PRA relies significantly on external auditors to assess the appropriateness of provisioning systems and the levels of loan loss allowances. Partly for that reason, the PRA attaches considerable importance to the dialogue between auditors and supervisors. The arrangements for this are set out in a formal Code of Practice:. Supervisors are required to meet with external auditors of all high impact or U.K. headquartered banks at least annually, and more frequently for larger firms. The auditor’s assessment of the bank’s provisioning policies is a typical item on the agenda for those meetings and helps to inform supervisory judgment on problem assets. As a part of this dialogue, the PRA presented to auditors of large banks in 2014 on detailed areas of regulatory focus in loan loss provisioning. In August 2015, the PRA sent a list of questions to auditors around their assessment of bank’s provisioning practices, requesting written responses. (see also CPs 26 and 27). Other tools that supervisors use are AQRs and thematic reviews, which review a number of firms to provide peer comparisons. These reviews can be conducted by supervisory staff or by expert third parties (under S166 FSMA). The FRC focuses on promoting high quality corporate governance and reporting, in particular through the work of the Conduct Committee and the Audit Quality Review team. The Conduct Committee’s review focuses on corporate financial reporting, and the team monitors the quality of the audits of listed and other major public interest entities together with the policies and procedures supporting audit quality at the major audit firms in the U.K. This includes their 2014 review of the quality of audits of banks. The PRA highlighted to the FRC some concerns about the audit of loan loss provisioning, as a result of which this was the focus of their most recent (2014) work on audit of banks. |
| EC 3 | The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.108 |
| Description and findings re EC 3 | When an off balance sheet asset meets the accounting definition of a derivative under IFRS and FRS 102, it will be measured at fair value and the valuation should reflect, amongst other things, the credit quality of the counterparty. IFRS requires most other off balance sheet items, such as loan commitments and guarantees, to be subject to provisioning where appropriate. Currently the relevant standard will sometimes be IAS 37 Provisions, contingent liabilities and contingent assets, but IFRS 9 Financial Instruments will require most loan commitments and written guarantees to be subject to expected credit loss provisioning. The U.K. accounting standard setter, the FRC, has stated that it will consider amending FRS 102 to bring it into closer alignment with IFRS 9. Banks with IRB permission are required to have risk-management policies, processes and systems that ensure off balance sheet items are categorized and measured appropriately. This would be verified through model reviews, thematic reviews and self-attestations. It is the role of the supervisor to ensure that the bank’s provisioning process takes into account off balance sheet or contingent liabilities that would have a high probability of coming on balance sheet should a stress event occur or as a result of a change in credit quality of the on balance sheet assets. This process is supported by the Credit Risk Specialists who as a matter of course check the evolution of off balance sheet commitments as part of the AQR process and quarterly C&C meetings where changes in contingent liabilities and provisions are reported and discussed. |
| EC 4 | The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. |
| Description and findings re EC 4 | Accounting standards require banks to establish loan loss provisions in a timely manner and, where correlated to loan losses, to take account of economic conditions (IAS 39, para. 59 (f) (ii) under IFRS; FRS 102, para. 11.22(e) and 11.23]. Market and macro-economic conditions are also factored into provisioning through the work of the FPC. For example, the FSA wrote to banks at the request of the FPC ahead of their 2012 financial statements being finalized because––based significantly on analysis by supervisors––the FPC considered that loan loss provisions did not fully reflect macroeconomic and market conditions. The FSA’s letter noted that the recession had continued for longer than had been widely anticipated and that there were particular concerns about provisioning for commercial real estate exposures. This was part of a broader FPC initiative, which concluded that major U.K. banks’ and building societies’ capital positions could be overstated by GBP 30–40 billion as a result of unrecognized expected loan losses (and, in addition, by GBP 10–20 billion as a result of unrecognized conduct costs and some GBP 20 billion arising from imprudent risk weighting)—see FSR, June 2013, pp 62–3. AQRs are used by supervisors (as part of CA for the major firms and more generally for others) to determine whether appropriate classification of assets and timely provisioning are in place. EWRM reviews are also used as a tool to determine appropriateness. Risk management reviews in respect of credit risk would consider both the policies and procedures established by a bank and the extent to which these policies and procedures are actually implemented throughout a bank. |
| EC 5 | The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, and 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). |
| Description and findings re EC 5 | Classification of contractual arrears by days past due is not currently mandated by accounting standards, but is required in the context of regulatory reporting: the supervisory reporting framework of the EBA governs the collection by supervisors of data on impaired loans and debt securities, nonperforming exposures, forborne exposures, as well as past-due loans and securities and associated impairment (see templates FINREP F4, F7, F12, F18, and F19 in Annex 3 of the ITS on supervisory reporting). Supervisors conduct AQRs or thematic reviews in order to be sure the firms are classifying problem assets appropriately and promptly, without circumventing standards. They may also ask Internal Audit and/or external auditors to review/provide comfort that the firm is behaving appropriately. To test banks’ treatment of assets, in November 2013 the PRA introduced a program of AQRs at Category 1 banks led by credit risk specialists and covering key retail and corporate loan portfolios. The aim is to assess the adequacy of accounting provisions and Pillar 1 and 2A capital. AQRs are typified as having four levels of granularity, ranging from reviews of regulatory returns, banks’ data and MI (Level 1), to more detailed reviews including transaction testing on a limited judgmental sample of loan files (Level 3) or on a larger and statistically robust sample (Level 4). The Level 1/2 assessments include reviewing policies and procedures to ensure that they cover the criteria for assessing borrowers’ creditworthiness and collateral evaluation and those for loan classification; verifying that the bank can detect, measure and regularly monitor the credit risk inherent in all on- and off-balance-sheet activities with regard, inter alia, to collateral coverage, contractual terms and agreements, covenants; assessing the level and quality of CRM; assessing whether the institution has appropriate skills, systems and methodologies to measure risk at borrower/transaction and portfolio level, and, in particular, to differentiate between different levels of borrower and transaction risk. Portfolio-level and file-level (i.e., Level 3/4) reviews are undertaken—primarily in respect of corporate loans—by credit risk specialists to ensure that lending decisions (new exposures and renewal and refinancing of existing exposures) comply with policies and procedures. AQRs are targeted at areas of exposure with potential material problems and are aligned to the FPC’s assessment of risks in setting the annual stress test scenario. AQRs have been conducted across a range of banks simultaneously for certain portfolio types (e.g., commercial real estate, SME/Mid-corporate), to allow comprehensive benchmarking and rank ordering of risks. While AQRs of the Level 3 and 4 type have been occasionally performed on banks not belonging to the first category, in the two and a half years since legal cutover the number of these detailed reviews performed by the credit risk specialists on the smaller banks has been limited: 8 on Category 2 firms and 3 on Category 3 firms (no AQRs on Category 4 or 5 banks). There are no plans to subject the remaining banks to similar review within a given time frame, though AQRs can be programmed and executed at any time, should the PRA envisage the need to and have the necessary resources for. Some AQRs are also conducted by the ‘line’ supervisors. |
| EC 6 | The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. |
| Description and findings re EC 6 | The PRA has access to six sources of relevant information:
Receiving regular MI is part of the CA process and allows qualitative reviews of the information. Regular regulatory reporting for all firms includes data on arrears levels for different asset classes and the corresponding provisions raised against those asset classes by the bank. Supervisors therefore get a regular insight into any discrepancy arising between arrears and provisions. For banks who are supervised on a portfolio basis (i.e., small banks) mandatory reporting i.e., COREP/FINREP allows point in time reviews and trend analysis enabling supervisors to assess firms’ provisioning both individually and on a peer basis. There is no specific requirement for banks to have adequate documentation in place to support their classification and provisioning levels, but the PRA considers this requirement covered by its Fundamental Rules. The PRA expects firms with appropriate governance to have processes in place that enable them to justify provisioning levels to their Board committees. External auditors will also expect their clients to have properly documented their provisioning methodology, assumptions, inputs and assessments. The assessors were provided examples of information received by the PRA on asset classification and provisioning; they found it adequately detailed. |
| EC 7 | The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. |
| Description and findings re EC 7 | Art. 104 of CRD establishes that NCAs should have the power to require institutions to apply a specific provisioning policy or treatment of assets in terms of own funds requirements. The PRA assesses the adequacy of classification and provisioning levels through the regular review of MI, interviews with senior management, and dialogue with the external auditors, and any subsequent reviews. Given that the PRA does not have formal powers over provisioning in banks’ financial statements, the approach that would most commonly be taken to a concern that loan loss provisions in a bank were insufficient would be to persuade directors to adjust provisioning levels, or for the PRA to make an appropriate deduction from a bank’s capital in determining the starting point in the CST exercise. Alternatively, the required extra provisions could be factored into the Pillar 2A add-on. In 2013 the FPC asked the PRA to conduct a detailed analysis of the largest banks’ capital adequacy, including by investigating overvaluation of some assets through under-provisioning against expected future credit losses. As a result, the PRA identified an aggregate shortfall of around GBP 13 billion (net of actions already planned) in the capital of eight major U.K. banks and building societies and invited them to take additional actions to completely close the capital shortfalls. |
| EC 8 | The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. |
| Description and findings re EC 8 | Supervisors ensure that the governance arrangements within a firm are adequate to confirm that collateral is appropriately valued and monitored. This could be through model reviews for an IRB bank or through a review of the risk-management policies in place. AQRs and cross-firm thematic reviews also allow for assessment of the management of collateral, including peer comparison taking into account market conditions and the economic cycle. Risk management reviews dealing with credit risk would consider the management and valuation of collateral and other risk mitigants—because risk mitigants are crucial in assessing what level of provisioning for a problem asset or portfolio is appropriate. |
| EC 9 | Laws, regulations or the supervisor establish criteria for assets to be:
|
| Description and findings re EC 9 |
An exposure shall remain classified as nonperforming while those conditions are not met, even though the exposure has already met the discontinuation criteria applied by the reporting institution for the impairment and default classification. Also, for exposures that are both nonperforming and forborne, the ITS set the conditions for discontinuing their classification as nonperforming (para. 157):
The ITS clarify that those specific exit conditions shall apply in addition to the criteria applied by reporting institutions for impaired and defaulted exposures. Para. 176 of the ITS set the conditions for discontinuing the classification of an exposure as forborne. In 2011 the FSA published a specific guidance on forbearance and impairment provisions for mortgages, explaining the authority’s view on good and poor practice in the overall provision of forbearance to customers and on the adequacy of controls, oversight, reporting, and disclosure. The new EBA definitions are not hard coded into the work the PRA does on the identification of and provisioning for problem assets, although these are factors that are taken into account in the work done on the quality of assets, both through regular offsite monitoring (COREP reports, FSA015 report, MI ‘packs’) and, in selected cases, by means of AQRs. The reviews focus, inter alia, on the bank’s processes around identifying emerging risks and the handling of troubled assets (for example, the speed with which they are classified as NPLs), defaulted assets, and forbearance. Supervisory work in this regard varies, from reviewing MI, performing AQRs or potentially instructing a third-party to perform a thematic analysis. The flexibility allows the PRA to focus on either or both of nonperforming assets or “newly” performing assets, assessing the criteria of how an asset is classified as non-performing/newly performing and how well these criteria are applied in practice. |
| EC 10 | The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. |
| Description and findings re EC 10 | Supervisors look into what pro-active work the Board initiates, e.g., deep-dive reviews into areas that they are less familiar with or which in their judgment could present a future risk. Supervisors receive bank Board papers, which allow them to see directly what information is presented to the Board. The CA schedule requires supervisors to meet with the Board members and, in doing so, can confirm both the level of information they receive and challenge they provide. Regular meetings with the bank’s auditors offer an independent view of how the Board interacts with the bank’s risk-management and any subsequent Board induced action. |
| EC 11 | The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. |
| Description and findings re EC 11 | From a supervisory perspective, the regular MI the PRA receives (both from COREP and banks’ own MI) highlights significant exposures and the criteria which classify them. Regular meetings with banks’ risk personnel are used to discuss these exposures, their classification, the strategy around them, and mitigants to the risk, i.e., collateral, diversification, etc. If the assets are troubled, this then extends into the workout strategy and prudency of provisioning. The PRA does not require banks to set a threshold beyond which an exposure should be individually assessed. |
| EC 12 | The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. |
| Description and findings re EC 12 | Individual bank supervisors undertake CA of firms’ annual risk appetite and lending plans, including various concentration limits and triggers. This engagement is supported by the SRS credit team’s cross-firm review of collections & recoveries and asset quality assessments. One example of the risks identified recently through this process is challenge around buy-to-let concentrations and provisions coverage. At the system level, the FPC monitors the potential build-up of risk and makes recommendations when it considers necessary. In November 2012 the FPC noted that, based on information from supervisory intelligence and banks’ own public disclosures, provisions in areas including the commercial real estate sector and vulnerable euro area economies might not have taken full account of expected losses. As a result, the FPC recommended that the FSA took action to ensure that capital reflected a ‘proper valuation’ of assets in these areas. The subsequent detailed exercise by the FSA resulted in a provisions shortfall of around GBP 30 billion, and the banks in question were required in 2013 to raise capital or adjust balance sheets as necessary. Another example is the action to contain the rise in mortgage lending with high loan to income ratios. This recommendation was made given analysis that there were risks to financial stability from a significant increase in the number of very highly indebted households. FPC has also published a statement on how it views risks in the housing market, and in particular how it monitors the build-up of those risks. Regular monitoring includes analysis of the distribution of risk metrics both within the household sector and the banking sector, indicators of housing market conditions, and assessment of the outlook and risks around that. The FPC may also ask for a stress test scenario to be adopted to explore a risk further. A good example of this is the 2015 stress test scenario which was intended to explore U.K. banks’ exposure to emerging market economies, given the combination of strong lending to some of these economies by some U.K. banks, and the risk that NPL could start to rise. FSSR staff supporting FPC monitors emerging risks to U.K. banks, including through reporting by supervisory intelligence as well as trends in bank profitability, NPLs, aggregate lending data, LE, important markets (particularly property markets) and international developments, as can be seen in the FSR and FPC records. It also coordinates across directorates (PRA, International, Financial Market Infrastructures, etc.) to arrive at a Quarterly Risk Pack providing assessment of the risks to the outlook for U.K. Financial System to FPC and PRA Board. Finally, a Credit Risk Forum has been established for those, within the BoE/PRA, concerned with U.K. credit risk, to share risk assessment on the macro and micro side. Examples of recent topics include U.K. credit cards, challenger banks, BTL market, and U.K. CRE. The assessors got access to the presentation pack of a recent Credit Risk Forum a number of cross-firm reviews on different topics: U.K. CRE lending and slotting, Mid Corporate / SME, collection and recoveries on U.K. mortgages and, in preparation of the 2014 CST, U.K. residential mortgage. The assessors also found evidence of reviews by credit risk specialists on individual banks focusing, inter alia, on potential threats to the asset quality through concentration, market and macro-economic issues. |
| Assessment of Principle 18 | Largely Compliant |
| Comments | The PRA basic philosophical approach to banks’ credit risk and problem asset management is that these are areas whose primary responsibility is with the banks and that is mainly the external auditor’s role to ensure that the banks’ practices are appropriate and lead to a true and fair representation of their financial situation. This explains the importance assigned by the PRA, in its supervisory approach, to a frequent interaction with banks’ external auditors and with the auditing profession in general. While external auditors can represent a precious source of information and insight into banks’ management of problem assets, this clearly needs to be complemented by a more direct supervisory analysis, as the PRA also recognizes. In particular, this core principle includes the requirement (introduced by the 2012 review of the BCPs) that supervisors test banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (EC 5). This entails a direct scrutiny of banks’ asset classification and provisioning via, inter alia, transaction testing, i.e., a detailed analysis of a sample of loan files (especially for non-retail portfolios). In November 2013, the PRA introduced a program of AQRs at Category 1 banks, led by credit risk specialists and covering key retail and corporate loan portfolios. The aim is to assess the adequacy of accounting provisions and contribute to a decision on the appropriate Pillar 2A buffer. AQRs are typified as having four levels of granularity, ranging from reviews of regulatory returns, banks’ data and MI (Level 1), to more detailed reviews including transaction testing on a limited judgmental sample of loan files (Level 3) or on a larger and statistically robust sample (Level 4). While AQRs of the Level 3 and 4 type have been occasionally performed on banks not belonging to the first category, in the two and a half years since legal cutover the number of these detailed reviews performed by the credit risk specialists on the smaller banks has been limited: 8 on Category 2 firms and 3 on Category 3 firms (no AQRs on Category 4 or 5 banks). There are no plans to subject the remaining banks to similar reviews within a given time frame, though AQRs can be programmed and executed at any time, should the PRA envisage the need to and have the necessary resources for. Also, a certain number of detailed AQRs are run directly by the line supervisors, though the assessors could not obtain statistics on this. The duration and staffing of visits for Level 3 and 4 AQRs delivered by the Risk Specialist Division—as well as the number of files examined––present a wide range of variation; from the material reviewed the assessors got the impression that the median AQR might be staffed with around three specialists plus one line supervisor, last less than two weeks, and review around 100 loan files representing a share of the portfolio that can go from 5 percent to 50 percent, depending on the asset class examined. This approach appears consistent with the PRA’s interpretation of its mandate and its intention to pursue a risk-based and proportionate approach to banking supervision. However it does not ensure that the fundamental reliance on external auditors’ contribution to the analysis of banks’ problem asset management practices be always appropriately accompanied by a more direct supervisory scrutiny, as this principle requires. It also entails that a large number of banks, while regularly monitored offsite and more intensely engaged whenever credit risks are perceived to increase or accumulate, can expect––with a high probability––not to be subject to a more direct and intrusive scrutiny by the supervisor for several years (possibly spanning a whole credit cycle). As pointed out for CP 17, these are the kind of banks most likely to converge towards the same promising business or market, when profitable opportunities emerge. The PRA has put in place an offsite monitoring system which relies on the identification of outliers or banks moving up the risk curve (e.g., by shifting towards higher LTV buckets for mortgage lending) and that can then well serve its purpose in capturing idiosyncratic risks in terms of individual banks drifting away from a safe and sound growth path; but it does not provide sufficient reassurance that emerging risks can be identified sufficiently in advance (e.g., creeping deterioration of underwriting standards within a formally unchanged lending policy). While these banks might represent a modest share of total assets, and hence reasonably pose no threat to the financial stability, they might still serve a share of bank customers large enough to cause embarrassment to the PRA, should any of the largest among them fail and lead their customers to question the effectiveness of the supervisor’s job. So, even if the risk-based philosophy underling the PRA’s approach is understandable and broadly shareable, to protect itself from reputational risk, the PRA should consider introducing elements of mitigation with respect to the risk of missing important ‘pockets’ of risk from its monitoring tools. As loan-file-based AQRs tend to absorb a relevant amount of scarce and increasingly overburdened specialist resources, the PRA may want to consider the possibility of relying to a greater extent on ‘line supervisors’: after all, loan file reviews are the staple activity for ‘standard’ bank supervisors in many jurisdictions, often since their apprenticeship. While line supervisors already conduct credit reviews and credit risk training is part of the supervisory training for all new supervisors, this could be reinforced as to allow supervision to autonomously conduct AQRs more frequently. In the short term this would put further pressure on the specialist resources (who provide on the job training to line supervisors) and would likely affect also their ordinary activity; but in the longer term it would allow increased flexibility in the use of resources and less need for too tight prioritizations. Should that prove not sufficient yet to avoid an excessive burden on resources, the PRA could consider, as a minimum, to incorporate forms of ‘backstop’ in its approach, such as—for example—random AQRs at banks of less than large size that do not present evident issues: this would help to mitigate the expectation, for these smaller banks, to be able to get away with less intense and intrusive supervision for prolonged periods, provided they manage not to attract too much attention. All in all, the assessors came to the conclusion that the current PRA approach to problem assets and provisioning is not fully compliant, but not materially non-compliant either, as they got comfort from the observation that the supervisors have established an intense and fruitful dialogue with the external auditors, even for the smaller banks, and that the PRA can (and does) substantially influence the work done by the auditors according to its own priorities as regards their assessment of banks’ asset classification and provisioning (see EC 27); this, especially in the current benign environment—with NPL ratios close to their historical lows––substantially mitigates what the assessors perceive as inherent limits in the PRA approach; which they nonetheless warmly invite the authority to address, possibly––though not necessarily—along the abovementioned lines. Another requirement introduced by the 2012 review of BCPs is for the supervisor to require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold (EC 11); the PRA does not require this. |
| Principle 19 | Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.109 |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.110 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. |
| Description and findings re EC 1 | Part IV of the CRR (Arts. 387–403) contains a comprehensive regime for the treatment of LE, capturing on-balance sheet exposures, off-balance sheet exposures and contingent liabilities. Banks are required to have sound administrative and accounting procedures and adequate internal control mechanisms for the purposes of identifying, managing, monitoring, reporting and recording all LE and subsequent changes to them (Art. 393). Art. 81 of CRD––transposed into PRA Rulebook ICAA 6––require firms to establish written policies and procedures to address and control concentration risks. Specifically, firms must establish policies and procedures to control concentration risk arising from:
Banks are also required to monitor the concentration of their funding sources (by product and by counterpart) and of the products representing their liquidity counterbalancing capacity (see CP 24). Market risk concentrations are addressed under Pillar II: banks are required to hold additional capital to cover market risks that are underestimated or not covered under the market risk framework in Pillar 1; the majority of such risks relate to illiquid, one-way and concentrated positions. The assessors got access to data on the capital add-ons applied to major banks and verified the methods and processes used to account for market risk concentration. The PRA assesses and scores institutions’ management of credit concentration risk as part of the risk-management and controls category of the PRA risk model. Furthermore, under the SREP, the PRA assesses whether additional capital is needed, applying a methodology that generates a suggested capital add-on for single-name, sectoral and geographic concentration risk, separately. A revised methodology was finalized recently and will be implemented in January 2016.111 In addition, PRA Rulebook ICAA 6 refers to concentration arising from CRM. This encompasses concentration risk arising via collateral and/or guarantees. For wholesale asset classes, both sectoral and geographic concentration risk assessment applies. Retail asset classes only attract a geographic (international) concentration risk charge. Collateral is inherently accounted for in the assessment methodology, which is based on RWAs. For single name, sectoral, and geographical concentration risk, firms are required to report banking and trading book assets. The assessors got access to a number of reports which focus on concentration risk within different asset classes (e.g., U.K. mortgage portfolios, Asian Mid-Corporate and SME). |
| EC 2 | The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and LE112 to single counterparties or groups of connected counterparties. |
| Description and findings re EC 2 | If the PRA has reason to suspect that an institution’s information systems are failing to identify and aggregate information on LE (or, indeed, other relevant information) adequately, it may conduct a review of the institution’s systems and procedures for managing operational risk. If, after such a review, the PRA is still not satisfied that the institution has adequate systems to identify and manage risks, it can commission a ‘skilled persons’ review of the firm under S166 of the FSMA Act 2000. Within the last five years, the PRA has reviewed reporting systems of a number of large firms, using the powers provided to it under FSMA S166. The PRA may also impose additional capital requirements for firms where it suspects deficiencies in information and reporting systems. The assessors found evidence of a concentration risk assessment performed by the risk specialists and of a skilled person report on the same subject. |
| EC 3 | The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. |
| Description and findings re EC 3 | Institutions are required to ensure their ICAAPs are materially up-to-date and reviewed by their Boards at least annually. The PRA expects institutions to update their ICAAPs more frequently if changes in the business, strategy, nature, or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate. The PRA Rulebook’s ICAA Section, Chapter 6, require banks to address and control concentration risk, by means which include written policies and procedures, but does not set out a requirement to specify limits. The PRA expects Boards to take ownership of the ICAAP. While there are no rules for building societies, the Building Societies Sourcebook (SS 20/15—supervising building societies’ treasury and lending activities) sets out supervisory expectations re certain mortgage and treasury concentrations (e.g., max proportion of balance sheet that should be sub-prime or CRE). The PRA expects Boards to take ownership of the ICAAP, keeping it materially up-to-date and reviewed at least annually. As specified in the ICAA part of the PRA Rulebook, firms ICAAPs must include an assessment of concentration risk. The assessors reviewed a report analyzing the limits for concentration risk in place at a large U.K. bank with respect to a number of different dimensions, including single name concentration, top 20 exposures, specialized lending, sovereigns. |
| EC 4 | The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. |
| Description and findings re EC 4 | As regards LE, CRR Art. 394 sets out reporting requirements for LE and certain largest exposures, including the identification of client or group of clients, the value of the exposure before CRM, type of credit protection, and expected run-off of the exposure. In addition, the EBA has developed COREP templates and instructions in relation to LE (Commission’s Implementing Regulation (EU) No 680/2014 on supervisory reporting and subsequent amendments, Annex VIII and IX). The annexes include identification of the counterparty by general sector (government, credit institutions, households), and statistical sectoral codes for individual counterparts which are non financial corporations. The PRA collects information on LE and capital adequacy on a quarterly basis. Firms report information on their LE through COREP template ‘COR002.’ This provides the PRA with information on banks’ exposures to different sectors and economic activities, including by 2-digit nomenclature of economic activity (NACE) codes. Banks are required to provide geographical breakdowns of their exposures through COREP template ‘COR001.’ Information on currency exposures is available through liquidity reporting templates (COR003 and COR004). Firms required to comply with ‘FINREP’ reporting requirements submit information on concentrations through templates F20.01–20.07. For firms within the FINREP reporting framework, exposures are also broken down into high-level economic activities (that is, by top-level NACE Codes). These exposures are not subject to reporting thresholds. Firms are also required to submit data on credit concentration risk within their ICAAP, as specified in PRA Rulebook (ICAA). Credit concentrations to sectors and geographic regions are assessed under Pillar 2. The PRA requests data from firms in advance of assessments and expects firms to self-assess concentration risk as part of the ICAAP. The assessors had access to examples of concentration risk data—by sector, country, U.K. region—that the PRA collects for Pillar 2 reviews under both the current and the new approach, to be implemented in 2016. |
| EC 5 | In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. |
| Description and findings re EC 5 | CRR Art. 4(39): defines ‘group of connected clients’ as any of the following:
There is a possible exception for natural and legal persons connected with the government, which “may be considered as not constituting a group of connected clients. Instead the existence of a group of connected clients formed by the central government and other natural or legal persons may be assessed separately for each of the persons directly controlled by it in accordance with point (a), or directly interconnected with it in accordance with point (b), and all of the natural and legal persons which are controlled by that person according to point (a) or interconnected with that person in accordance with point (b), including the central government. The CEBS ‘Guidelines on the revised LE regime,’ Part I (currently being updated) provide guidance on how to apply the definition of ‘group of connected clients’ in practice: para. 24 of the Guidelines clarifies that “in cases of divergence between the opinion of the institution and that of the competent authority, it is the competent authority which decides whether a client must be regarded as part of a group of connected clients.” Under the FSMA part XIV, the PRA can, on a case-by-case basis, require banks to treat counterparties as a group of connected clients if it feels that such a treatment is warranted. In reaching a judgment about whether a group of counterparties constitutes a group of connected clients, the PRA takes into account the ‘Guidelines on the implementation of the revised LE regime’ issued by the CEBS in 2009. In addition, the PRA adheres to the principles for identifying groups of connected clients established in FSA Policy Statement 12/21, which contains rules on the treatment of LE to structured finance vehicles. The assessors found evidence of how the PRA can require that a bank consider a group of entities––reported as non-connected––as a group of connected clients. |
| EC 6 | Laws, regulations or the supervisor set prudent and appropriate113 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. |
| Description and findings re EC 6 | The EU LE regime is broadly aligned with the Basel 2014 LE framework, but there are likely to be gaps: in particular, exemptions wider than under the Basel text and more generous treatment for certain asset classes (e.g., covered bonds, exposures to G-SIBs). However, the Basel framework for LE was published in 2014. It will take effect from January 1, 2019. ‘Exposures’ are defined by Art. 389 CRR as any asset or off-balance sheet item referred to in the standardized approach for capital requirements on credit risk, without applying the risk weights or degrees of risk; it thus includes on- and off-balance sheet exposures and all the claims and transactions that give rise to counterparty credit risk. This in line with the Basel standard, except for exposures considered ‘low-risk,’ which receive a 0 percent credit conversion factor (CCF) in the CRR (consistently with the standardized approach for credit risk), while a 10 percent floor applies to all CCF in the Basel LE framework. Any exposure to a client or group of connected clients equal to or greater than 10 percent of a firm’s eligible capital is to be considered a LE (Art. 392). CRR Art. 395 sets out limits to LE at 25 percent of a bank’s eligible capital, after taking into account the effect of CRM. If the client is a credit institution or investment firm, the limit is the largest between 25 percent and EUR 150 million; if the EUR value is higher than 25 percent of the bank’s eligible capital, the exposure must not exceed a “reasonable limit,” to be determined by the institution’s internal policies and procedures, which must not exceed 100 percent of the institution’s eligible capital. CRR Art. 6 establishes that LE limits must be complied with on both individual and consolidated basis. In the U.K. the exemptions provided for by Arts. 400 (1) and (2) CRR take the form of two different kinds of permission (see also SS 16/13):
The PRA will only grant either of these intragroup LE permissions where it is satisfied that the reporting firm and the respective intragroup entities effectively operate as a single party. More specifically, firms must demonstrate that there are no current or foreseen material, practical or legal impediments to the prompt transfer of capital or the repayment of liabilities from the entity to the firm. At the time of the assessment there were 13 core U.K. group permissions and 20 noncore LE group permissions currently in force. The PRA reviews firms’ reporting on their LE, which is conducted quarterly through reporting template COR002, on both a solo and a consolidated basis (see EC 4). The PRA’s RDG performs plausibility, checking on the consistency and reliability of these reports, and supervisors review the returns to identify key risks arising from LE. In addition, the largest investment firms report MI to the PRA on a weekly basis, which includes information on LE. The PRA also makes ad-hoc requests for information on firms’ LE and their risk concentrations, as appropriate, based on market intelligence. The assessors analyzed some examples of MI sent by banks to the PRA and a review of single name concentrations. |
| EC 7 | The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk-management purposes. |
| Description and findings re EC 7 | The PRA requires banks to include the impact of significant risk concentrations within stress-testing and scenario analysis that forms part of their ICAAP reviews. Banks are expected to apply particular stresses to identified significant risk concentrations in order to test that the capital held for concentration risk under Pillar 2 is sufficient. The CST scenarios by design highlighted the impact of specific concentrations. For example, the 2014 CST focused on a U.K. downturn with emphasis on residential mortgage portfolio valuations. This highlighted the stress impact on U.K. centric firms (geographic concentration risk) and specific mortgage loan portfolios (product concentrations), e.g., Nationwide, LBG, etc. The 2015 CST focused on an Asian stress (geographic concentration risk) with a combined trading book shock (product concentration), which impacted mainly HSBC, SCB, Barclays, etc. Additionally, the 2015 CST required firms to identify and rank their top ten Asian trading book exposures under the stress scenario. From this list, they had to default at least the two most vulnerable counterparties (or default more than two if the firm deemed that more than two names are likely to default under the scenario. In respect of European counterparties, perform the same exercise, but default at least the most vulnerable from the top ten. |
| Additional criteria | |
| AC1 | In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:
Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. |
| Description and findings re AC1 | The EU definition of LE and the LE limits are compliant with the abovementioned criteria (see also EC 6), except for the exemptions granted by Art. 400 CRR, which are neither temporary nor necessarily related only to very small or specialized banks. Also, under CRR Art. 395(1) small credit institutions and investment firms (those for whom EUR 150 million is more than 25 percent of their eligible capital) are exempted from some elements of the LE requirements. For such institutions, LE to other credit institutions may be up to 100 percent of their eligible capital, or EUR 150 million, whichever is the higher. |
| Assessment of Principle 19 | Compliant |
| Comments | The CRR sets the LE regime and determines the limits to be observed. While the framework is broadly aligned with the Basel 2014 LE framework (which will take effect from January 1, 2019 and will be applicable to internationally active banks, regardless of size) and the ECs, there are likely to be gaps. Some exceptions under CRR 400(1) seem to go beyond the Basel LE framework and weaken the limit, such as for some off-balance sheet contingent facilities (which, in the LE framework, are subject to a 10 percent CCF floor). In addition, exemptions under national discretion provided by 400(2) may not be compliant with the LE regime: for instance the Basel LE regime establishes that a covered bond meeting certain conditions can be assigned an exposure value of no less than 20 percent of the nominal value of the banks covered bond holding. The national discretion provided under 400(2) doesn’t mention the 20 percent floor. The eligible covered bonds under CRR Art. 129 also seem to be broader than the eligible covered bonds under para. 70 of the LE framework, as underlying assets in the EU can be exposures to banks, and maritime liens on ships. There is no stricter LE limit for G-SIBs as per the Basel LE framework. Some of these elements of noncompliance in the EU regime for LE are likely to be non material in the case of the U.K.: for example, it is unlikely that there be significant concentrations of covered bonds in the banks’ balance sheets, given that covered bond holdings are typically not relevant for U.K. banks in the first place. However, an exhaustive analysis of the nature and materiality of divergences between the EU and Basel framework for LE (of the kind of the EU RCAP on the capital requirement framework, for example) is not available; similarly, there does not exist an analysis of the materiality of those divergences in the specific case of the U.K. Also, EC 6 clarifies (footnote 193 of the BCP document) that the “prudent and appropriate requirements to control and constrain large credit exposures” should ‘reflect’ the applicable Basel standards. Considering all this, the assessors came to the conclusion that, at the best of their knowledge and understanding, given the information available, the EU framework for LE, as applied in the U.K., does not seem to present deviations of such a materiality that it no longer reflects the Basel standards. As regards concentration risk, the PRA framework appears overall robust and the assessors could examine a number of detailed and analytical reviews conducted by the risk specialists on different dimensions of credit concentration risk and information received on concentration in funding sources and liquid assets. Also, the PRA has further reinforced its approach to concentration risk by introducing a standard methodology to set, for all banks, Pillar 2 capital buffers against credit concentration risk stemming from single name, sector and geographic credit concentration. The PRA also considers market risk concentrations; while its approach in this area is less structured than for credit risk, the assessors found evidence of supervisory action based on the analysis of market risk concentrations, such as Pillar 2 add-ons for illiquid, one-way and concentrated positions. The main notable divergence from the essential criteria of this principle is that the PRA does not require banks to have risk-management policies and processes that establish thresholds for acceptable concentrations of risk, as expected under EC 3. Requiring banks to set internal limits for concentration risk within their risk tolerance is important to promote a higher level of discipline in the management of their risk concentrations and the assessors recommend that the authorities explicitly introduce and enforce this requirement in their regulation. The lack of this requirement in an explicit form is partially compensated by the fact that, at least for credit risk concentrations, the Pillar 2 approach entails now a penalization in terms of capital buffers. Another divergence relates to the requirement that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board (EC 3): this is achieved implicitly, through the PRA expectation that Boards ‘own’ the bank’s ICAAP, which, in turn, requires that credit concentration risk is addressed. The assessors then considered these deviations not material enough to change their perception of an otherwise fairly robust overall framework for concentration risk and to deviate from an assessment of full compliance. |
| Principle 20 | Transactions with related parties. In order to prevent abuses arising in transactions with related parties114 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties115 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. |
| Essential criteria | |
| EC 1 | Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties.” This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. |
| Description and findings re EC 1 | The PRA Rulebook defines “related parties” in relation to a firm as:
The PRA has the power to require, on a case-by-case basis, a firm to recognize a person or entity as a related party, where it has not already done so (PRA Rulebook’s section on related party transaction risk). |
| EC 2 | Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.116 |
| Description and findings re EC 2 | Under the PRA Rulebook, a firm must enter into transactions with related parties at market value or on terms no more favorable than would be agreed if the transaction was not with a related party. For the purposes of the instrument, ‘transactions’ are defined as any arrangement or circumstance that gives rise to, or varies, an on-balance sheet or off-balance sheet asset or liability (whether contingent or otherwise). Transactions may also refer to dealings such as service contracts, asset acquisitions and disposals, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The prohibition on firms entering into transactions with related parties on more favorable terms does not apply to beneficial terms that are part of firms’ overall remuneration packages, such as favorable interest rates for employee loans. In addition to the PRA Rulebook on related parties, the Building Societies Act (BSA) 1986 contains a number of provisions and restrictions relating to building societies’ transactions with directors and other persons connected with building societies. S63 sets out requirements around disclosure of transactions and arrangements with directors; S64 imposes restrictions on substantial property transactions with directors and connected persons; and S65 imposes restrictions on societies’ ability to make loans to directors or persons connected with directors on more favorable terms than with other parties. S66 contains sanctions for breeches of S65. S68 contains requirements for transactions with directors and connected parties to be recorded and reported to the societies’ members and for this information to be made available to the FCA and the PRA. Finally, under S69, there must be disclosure and recording of income by a director or officer of a building society obtained via the provision of certain services to the society. |
| EC 3 | The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. |
| Description and findings re EC 3 | The PRA Rulebook requires firms to set a ‘materiality threshold’ above which transactions with related parties (including write-offs) receive prior approval from the firm’s management body. The PRA Rulebook further requires firms to prevent a related party from taking part in the firm’s decision making process in relation to any transactions with that related party |
| EC 4 | The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. |
| Description and findings re EC 4 | The PRA Rulebook requires that a firm’s policies and procedures on related parties’ transactions must prevent a related party from taking part in the firm’s decision making process in relation to any transactions with that related party. PRA supervisors address banks’ policies and processes for identifying and mitigating conflicts of interest as part of periodic ‘governance reviews’ and ‘EWRM’ reviews, tailored to the particular risks and circumstances of individual firms (see BCP 15, EC 1). The frequency of such reviews depends on the size and complexity of the firms; for ‘Category 1’ U.K. firms, they take place once every two or three years; for lower categories of firms, the PRA conducts governance reviews and EWRM reviews every 2 to 3 years and the depth of the reviews will depend on the size and complexity of the firms. |
| EC 5 | Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. |
| Description and findings re EC 5 | Before the entry into force of the CRD-CRR framework, the matter was regulated by FSA’s (first) and PRA’s (then) BIPRU; in particular, BIPRU 10.5.6 required banks to “ensure that the total amount of its exposures to the following does not exceed 25 percent of its capital resources (as determined under BIPRU 10.5.2 R, BIPRU 10.5.3 R and BIPRU 10.5.5 R):
“Connected counterparty” was defined (by BIPRU 10.3.8) as “another person (‘P’) to whom the firm has an exposure and who fulfils at least one of the following conditions:
The term ‘associate’ includes, for individuals, related family members and trustees of which the individual’s family is a beneficiary or discretionary object. The assessors found evidence of how this rule was used to intervene on a bank where the total exposure to connected parties was in breach of the regulatory limit. Under the current EU legislation and regulation, banks’ exposures to related parties are subject to the same requirements as exposures to other entities, i.e., the EU LE framework. Where related parties are financial sector entities included within the scope of regulatory consolidation, firms may apply for a Core U.K. group permission or a noncore LE group permission (see BCP 19, EC 6). These permissions allow the firm to exceed the 25 percent LE limit as long as certain criteria are met. In addition to the general LE and intragroup LE rules, the PRA can limit the activities of firms, including their ability to conduct transactions with other entities, on a case-by-case basis. In particular, under Part 4A of the FSMA 2000, the PRA has the power to vary the permissions of, or impose requirements on PRA authorized firms. This may be at the request of the firm or on the PRA’s own initiative. Under these powers, the PRA has the power to:
In a consultation paper of October 2013 (CP 8/13), the PRA has explained that it intend to use these powers where it records failings in the firm’s establishment, implementation and maintenance of the risk control requirements on related party transaction risk. Going forward, the PRA may impose additional restrictions on firms’ transactions with related parties as a consequence of its structural ring-fencing reforms, which are part of the implementation of the BRA 2013. The PRA has not yet issued its final rules in relation to ring-fencing. |
| EC 6 | The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. |
| Description and findings re EC 6 | The PRA Rulebook’ section on related parties transaction risk requires firms to establish, implement, and maintain effective policies and procedures to identify, evaluate, and manage risks arising out of transactions with their related parties. To meet this condition, firms’ policies and procedures must ensure that the firm records and monitors the details and amounts of any related party transactions using an independent credit review or audit process. Furthermore, firms must only permit exceptions to those policies and procedures if those exemptions are reported to the firm’s senior management or management body as appropriate. Building societies are required to submit annually a copy of information provided to the FCA relating to loans to directors and connected parties and income received by directors for the provision of certain services. These sections of the 1986 Act are the responsibility of the FCA. However, PRA supervisors examine the information received to assess, in particular, whether a small society has made a large loan (relative to the size of the society’s balance sheet) to an executive director, which might give rise to repayment problems were that executive to be dismissed (and, therefore, might influence that Board’s assessment of that executive). If PRA supervisors suspect an offence under the 1986 Act had been committed, they would pass this on to the FCA. The PRA requires firms to provide information on policies and procedures for transactions with related parties on a case-by-case basis; the assessors could examine such an example. The PRA monitors senior management’s policies and procedures for managing transactions with related parties when it deems it necessary and appropriate for the attainment of its statutory objectives. In particular, the PRA conducts governance reviews and enterprise wide risk-management reviews, which may examine banks’ policies and procedures for handling conflicts of interest policies. Whether such reviews would assess conflicts of interest typically depends on supervisors’ knowledge of the firm and their view of the particular risks to which it is exposed. |
| EC 7 | The supervisor obtains and reviews information on aggregate exposures to related parties. |
| Description and findings re EC 7 | The PRA Rulebook enables the PRA to obtain information on aggregate exposures to related parties on an ad hoc basis. Some information on transactions with related parties is provided in regular reporting on LE (part of COREP, quarterly frequency). In addition, the PRA regularly obtains information on banks’ transactions with related parties as part of the FINREP reporting framework, which is semi-annually. Template F31 of FINREP specifically asks for information on exposures to related parties. Reporting is on a consolidated basis only (not individual). The information is available only for banks submitting FINREP. Furthermore, as discussed under EC 2 and EC 6, the PRA obtains information on building societies’ loans to directors and connected parties. This information is obtained on an annual basis. The assessors examined the COREP and FINREP reports. |
| Assessment of Principle 20 | Compliant |
| Comments | The PRA Rulebook complies with the BCP definitions of related parties and related party transactions and sets out most of the requirements cited in the principle, as recommended by the previous FSAP mission. Under the pre-CRD regime (BIPRU) the PRA could set specific limits on aggregate exposures to related parties. Under the current EU legislation and regulation, banks’ exposures to related parties are subject to the same requirements as exposures to other entities, i.e., the EU LE framework. However, FSMA assigns to the PRA the power to: set limits for exposures to any natural or legal persons; deduct a firm’s exposures under transactions with related parties from its capital resources when assessing capital adequacy; or require a firm to collateralize that firm’s transactions with related parties. The PRA has granted intragroup exposure exemptions from the LE regime to a number of U.K. and international banks (CP 19–EC 6): this means that for these exposures there are no limits in place. On the other hand the PRA, when it envisages the need to mitigate risks to safety and soundness of U.K. subsidiaries arising from other entities within the group, has the power (and used it on several occasions) to implement ‘supervisory ring-fences’ or ‘specific supervisory measures’ (CP 12–EC 6). Apart from the regular quarterly COREP reporting on LE, the PRA receives information on transactions with related parties in a semiannual FINREP report that contains information on an aggregate basis. It is available only for the 32 banks submitting FINREP. It means that the majority of U.K. banks only provide information on transactions with related parties in their annual reports (unless they represent LE, in which case they are covered by COREP reporting). Considering this finding as a manifestation of the reduced supervisory intensity on less systemically important firms, already flagged elsewhere in this assessment (see CP 8), the assessors didn’t weigh it against the degree of compliance with this principle, but still recommend that the authorities introduce a regular infra-annual reporting of transaction with related parties applicable to the generality of the banks and a routine monitoring of their compliance with the rules. |
| Principle 21 | Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk117 and transfer risk118 in their international lending and investment activities on a timely basis. |
| Essential criteria | |
| EC 1 | The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. |
| Description and findings re EC 1 | Supervisors noted in discussions that staff from the SRS department conduct periodic reviews (two per year) of Category 1 firms’ management of country and transfer risk, including the appropriateness of reserves established against those risks (less resources are available for firms in the lower categories). The PRA handbook sets out expectations for firms to identify, control, and quantify their exposures, including to country risk and transfer risk. Firms are required to report to the PRA quarterly all country risk limits and exposures and are required to notify the PRA of any breaches in those limits. Rules which require firms to identify, control and quantify their exposures, including to country risk and transfer risk, are contained within the risk control chapter of the PRA Rulebook, Rule 2.1, which sets out PRA requirements regarding risk policies and procedures that firms must adhere to. The PRA Handbook requires firms to have sound administrative and accounting procedures and adequate internal control mechanisms including for the purposes of identifying and recording country and transfer risks and for monitoring these exposures in the light of the firm’s own exposure policies. These requirements are outlined in the record keeping chapter of the PRA Rulebook, Rule 2.1. Firms are required to report all country risk limits and exposures to the PRA through quarterly reporting requirements and are required to notify the PRA of any breaches of these limits. The usual reporting mechanisms are the CA program and COREP. Supervisors, supported as required by risk specialists, review the governance procedures that set out the country and transfer risk-management policies, process and appetite at each firm. This review includes assessing how well the Board set, monitor and control country and transfer risk appetite, how effectively these powers are delegated to senior management, and what level of oversight exists. It is the role of the supervisor, with SRS specialist support, to determine if a bank’s policies and processes give due regards to the identification, measurement, monitoring, and control of country risk and transfer risk. Exposures need to be measured and identified on an individual country basis. With the larger and more systemically important firms, country risk analysis tends to be done as part of a broader technical risk review or an AQR. In other firms, evaluations of country and transfer risk are generally conducted on at least a quarterly basis. Such reviews of other firms’ exposures to country and transfer risk coincide with the receipt of the COREP COR001 regulatory return, which categories exposures based on the residence of the obligor, supplemented by the COREP COR002 regulatory return, which details the counterparty and the nature and structure of the exposure. |
| EC 2 | The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
| Description and findings re EC 2 | U.K. supervisors review banks’ strategies, policies, and process for the management of country and transfer risk through the review of policy papers, Board minutes, and MI presented to the Board and senior management, as well as through discussions with Board members, management, and NEDs. |
| EC 3 | The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. |
| Description and findings re EC 3 | As noted under EC 1, the Risk Control chapter of the PRA Rulebook sets out expectations for firms to establish, implement, and maintain adequate risk-management policies and procedures to aggregate, monitor, and report country exposures on a timely basis. |
| EC 4 | There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:
|
| Description and findings re EC 4 | U.K. supervisors do not prescribe or set guidelines on provisioning. Instead, data relating to country and transfer risk are reported to the PRA through the FDSF on a quarterly basis. Supervisors noted in discussions that staff from the SRS department conduct periodic reviews of Category 1 firms’ management of country and transfer risk (less resources are available for firms in the lower categories). Where shortfalls in provisions are noted, supervisors indicated that they could require firms to increase their capital held against country and transfer risks by requiring firms to hold an additional prescribed amount of “Pillar 2A” capital. Supervisors shared with assessors summaries of recent processes they had run to evaluate provisions held against exposures to obligors in European jurisdictions that were experiencing fiscal or economic distress and that resulted in requiring firms with relevant exposures to increase their capital through the Pillar 2A capital ad-on process. In some cases, SRS have conducted AQR in overseas locations to understand the adequacy of provisions and capital against exposures to obligors in those jurisdictions. Assessors also had an opportunity to review analyzes prepared by PRA or BoE staff of the risks associated with certain countries or regions that may require heightened attention by supervisors, and those reports shared with assessors offered evidence of the supervisors’ efforts to evaluate the sufficiency of firms’ mitigants against country and transfer risk. |
| EC 5 | The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. |
| Description and findings re EC 5 | The PRA requires all banks to test their credit exposures under a stress scenario as part of the ICAAP. For smaller firms, the PRA reviews such assessments proportionate to the materiality of the firm. |
| EC 6 | The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). |
| Description and findings re EC 6 | As noted above under EC 1 and EC 4, U.K. supervisors obtain and review information on country and transfer risk on a quarterly basis. When necessary, the PRA has the power to obtain additional information, such as in crisis situations. Supervisors summarized in discussions the process used to gather and analyze such data in response to concerns that have arisen recently in certain jurisdictions within Europe. |
| Assessment of Principle 21 | Compliant |
| Comments | Overall, U.K. supervisors appear to have adopted appropriate policies and procedures regarding firms’ obligations to manage their exposures to country and transfer risk. At the prior FSAP, assessors recommended that U.K. supervisors adopt a more proactive approach to the supervision of these risks; with regard to Category 1 firms, our discussions with supervisors suggested that the PRA does engage with large firms on these risks periodically, including through reviews of country and transfer risk reserves established by the firms. Assessors also took note of recent studies performed by PRA and BoE staff on country and regional developments and other topics related to country or transfer risk that could be relevant across firms. As has been noted elsewhere in this FSAP, limited specialist resources are available for reviewing country and transfer risk in firms that are smaller than those in Category 1. Given the London market’s prominence in global finance, even firms that are smaller than those in Category 1 may still have substantial international exposures. It remained unclear to assessors how significant such risks might be and what, if any, additional supervisory engagement could be necessary to ensure a more proactive approach to the supervision of country and transfer risk. |
| Principle 22 | Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance, and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring, and control of market risk. |
| Description and findings re EC 1 | Art. 83 of CRD requires competent authorities to ensure that policies and processes for the identification, measurement and management of all material sources and effects of market risks are implemented. Art. 368 of the CRR lays down further qualitative governance requirements for banks using internal models for market risk. Art. 105 of the CRR requires valuation adjustments to reflect valuation/exit-price uncertainty due to the risk of deterioration in market liquidity. EBA’s “Guidelines on SREP methodologies and processes” specify elements of market risk-management to be assessed by supervisors in SREP, which covers, among others: market risk strategies and appetites; organizational frameworks; policies and procedures; and, risk identification, measurement, monitoring and reporting; and, internal control framework. Specifically, they recommend supervisors to assess:
The EBA is in the process of drafting delegated acts that specify in greater detail the governance and technical requirements for institutions using internal models to manage market risk (“model assessment RTS,” CRR, draft RTS as per Art. 363[4]). They are expected to be in force from 2016 onwards. In addition to European legislation, banks in the U.K. are subject to the PRA’s rules and standards on market risk set out in the PRA Rulebook. Banks are periodically reviewed by the PRA to assess that their risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. Nine among the banks with the largest trading books are assessed on a continuous basis (CA), with the frequency of assessment reducing for remaining banks. The PRA statement of policy “The PRA’s methodologies for setting Pillar 2 capital” (July 2015),119 outlines the methodologies used by the PRA to inform the setting of Pillar 2 capital for firms to which CRD applies. S3 provides details of the methodology used by the PRA to assess market exposures against the capital resources of the firm. As a part of this review, institutions are required to:
Firms that are not part of the CA cycle can nonetheless receive reviews of the effectiveness of their overall risk-management frameworks (including market risk) undertaken as part of their supervisory cycle. This may be a more in-depth review undertaken to address specific concerns arising due to a supervisory request. For less material firms, risk specialists may advise supervision on Pillar 2A assessments. The PRA may also visit the institutions on ad-hoc basis to undertake assessments, for drill-down on specific market events (e.g., Swiss Franc de-peg in January 2015) or thematic reviews (e.g., specific interest rate risk VaR models under IMA, cross-firm comparison of credit valuation adjustments). The assessors got access to some of the periodic reviews performed by the SRS division: these are detailed documents with half-yearly frequency that summarize the analysis conducted offsite on the material received by the banks and discussed with the risk-management functions during onsite visits (generally half-a-day visits); provide an overall assessment of the relevant points of strength and weakness in the banks’ risk-management framework, with more intense focus on specific issues identified during the preparatory work; propose recommendations for the firm and next steps for supervisory action. There was evidence that the specific situations were followed up appropriately. The assessors also found evidence of a detailed cross-firm analysis of a market event, containing recommendations for further action on selected banks. |
| EC 2 | The supervisor determines that banks’ strategies, policies, and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
| Description and findings re EC 2 | EBA SREP guidelines require that supervisors assess whether banks have a sound, clearly formulated and documented market risk strategy, approved by their management body (para. 219). This includes whether the management body clearly expresses the market risk strategy and appetite and the process for their review (para. 219 a). Regarding the Boards’ oversight of policies and processes, the guidelines provides that supervisors assess whether the management body approves the policies for managing, measuring and controlling market risk and discusses and reviews them regularly, in line with risk strategies (para. 221 a). The EBA Guidelines on Internal Governance require that the management body of an institution sets and oversees the institution’s overall risk strategy, risk appetite, and the risk-management framework (para. 8, responsibilities of the management body). PRA receives documents from banks on a regular basis to help it assess that the risk-management process is effectively implemented and full integrated into the business-asusual activities of the bank. The documents received include: (1) internal and external audit reports; (2) risk-management & control reports; (3) agendas for Board audit; risk and ExCos, and (4) specific risk reports. The assessors found evidence of a review conducted by the supervisors at a bank verifying the approval by the Board of the bank’s strategy, policy, and processes, including a critical evaluation of the risk appetite framework, also approved by the Board. |
| EC 3 | The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:
|
| Description and findings re EC 3 | The EBA SREP Guidelines recommend that supervisors assess whether the bank’s market policies and procedures are sound and consistent with the market risk strategy and cover all the main businesses and processes relevant for managing, measuring and controlling market risks. (para 221). In particular, they recommend that supervisors assess following elements:
The PRA Rulebook also covers the aspects of a bank’s risk-management policies and processes addressed by the essential criteria. The SRS division of the PRA assesses the bank’s compliance with these requirements. For firms with material risk, the operational risk, traded risk management and the traded risk measurement teams of the SRS division conduct a CA of the bank’s information systems, risk appetite and limit framework, permissions to use (and alter) internal models, and the allocation of risk exposures to the trading book. As part of the CA process, institutions submit market risk related information to SRS on a quarterly basis (alternating between market risk and counterparty credit risk). SRS, along with the bank supervision team, visit the firm on a semiannual basis to conduct a full review and clarify all outstanding issues from the latest quarterly submission. The assessors found evidence of supervisory review of the items listed in this EC in the analysis of the risk-management reviews mentioned in EC 1, except for the assessment of policies and processes for the inclusion/exclusion of positions from the trading book (e), which however is reviewed throughout the supervisory cycle. |
| EC 4 | The supervisor determines that there are systems and controls to ensure that bank’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. |
| Description and findings re EC 4 | CRR Art. 105 provides a number of requirements for banks regarding prudent valuation of trading book positions, including:
The EBA SREP Guidelines recommend supervisors to assess whether:
In addition, the guidelines require supervisors to assess whether stress testing used by banks to complement their risk measurement system identifies relevant risk drivers, where illiquidity/gapping of prices, concentrated positions, and one-way markets are provided as examples (para. 224 b). Based on the above mentioned CRR article, EBA has published draft RTS on prudent valuation of fair-valued positions, which provides details of calculating additional valuation adjustments. Individual bank supervision teams coordinate with expert teams within the PRA to assess the requirements listed for this EC. In particular, the valuation and product control team of the SRS division assesses valuation processes and ensures prudent valuation adjustments are made at banks. The PRA requires banks with significant fair valued positions to report valuation adjustments on a quarterly basis in accordance with the PRA GENPRU S1.3, through a standardized process. The assessors got access to a cross-firm analysis performed on the banks with the most significant trading business. The analysis focused specifically on a number of relevant findings in, among other, the areas of data and IT systems, prudent valuation policies and processes, model risk. There were no specific examples of reviews addressing the timeliness of transaction capture and the reliability of market data; however; the specialists review prudent valuation methodologies to verify that weaknesses in market data are reflected in the valuation uncertainty metrics. The assessors also found evidence of adequate follow-up. |
| EC 5 | The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. |
| Description and findings re EC 5 | The PRA has an established Pillar 2 framework for market risk, to meet the requirements of this EC. This requires a firm to hold Pillar 2 capital for illiquid or concentrated positions, that the PRA considers not necessarily adequately capitalized based on VaR models. The Pillar 2 capital assessment follows a predefined process: firms submit their annual ICAAP report to their supervisor. Depending on the information provided in the ICAAP, the systemic importance of the institution, and other factors, the supervisor may then request the SRS division to conduct a review and incorporate it in the SREP. If as a result of the SREP, the supervisor finds that risks are under-estimated under Pillar 1, then a Pillar 2 capital charge is applied. The methodology to calculate the capital requires the bank to stress test exposures for a holding period of one year with a 99.9 percent confidence interval. The offsetting impact of any capital mitigants—such as accounting reserves or additional Pillar 1 capital held—is then deducted to arrive at the Pillar 2 capital charge. For valuation adjustments, the PRA GENPRU in Section 1.3120 provides full guidance on the U.K.’s valuation adjustment approach. The Valuation and Control Team of the SRS division supervises the valuation adjustments of banks and collects and analyzes data via standardized reporting in accordance with GENPRU Section 1.3 (see also EC 4). The assessors review a cross-firm analysis of IMA back-testing, following the introduction, under CRR, of the requirement to consider (for the purpose of the VaR multiplication factor) the largest number of VaR breaches between the hypothetical and actual P&L. It includes a proposal of feedback letters to the banks. |
| EC 6 | The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. |
| Description and findings re EC 6 | Art. 100 of the CRD requires supervisors to conduct annual stress tests under the SREP for all institutions they supervise. The SREP covers the market risk exposures of banks. For banks using internal models for market risk, Art. 368(1)(g) of the CRR mandates frequent stress tests to identify and address any shortcomings of the internal model vis-à-vis gap risks, concentration risks, market illiquidity, event risks, etc. The EBA SREP Guidelines recommend supervisors to assess whether an institution has implemented adequate stress tests regarding market risk that complement its risk measurement system. In particular, they require supervisors to cover:
The U.K. banking sector is also subject to the periodic stress tests conducted by the EBA. The FPC recommended in October 2013, regular stress tests to assess the health of U.K. banks and building societies in a discussion paper.121 The aim of the stress tests is to assess the impact of stressed financial periods on the individual banks and the system as a whole. The largest U.K. banks and the U.K. subsidiaries of non-U.K. banks are subject to these tests. Market risk exposures are included in this stress testing framework. The SRS, with the help of the bank supervision teams, conduct bank stress tests. The aforementioned BoE and EBA stress tests focus on capital. However, the quarterly risk submission (see EC 1 and EC 3) requires institutions to provide details on risk-management stress tests as well. For instance, SRS frequently asks institutions to stress test the impact of higher order risk sensitivities, currency de-pegs, and other events. These stress tests are used by the PRA to impose capital add-ons or require higher VaR multipliers to ensure the safety and soundness of the U.K.’s banking system. Starting in 2016 the PRA will also conduct a dark corners stress test scenario, which will be done every other year (opposite years of EBA stress testing) and will look to identify noncyclical risks. |
| Assessment of Principle 22 | Compliant |
| Comments | The PRA periodically reviews banks to assess that their market risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. Nine banks with the largest trading books are subject to CA; the remaining banks receive reviews of the effectiveness of their overall risk-management frameworks (including market risk) within the supervisory cycle. The assessors observed supervisory practice and verified observance of this principle. |
| Principle 23 | Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk122 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. |
| Description and findings re EC 1 | Art. 98 of the CRD requires that the review and evaluation performed by competent authorities shall include the exposure of institutions to the interest rate risk arising from nontrading activities. Mitigating measures, such as holding extra capital are required, as a minimum, where a bank’s economic value would decline by more than 20 percent of their own funds as a result of a sudden and unexpected change in interest rates of 200 basis points or such change as defined in the EBA guidelines. The requirements of the CRD are implemented in the U.K. via the PRA Rulebook. The ICAAP rules in the PRA Handbook require firms to:
Under Art. 13.1, firms are required to make a written record of their assessments made under those rules and its approach to evaluating and managing interest rate risk as it affects the firm’s nontrading activities. The PRA Statement of Policy “The PRA’s methodologies for setting Pillar 2 capital” (July 2015)123 outlines the methodologies used by the PRA to inform the setting of Pillar 2 capital for firms to which CRD applies. S7 provides details of the methodology used by the PRA to assess IRRBB exposures against the capital resources of the firm. As part of the PRA assessment, large U.K. firms are required to provide IRRBB data via the FDSF. All banks, including building societies, also provide data through the FSA017 regulatory returns. These data show the outcome of a standard shock of +/-200bp on both a simple basis and (optionally) under the firm’s own calculation. They also show separately what behavioral assumptions for assets, liabilities, and capital has been made by the firms, and what yield curve has been used for the calculation of the returns. Additional data on basis risk are collected from smaller banks and evaluated to identify outliers that need to be assessed in more detail for risks to future earnings. The PRA intends to further update its Pillar 2 methodology following Basel’s review of interest rate risk. For building societies, interest rate risk should be managed with reference to the PRA’s SS 20/15 on supervising building societies’ treasury and lending activities. Only societies whose banking book assets or liabilities reference an interest rate that is not administered by the society, or reference different interest rates, should incur any significant interest rate risk. Compliance with the above rules is tested during the course of the supervisory cycle. Frequency of meetings depends on the scale of the business. All meetings involve in depth reviews, as well as meetings with senior management and risk-management officers at banks. If necessary, the PRA will require a bank to take appropriate actions or steps at an early stage to address any future potential failure to meet its prudential regulatory requirements. For Category 2–4 banks, PRA specialists support supervisors in their assessments of banks’ ICAAPs to undertake more detailed reviews on a risk-assessed basis. The EBA recently published “guidelines on interest rate risk arising from nontrading activities” (May 2015).124 The guidelines will enter into force in January 2016. The guidelines for the management of IRRBB cover the following topics: scenario and stress testing, measurement assumption; methods for measuring interest rate risk; the governance of interest rate risk and the identification, calculation, and allocation of capital to interest rate risk. |
| EC 2 | The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. |
| Description and findings re EC 2 | The standards set out in PRA SS31/15)125 include a general requirement for the ICAAP (including the IRRBB assessment) to be the responsibility of a firm’s management body, that it is approved by the management body, and that it is used as an integral part of the firm’s management process and decision-making (S2.2–2.6). See EC 1 for the PRA’s supervisory approach to monitoring IRRBB. |
| EC 3 | The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:
|
| Description and findings re EC 3 | See EC 1. Specifically on points listed in the EC:
PRA
These requirements are tested as part of the PRA’s supervisory cycle. On the basis of the SREP, if necessary, the PRA will require a bank to take appropriate actions or steps at an early stage to address any future potential failure to meet its prudential regulatory requirements. In addition, for building societies, the SS 20/15 sets expectations for the level of IRRBB taken depending upon the strength of risk management, measurement systems and other elements of the controls framework.
Further as discussed in the ICAAP and the SREP, the PRA may need to request further information and meet with the governing body and other representatives of a firm in order to fully evaluate the capital adequacy for all risks undertaken. For building societies, the PRA’s standards are explained in “supervising building societies’ treasury and lending activities” (SS 20/15).126 Under Art. 2.3, societies are expected to adopt a risk-averse approach to maturity mismatch and to structural risk management. A degree of maturity mismatch and structural risk is inherent in normal society operations, but Boards of societies should set risk limits that either: (i) ensure that, as far as possible, exposures to changes in interest rates are minimized; or (ii) where interest rate positions are to be taken, restrict potential reductions in income or economic value, estimated under robust stress-testing scenarios, to levels that would not compromise the current or future viability of their societies.
Escalation procedures to Board and senior management and other risk-management arrangements are reviewed as part of the PRA’s supervisory processes. Smaller banks are subject to risk-based review, depending upon the complexity of their risk profile and their relative level of IRRBB exposure. Specialist supervisors assist with assessment and review of these banks over a more extended supervisory cycle. The PRA does not have a formal requirement for internal or external validation of models used for IRRBB, but its ICAAP and SREP processes require that, where a firm uses a model to aid its assessment of the level of adequate capital, it should be appropriately conservative and should contribute to prudent risk-management and measurement. |
| EC 4 | The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. |
| Description and findings re EC 4 | The guidelines recommend supervisors to assess whether the institution has implemented adequate stress test scenarios that complement its risk measurement system, based on EBA guidelines issued in accordance with Art. 98(5) of Directive 2013/36/EU (para. 313). In addition to the points mentioned above, the EBA guidelines on internal governance (GL 44, para. 22, risk management framework) require banks to conduct periodic stress tests to ensure effective risk management. In accordance with ICAAP, in the PRA handbook, Art. 9.2, a firm should apply a 200 basis point shock in both directions to each major currency exposure. The PRA will periodically review whether the level of the shock is appropriate in light of changing circumstances, in particular the general level of interest rates (for instance, during periods of very low interest rates) and their volatility. The level of shock required may also be changed in accordance with guidelines issued by the EBA. The PRA’s methodologies for setting Pillar 2 capital,” state that the PRA will test a range of currency-specific yield curve volatility parameters and a set of different interest rate shocks beyond the standard 200bps shock in either direction (S7.10). Further, the PRA requires firms to monitor the potential impact of changes in interest rates on earnings volatility. The assessment should consider an appropriate timeframe of three to five years, and factor in the firm’s forward-looking view of product volumes and pricing, based on its proposed business model during the scenario, and the projected path of interest rates. This information will be used in the PRA’s methodology outlined in the statement of policy “The PRA’s methodologies for setting Pillar 2 capital” (January 2015). Exposures to IRRBB are also tested as part of the stress tests conducted by the FPC that aim to assess the impact of stressed financial periods on the individual banks and the system as a whole. U.K. banks and the U.K. subsidiaries of non-U.K. banks are subject to these tests. |
| Additional criteria | |
| AC1 | The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book. |
| Description and findings re AC1 |
In the ICAA section of the Handbook, the PRA requires firms to:
Further as outlined in the statement of policy “The PRA’s methodologies for setting Pillar 2 capital,” the PRA will test a range of currency-specific yield curve volatility parameters and a set of different interest rate shocks beyond the standard 200bps shock in either direction (see S7.10). Through regulatory return FSA017 and the FDSF, the PRA collects data on the outcome of a standard shock of +/-200bp on both a simple basis and (optionally) under the firm’s own calculation. The data also show separately what assumptions about the behavior of assets, liabilities and capital has been made by the firms, and what yield curve has been used for the calculation of the returns. Additional data on basis risk are collected from smaller banks and evaluated to identify outliers that need to be assessed in more detail for risks to future earnings. |
| AC2 | The supervisor assesses whether the internal capital measurement systems of banks adequately capture IRRBB. |
| Description and findings re AC2 | CRD IV Art. 97, which sets out general requirements for the SREP, provides that supervisors shall determine whether the own funds held by them ensure a sound management and coverage of their risks, although it does not refer specifically to market risk. Then, as described above, Art. 98 (5) provides a specific requirement on IRRBB. The technical guidelines “technical aspects of the management of interest rate risk arising from non-trading activities under the supervisory review process” provide that institutions should be able to demonstrate that their internal capital is commensurate with the level of the interest rate risk in their banking book, and, in this respect, they should be able to calculate the potential changes in their economic value resulting from changes in the levels of interest rates and the overall IRRBB1. In the U.K., the supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control, or mitigate interest risk in the banking book on a timely basis. In addition to the requirements implemented through the EU’s legislation (CRD), the U.K. sets out expectations in the PRA statement of policy, “the PRA’s methodologies for setting Pillar 2 capital” (July 2015); SS 20/15 supervising building societies treasury and lending activities, SS 5/13 “the ICAAP and the SREP,” and the PRA’s guidance on “assessing capital adequacy under Pillar 2” (CP 1/35). |
| Assessment of Principle 23 | Compliant |
| Comments | Through the implementation of existing EBA guidelines as well as additional requirements set by U.K. supervisors, firms are subject to a range of requirements to ensure that they are measuring and managing their exposure to IRRBB appropriately. Supervisors, likewise, have appropriate responsibilities to evaluate exposures to this risk. The treatment of IRRBB is nonetheless facing two important changes that may also help the authorities to respond to the prior FSAP’s recommendation that they conduct better outlier analysis especially for mid-sized and smaller firms. First, the EBA has promulgated new guidelines that are coming into force in January 2016. U.K. supervisors believe that their existing methodology largely complies already with the incoming EBA guidelines; supervisors acknowledge that they may need to augment current data collection efforts from firms in preparation for the new outlier test contained in the EBA guidelines. At the time of the assessment, the PRA was updating its periodic IRRBB data collection framework. In particular, the PRA was modifying existing returns to consolidate the data collection and to collect any information, not already collected, to implement the EBA guidelines. Changes being made include modifying the FSA017 interest rate gap report for large deposit-takers to also capture data that is currently captured via other returns such as the FDSF documents PRA60.13 (ALM & Liquidity Risk) and PRA60.01 (capital and other projections). For the smaller deposit-takers, the FSA017 is being modified to capture information currently captured via X033—basis risk return. Second, the PRA’s Pillar 2 framework for treating IRRBB may change further in light of the Basel committee’s review. The Basel committee has not yet completed its review as of the time of this writing. A substantial part of the Basel committee’s reform is expected to introduce a more standardized methodology that may allow for greater comparability between banks in the same jurisdiction as well as across jurisdiction. If agreed by the Basel Committee and adopted in the U.K., the introduction of this methodology under Basel guidelines, plus the adoption of additional data collection set out in the incoming EBA guidelines, may help to address the prior FSAP’s recommendation that the authorities revise regular reporting forms for smaller and mid-sized firms such that U.K. supervisors can conduct better outlier analysis of this fundamental risk. |
| Principle 24 | Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. |
| Description and findings re EC 1 | In the EU, a modified-LCR (set out in the Art. 412 CRR and delegated Act 2015/61 by the EC) became effective for all banks from October 2015. The requirement follows the LCR set by the BCBS broadly, but with a number of divergences, which mostly are less conservative than the BCBS and as a result improve the ratios. These include, most notably:
Treatments more conservative than the Basel rule includes application of 15–20 percent run off rates for certain retail deposits (DA Art. 25 (2) (3)). Also, the 3 percent outflow rate for stable retail deposits cannot be applied during the phase-in period. According to the calculation by the EBA (EBA 2014 LCR Internal Auditing Report, December 2014), these changes lead to increase in LCR of 13.9 percentage points for all the sample banks (322) and decline in the number of banks failing to meet the 100 percent LCR from 74 to 17 (although one bank that is compliant under the Basel III LCR fails under the DA). This analysis showed the impact from the increase in the HQLA 2B instruments is by far the biggest. Covered bonds were not eligible for recognition in the previous regime (BIPRU) and, as a consequence, U.K. banks typically do not hold significant quantities of them. At the time of the assessment they did not represent a significant portion of either Level 1 HQLA or total HQLA. The implementation schedule in the EU is as follows:
The schedule is consistent with the Basel timetable, except for the latest start and for the fact that full implementation will be achieved one year earlier. MSs are allowed to speed up the pace of phase-in. The PRA has set a path to transition that will require firms to meet 100 percent LCR by January 1, 2018, but has set the initial LCR requirement as of October 1, 2015 at 80 percent, which is greater than the DA mandated 60 percent. Regarding liquidity monitoring tools, a final draft ITS on additional liquidity monitoring metrics, which covers tools prescribed in the BCBS LCR text, was adopted by the EBA and submitted to the EC (EBA ITS on AMM) and will form the basis of the PRA’s liquidity monitoring when in force. Currently the PRA relies on the pre-existent reporting framework, which includes basically the same information, but with a different structure: for example the maturity ladder used by the PRA has a shorter time horizon (5 years vs. > 10 years) and a finer detail (daily schedule vs. coarser and unevenly spaced maturity buckets). At the time of the assessment the PRA was maintaining its ‘old’ maturity ladder in parallel with the ‘new’ one, so as to ensure that no relevant information detail went lost in the regime switch (see below). Until the entry into force of the LCR (October 2015), regulation and supervisory expectations on liquidity risk in the U.K. were set in the BIPRU 12 liquidity regime. As a consequence of the regime switch, the PRA decided to revoke BIPRU 12 and to carry forward the broad principles established in BIPRU 12 into the new regime. The new regime is set out by the section ‘internal liquidity adequacy assessment’ of the PRA Rulebook. The PRA’s overall liquidity adequacy rule (OLAR) requires a firm to maintain adequate liquidity resources in amount and quality to ensure there is no significant risk that its liabilities cannot be met as they fall due. The PRA will normally give ILG to firms on the amount and quality of liquidity resources which it considers appropriate for a firm to hold to meet OLAR and what it considers to be a prudent funding profile for a firm. OLAR is supplementary to the liquidity requirements, set in the form of ILG. Where the firm’s liquidity resources fall, or are expected to fall, below the level advised in the ILG or its funding profile ceases to conform, or is expected to cease to conform, with the expectation set out in the ILG the firm must notify the PRA and submit a remediation plan. Supervisors set ILG for U.K. incorporated subsidiaries and, in limited circumstances, U.K. branches of overseas firms across all categories of firms. ILG can cover the amount, quality and profile of funding the firm should maintain. Supervisors monitor compliance with ILG through review of regulatory returns on a periodic basis and, at a minimum, quarterly for Category 1–3 firms and six-monthly for Category 4 firms. Supervisors of larger firms review liquidity returns (FSA047 and FSA048) at a frequency of biweekly or monthly, depending on the size of the institution. Should a bank fail to meet, or expect to fail to meet, the expectations set out in the ILG, this will often lead to an increased level of supervisory monitoring and action. At a frequency in line with the submission profile, supervisors review the metrics for unexpected changes or emerging trends, including where requirements or guidance may be breached. Should a breach occur, or be likely to occur firms are required to submit plans explaining the cause of the breach, or expected breach, and outline plans for restoring the liquidity profile to required levels. Such an event would prompt an increased level of supervisory scrutiny in line with CRR Art. 414. With regard to monitoring of qualitative aspects of ILG, supervisors review progress against qualitative guidance as part of their ongoing interaction with the firm, either as part of the CA approach or by agreeing delivery dates and check points with the firm at the time ILG is communicated upon completion of the supervisory review. With the transition from the previous to the current (i.e., LCR) liquidity risk regime, the PRA has decided and announced to banks that, until an L-SREP is undertaken under the new regime, the PRA carries forward the existing ILG add-on in the form of an interim Pillar2 liquidity buffer, aimed—like the ILG—at reflecting risks not captured by the LCR (such as intraday risk or concentration of funding sources). |
| EC 2 | The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. |
| Description and findings re EC 2 | The EU modified-LCR includes on- and off-balance sheet risks. Specifically, the DA contains treatments for both on- as well as off-balance sheet items and in different areas reflecting market risk. In particular there is an additional outflow for collateral outflows for derivatives under market stress, for which the EBA has delivered a final draft RTS (on additional liquidity outflows corresponding to collateral needs resulting from the impact of an adverse market scenario on the institution’s derivatives transactions, financing transactions and other contracts for liquidity reporting under Art. 423(3) of Regulation (EU) No. 575/2013). Also, there is an additional outflow for all contracts entered into the contractual conditions of which lead within 30 calendar days and following a material deterioration of the credit quality of the credit institution to additional liquidity outflows or collateral needs. (DA Art. 30(2)). The final draft ITS by the EBA (to be adopted by the EC) “EBA final draft ITS on additional liquidity monitoring metrics under Art. 415(3)(b) of Regulation (EU) No. 575/2013” includes reporting on rollover of funding and pricing of funding. This will allow supervisors to monitor the ability of institutions to refinance in the markets. Guidelines on common procedures and methodologies for the SREP recommend competent authorities to make a detailed assessment of the liquidity risk profile of institutions. This includes the evaluation of actual market access and also recommends NCAs to take into account warnings and recommendations issued by macroprudential authorities, including the ESRB. The OLAR requires firms to maintain liquidity resources which are adequate, both as to the amount and quality, and to maintain adequate qualitative arrangements to ensure there is no significant risk that it cannot meet its liabilities when they fall due. Firms are required to document their compliance with this rule as part of their individual liquidity adequacy assessment (ILAA). Using the ILAA as a preliminary source, the PRA assesses the adequacy of a firm’s liquidity resources through the supervisory liquidity review process (L-SREP) at a frequency of between one and three years defined by the systemic importance of the firm. The objective of the L-SREP is to define an appropriate liquidity profile and level of liquidity resources for that firm, as well as to identify any improvements necessary to the qualitative arrangements for managing liquidity. The output of the L-SREP informs the ILG. Quantitative ILG is a dynamic metric, reflecting the changing shape of a firm’s balance sheet. The regular review of ILG ensures that it is a set at a level consistent with the PRA’s view of changing macroeconomic conditions and markets. The quality and results of a firm’s stress testing are key inputs to demonstrate a firm’s compliance with the OLAR and influence ILG. Firms are required to document the results of their stress testing in their ILAA. When conducting these stresses, a firm must separately analyze the effect of the 14 sources of liquidity risk and the net level of outflows that would occur before management actions (PRA Rulebook’s ILAA S11.5). The broad approaches to liquidity stress testing outlined in BIPRU continue in the new liquidity regime (Rule 11.3). Firms must consider institution-specific, market-wide, and combined alternative scenarios across different time periods (Rule 11.4) making appropriate assumptions around the major sources of liquidity risk including, where appropriate, at least the sources of risk outlined in the revised PRA Rulebook rule 11.5. Para. 2.18 of SS 24/15 clearly states the PRA’s expectation that firms will consider a macroeconomic stress when conducting their internal stress testing, as do the EBA SREP guidelines (para. 411). As per the EBA SREP guidelines (para. 403) and SS 24/15 (para. 2.20(iii)), firms are required to consider market access when assessing their liquidity risk profile. ILG is reviewed annually for the most systemically important firms and every two to four years for the less systemically important firms. For the most systemically important firms, the supervisor can choose whether to conduct a focused or full-scope L-SREP but must conduct a full-scope L-SREP at least every three years. Where firms have liquidity risk that is not captured under the LCR, the PRA can exercise its discretion to apply Pillar 2 add-ons under ILG to ensure the liquidity risk profile is appropriately captured. In September 2012, the PRA responded to the FPC’s recommendation of June 2012, by announcing that firms could use collateral prepositioned for use in the BoE’s discount window facility to meet up to 10 percentage points of their ILG requirements. In June 2013, the FPC recommended that the minimum requirement should be set at an LCR of 80 percent until January 1, 2015, rising thereafter to reach an LCR of 100 percent on January 1, 2018. In August 2013, the PRA responded to the FPC’s recommendation by announcing that it would adjust liquidity requirements such that firms should hold highly liquid assets broadly equivalent to 80 percent of the LCR, in line with the FPC’s recommendation. It did this by allowing firms to use collateral pre-positioned for use in the BoE’s Discount Window Facility to meet up to 40 percent of their ILG requirements (subject to holding enough capital). When the LCR was eventually implemented in October 2015, the PRA set the minimum level at 80 percent, in line with the FPC’s recommendation. The supervisor retains the ability to set higher liquidity levels for individual firms where appropriate. |
| EC 3 | The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance |
| Description and findings re EC 3 | CRD Art. 86 provides a general requirement for liquidity risk management, including that competent authorities shall ensure that institutions have robust strategies, policies, processes and systems for the identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons, including intraday, so as to ensure that institutions maintain adequate levels of liquidity buffers. EBA’s “Guidelines on SREP methodologies and processes” (December 2014) specifies elements of management of liquidity risk to be assessed by supervisors in the context of SREP. Regarding policies and processes, the Guidelines recommend supervisors to assess whether:
The PRA’s approach to liquidity risk is in line with the EBA SREP guidelines (which will apply from January 1, 2016). The PRA Rulebook Chapters 3 and 4 transpose the requirements of CRD Art. 86 paras. 1–3 that a firm must have: a robust liquidity risk-management framework; sufficient liquidity buffers for stress scenarios; and, policies and processes, for managing liquidity risk that have been approved by the firm’s management body that are consistent with the risk profile and systemic importance of the firm. The PRA provided a suggested structure and content of an ILAAP document in SS24/15, Annex 1. This template includes sections, which detail the firm’s liquidity risk-management framework, policies, processes, and stress testing. The PRA Rulebook Chapter 13 requires firms to update their ILAAP annually for approval from its management body. The firm must regularly carry out an internal assessment of the adequacy of its liquidity and funding in accordance with its ILAAP. The PRA will use the firm’s ILAAP to form the basis of their liquidity assessment. The PRA will use the evidence contained in the ILAAP in line with SS24/15 paras. 3.5–3.8, to assess whether the strategies, policies, processes, and systems that enable it to identify, measure, manage, and monitor liquidity risk are comprehensive and bank-wide. This will inform the PRA’s judgment of the qualitative aspect of “ILG.” In the previous regime, BIPRU 12.4 (in particular BIPRU 12.4.-2R) already stipulated the requirement on firms to be able to withstand a range of different stress events while conforming with the liquidity risk appetite approved by the firm’s governing body. The requirements of BIPRU 12.3.4R were supplemented by BIPRU 12.3.5R which required the firm to ensure it has a comprehensive bank-wide view of liquidity risk consistent with its risk profile and systemic importance. The assessors found evidence of actual implementation of this EC in the ILAAP documentation and supervisory documents they had access to. These included: the ILAAs and related PRA’s focused reviews—conducted either by specialists or by line supervisors, depending on the bank category and focus of the assessment—for a major U.K. bank, a building society, the U.K. branch and subsidiary of an international bank, spanning a range of different business models and liquidity risk-management approaches. The reviews appeared thorough and detailed, with well articulated findings and related recommendations; they are tailored to the specific characteristics of the banks, including their systemic importance, and address a variety of liquidity risk-management aspects. The assessor also examined examples of the supervisory follow-up stemming from such reviews. |
| EC 4 | The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:
|
| Description and findings re EC 4 | The EBA SREP guidelines (which will apply from January 1, 2016) recommend supervisors to assess the following elements of this EC:
In the U.K. context the same elements as covered as follows:
Banks are recommended to refer to the EBA SREP Guidelines as outlined in SS 24/15, Annex 1. The PRA will assess the firm’s ILAA or ILAAP submission which must contain an assessment of the firm’s compliance with the PRA rules as outlined above. The supervisor will, through assessment of the firm’s ILAA or ILAAP and the CA engagement, determine whether a firm’s liquidity risk appetite is approved by the management body of the firm, is clearly articulated and appropriate for the firm’s business and role in the financial system.
The PRA determines whether a firm’s day-to-day and intraday liquidity management practices are sound through assessment of the firm’s ILAA or ILAAP and the CA engagement.
The PRA will assess the firm’s ILAA or ILAAP submission which must contain an assessment of the firm’s compliance with the PRA rules as outlined above. The supervisor will, through assessment of the firm’s ILAA or ILAAP and CA and engagement, determine whether a firm’s bank-wide information systems are effective in enabling the active identification, aggregation, monitoring and control of liquidity and funding risks.
The supervisor determines whether a firm’s management body has adequate oversight to ensure the effective implementation of policies and processes for the management of liquidity risk through assessment of the firm’s ILAA or ILAAP and the CA engagement.
The supervisor determines whether a firm’s management body regularly reviews and appropriately adjusts the firm’s strategy, policies and processes for the management of liquidity risk, through assessment of the firm’s ILAA or ILAAP and the CA engagement. The supervisor will expect the firm to update the ILAA or ILAAP document accordingly should there be a change in the firm’s risk profile or the external markets and macroeconomic conditions in which they operate. |
| EC 5 | The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:
|
| Description and findings re EC 5 | Art. 413 CRR requires firms to ensure their long term obligations are adequately met with a diversity of stable funding instruments under both normal and stressed conditions. Art. 86(1) CRD mandates competent authorities to ensure that firms have robust strategies, policies, processes and systems for the identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons, including intraday, so as to ensure that institutions maintain adequate levels of liquidity buffers. Art. 86(4) CRD mandates competent authorities to ensure firms develop methodologies for the identification, measurement, management and monitoring of funding positions. Those methodologies shall include the current and projected material cash-flows in and arising from assets, liabilities, off-balance- sheet items, including contingent liabilities and the possible impact of reputational risk. The EBA SREP guidelines (which will apply from January 1, 2016) recommend supervisors to assess whether the funding plan is feasible and appropriate in relation to the nature, scale and complexity of the institution, its current and projected activities and its liquidity and funding profile (para. 420). Regarding interaction between funding risk and other risks, the guidelines recommend supervisors to take into account whether the institution recognizes interactions between different risks arising from both on- and off- balance sheet items, when assessing whether the institution has an appropriate framework for identifying and measuring liquidity and funding risk (para. 404 b). On specific issues listed in this EC, the guidelines recommend supervisors to assess:
On (b) the guidelines require supervisors to assess the adequacy of the institution’s liquidity buffer and counterbalancing capacity to meet its liquidity needs (para. 388). The PRA expects firms to detail in their ILAA or ILAAP submission their compliance with the rules and expectations detailed above. The supervisor will ensure through review of the ILAA or ILAAP document and their CA engagement, consistent with the PRA’s approach to conducting a liquidity-supervisory review and evaluation process (L-SREP) as detailed in SS 24/15 section 3, that the firm complies with the above and below mentioned rules, requirements and guidelines in EC 4. Once the EBA ITS on AMM under CRR Art. 415(3)(b) have been adopted by the EC the supervisor will be able to monitor diversification of funding in part through the C.76.00 AMM return.
The alternative scenario and stress testing rules are supplemented by SS 24/15. Para. 2.20 (particularly (i) to (iii) and (v)) sets expectations on the firm’s analysis of the ten key risk drivers mentioned in EC 2.
The PRA Rulebook, s ILAA section, Rule 2.2 requires firms to hold liquidity resources containing an adequate buffer of high quality, unencumbered assets and to maintain a prudent funding profile. Rules 7, 8, and 10 requires firms to manage funding needs, collateral and asset encumbrance to ensure the firm can use the assets as set out in Rule 2.2 in a timely manner, without impediment, to obtain funding in times of stress. The PRA is consistent with EBA SREP guidelines para. 416, outlined above in the EBA text.
The PRA expect banks to have due regard to their own business model when determining the appropriate level of diversification in their buffer. In accordance with DA Art. 8(1) the PRA may set requirements on a firm to enforce increased diversification of the HQLA buffer, or conversely to restrict holdings of particular asset classes. This may include requirements on a firm’s liquidity management practices or investment policies. Under CRD Art. 103, the PRA may also restrict holdings of particular asset classes if it observes that this exposes several firms to a common set of risk factors. The PRA will review firms’ own policies (e.g., limits) on composition of the liquid asset buffer. The PRA will consider as part of its work on liquidity Pillar 2 how best to ensure that firms observe prudent principles of buffer composition. The EBA’s ITS on AMM C76.00 return will allow the supervisor to monitor diversification of funding.
The PRA expects larger firms to take into account the absolute size of their HQLA holdings and to be able to monetize these without compromising on either speed of disposal or price. They should also consider the impact of their actions on the wider market and on financial stability. In the previous regime, the above listed elements were covered by the BIPRU handbook. The supervisor will monitor the diversification of funding in part through the C76.00 CM return, in addition to ILAAP documents. |
| EC 6 | The supervisor determines that banks have robust liquidity contingency funding plans (CFPs) to handle liquidity problems. The supervisor determines that the bank’s CFP is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s CFP establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s CFP is feasible and requires the bank to address any deficiencies. |
| Description and findings re EC 6 | Art. 86(10) and (11) CRD mandate competent authorities to ensure firms develop CFPs to address possible liquidity shortfalls which are tested at least annually and approved by senior management. The EBA SREP Guidelines (which will apply from January 1, 2016) recommend supervisors to assess whether the institution’s liquidity contingency plan (LCP) adequately specifies the policies, procedures and action plans for responding to severe potential disruptions to the institution’s ability to fund itself (para. 417) Regarding the LCP the guidelines recommend supervisors to assess:
Chapter 12 of the revised PRA Rulebook’s ILAA Section requires firms to develop an effective LCP taking account the outcome of the stress tests. Firms are required to test their LCP at least annually. Further guidance for firms is provided in SS 18/13 with SS 24/15, Annex 1 recommending that firms cross reference the relevant section of the recovery and resolution plan in the ILAAP document. The supervisor will comply with paras. 417 to 419 of the EBA SREP Guidelines and will ensure that compliance with the requirements of the revised PRA Rulebook Chapter 12 are addressed in the ILAAP document and through the CA engagement. This will cover, but not be limited to, the firm’s CFP being formally articulated, adequately documented and that it sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments reflecting the liquidity risk profile of the firm. The actions outlined in the LCP should be in line with the firm’s overall risk strategy and liquidity risk tolerance. The supervisor will also assess whether the LCP establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. For the purposes of reviewing the recovery plans, the supervisors and the supporting recovery and resolution team undertake a joint assessment of issues arising from the CFP/LCP set out in the firm’s recovery plan. The supervisors and recovery and resolution experts review the stress scenarios in the recovery plan to identify whether or not liquidity recovery options generate sufficient benefit to the firm in the event a liquidity stress causes the firm to invoke their recovery plan. For the LCP and CFP review for the L-SREP, supervisors, along with liquidity experts in the SRS’ teams will assess the CFP/LCP in order to review the firms’ arrangements and how these are informed by the results of firms’ liquidity stress testing. The previous PRA liquidity regime (BIPRU 12.4.10 to 12.4.16) already stipulated the requirements, guidelines, and expectations on firms to create CFPs, setting out adequate strategies and proper implementation measures to address possible liquidity shortfalls. These plans had to be regularly tested, updated on the basis of the outcome of the mandatory stress tests required by the PRA rules, and reported to and approved by the firm’s governing body, so that internal policies and processes could be adjusted accordingly. |
| EC 7 | The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective CFPs. |
| Description and findings re EC 7 | Arts. 86(8), (9) and (10) CRD mandate competent authorities to ensure firms consider alternative scenarios on liquidity positions and risk mitigations at least annually. These considerations should cover the potential impact of institution-specific, market-wide, and combined alternative scenarios across different time periods and varying degrees of stress. The outcomes of these considerations should inform the development of effective LCPs. The EBA SREP guidelines recommend supervisors to assess whether an institution has implemented adequate liquidity-specific testing as part of its overall stress testing program (para. 408). Supervisors are recommended to analyze whether short-term and prolonged, and institution-specific and market-wide scenarios are considered by the institution (para. 410). On assumptions, supervisors are required to assess whether the institution takes a conservative approach to setting them (para. 412). The Guidelines also recommend supervisors to assess whether assumptions and scenarios are reviewed and updated sufficiently frequently (para. 413 d). In terms of use of the stress tests result, the guidelines recommend supervisors to assess whether the outcomes of stress testing are integrated into the institutions’ strategic planning process for liquidity and funding and used to increase the effectiveness of liquidity management in the event of a crisis, including in the institution’s liquidity recovery plan (para. 413 b). Chapter 11 of the PRA Rulebook’s ILAA Section outlines the PRA rules a firm must follow with regards to stress testing in line with the relevant requirements of CRD Art. 86. The rules require firms to conduct stress tests on a regular basis (11.3), across institution-specific, market-wide, and combined alternative scenarios across different time periods (11.4). Assumptions must be appropriate (11.5), reviewed by its management body (11.6), and the results used for risk-management purposes and the development of LCPs (11.7). The SS24/15, para. 2.18 to 2.22 sets the PRA expectation of the minimum considerations firms should undertake for a set of liquidity risk drivers in their stress testing program. SS24/15, para. 2.23 to 2.24 set PRA expectations that firms will consider intraday risk within their stress testing program. The PRA expects firms to detail in their ILAAP submission to document their compliance with the rules and expectations detailed above. The supervisor will ensure through review of the ILAAP document and their CA engagement, consistent with the PRA’s approach to conducting an L-SREP as detailed in SS24/15 S3, that the firm uses the results of the stress tests to adjust accordingly their risk-management strategies, policies and positions, and to develop effective LCPs. The previous PRA liquidity regime (BIPRU 12.4 and 12.5) requirements and guidelines already stipulated that firms include a variety of time horizons within both bank-specific and market-wide liquidity stress scenarios (individually and in combination) into their stress testing programs for risk-management purposes. These assumptions had to be reviewed at least annually (BIPRU 12.4.3). The results of the stress tests had to be used to adjust the firm’s strategies, internal policies and limits on liquidity risk and to develop effective CFPs (BIPRU 12.4.10). |
| EC 8 | The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. |
| Description and findings re EC 8 | CRR Art. 415 (2) requires an institution to report LCR separately in the currencies in which it has more than 5 percent of the total liability or it has a significant branch in a MS using a different currency. DA Art. 4 (5) requires institutions to also observe the LCR requirement in these currencies. Art. 8(6) requires firms to ensure that the currency denomination of their liquid assets is consistent with the distribution by currency of their net liquidity outflows and grants competent authorities the power to restrict currency mismatches. The EBA SREP guidelines recommend supervisors to assess, in relation to liquidity in different currencies:
The PRA Rulebook’ ILAA section, Rules 3.1, 3.2, 5.2(3), 81 11(5), 11(7) and 12.4 cover aspects of foreign currency liquidity transformation and significant currency exposures. Rule 3.1 requires firms to have robust strategies, policies, processes, and systems that enable it to identify, measure, manage, and monitor liquidity and funding risks, including tailoring these to currencies and legal entities. Rule 8 requires firms to actively manage its liquidity risk exposures and related funding needs taking account of currencies and limitations to potential transfers of liquidity among entities, both within and outside the EEA. Rule 5.2(3) requires firms to measure, monitor, and deal with intraday liquidity risk for the currencies in which it has significant positions. Rules 11(5) and 11(5)(2) require firms to stress test their cross currency funding risk and report to its management body any vulnerabilities identified and proposed mitigating actions. The stress testing rules are supplemented by SS24/15, para. 2.20 sets expectations on the firm’s analysis of key risk drivers outlined the revised PRA Rulebook Chapter 11; particularly 2.20(iii), 2.20(vii), and 2.20(viii). The PRA is consistent with the EBA’s SREP guidelines that recommend competent authorities assess an institution’s liquidity needs taking into account the currency of the liquidity needs and, where an institution operates in different material currencies, the separate impacts of shocks in the different currencies to reflect currency convertibility risk. The PRA can currently set ILG by currency where a firm has significant (greater than 20 percent) liabilities in a particular currency. The interim LCR reporting requirement will be on an all currency basis though as mentioned above, DA Art. 8 (6) grants competent authorities the power to restrict currency mismatches. When the EBA’s ITS on AMM under CRR Art. 415(3)(b) will be adopted by the EC, the PRA will monitor currency mismatches in part through the C.67.00 and C71.00 AMM returns. For the transitional period between the BIPRU 12 regime and the EU LCR, it was decided to maintain the submission of legacy PRA returns (FSA047 and FSA048). This allows the PRA to continue monitoring the liquidity position in each significant currency of bank subsidiaries. In the previous regime, the requirements of this EC were covered by the BIPRU handbook. The PRA does not set an explicit rule requiring firms to regularly review the limits on the size of its cash flow mismatches for foreign currency. |
| Additional criteria | |
| AC1 | The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. |
| Description and findings re AC1 | The EBA SREP Guidelines recommend that supervisors, in assessing risks to sustainability of the funding profile from concentrations in funding sources, take into account the risk that asset encumbrance may have an adverse effect on the market’s appetite for the unsecured debt of the institution (para. 396 b). Regarding disclosure, following CRR Art. 443, the EBA published guidelines on disclosure of encumbered and unencumbered assets. The disclosure guidelines provide the set of principles and templates that enable the disclosure of information on encumbered and unencumbered assets by products on a consolidated basis. The disclosure guidelines, which were published in June 2014, will be reviewed and form the basis for binding technical standards to be developed by 2016. On setting limits, the guidelines recommend supervisors to assess whether the limit and control framework helps institution to ensure the availability of sufficient and accessible liquid assets (para. 414 f). Rule 3.4 of the PRA Rulebook’s ILAA section requires firms to have risk-management policies to define their approach to asset encumbrance, as well as procedures and controls that ensure that the risks associated with collateral management and asset encumbrance are adequately identified, monitored, and managed. Chapter 10 details PRA rules on the management of asset encumbrance. Firms are required to actively manage their asset encumbrance position including the amount of unencumbered assets available in stress periods and any impediments to encumbering these assets in stress. A firm must actively manage its encumbrance position in a manner proportionate to its business model, specificities of the funding markets and the macroeconomic situation with the management body informed in a timely manner of an appropriate level of detail within its encumbrance levels and credit quality. The PRA expects firms to detail their compliance with the rules and expectations detailed above in their ILAAP submission. The supervisor will ensure that the firms level of unencumbered assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance through review of the ILAAP document and their CA engagement. The PRA’s thinking is still evolving with regard to asset encumbrance. The items supervision will be asked to investigate will be more specifically outlined within the L-SREP guidelines which take effect from October 1, 2015. These include, for example, the quality of the metrics, whether encumbrance will be high enough to deter potential investors and whether the limits are set with appropriate granularity and at a level to ensure sufficient free assets are available to fund previously unsecured funding in stress. The PRA will monitor the levels of asset encumbrance in firms through the submission of data in line with the EBA published guidelines on reporting of asset encumbrance. The previous PRA liquidity regime (BIPRU 12.3.33 and 12.3.34) already required firms to actively manage their asset encumbrance position. The management of asset encumbrance had to be conducted in a manner proportionate to a firm’s business model, funding sources and the macroeconomic situation and the governing body had to be informed of an appropriate level of detail on its encumbrance such as level, evolution, types, credit quality, ineligible amounts and contingent encumbrance. BIPRU 12.3.22 required that firms distinguish the amounts of unencumbered assets at all times, including in stress, and 12.3.23 required that the firm understands any impediments to encumbering these assets in stress. |
| Assessment of Principle 24 | Largely Compliant |
| Comments | At the time of the previous FSAP, the mission observed that “the new comprehensive liquidity regimen and supervisory program that the FSA has put in place recently, over time, will be a strong base for U.K. supervisors to assess banks’ liquidity management strategies adequately, including prudent policies and processes to identify, measure, monitor, and control liquidity risk.” Post-crisis evolution in the U.K. supervisory framework for liquidity risk put the U.K. authorities at the front edge in the area. As a result of this legacy and of a persistent heightened attention to liquidity and funding management in the banks, the PRA is equipped with a liquidity risk framework that is overall robust, structured, consistently implemented. At the time of this assessment the PRA was transitioning from the previous national regime (regulated by the BIPRU12 section of the FSA—then PRA—Handbook) to the EU version of the LCR standard (October 2014). BIPRU12 was ‘switched off,’ though part of the preexistent reporting framework is provisionally maintained, so as to allow the PRA to have adequate sight of liquidity and funding positions during the transition to the EU LCR regime. The assessors agree and appreciate the PRA commitment to ensure that it keeps on being equipped, where permissible, with the monitoring tools that it created to back its supervisory action. The assessors were not in the position to verify the implementation of the new regime, but got comfort from the comprehensiveness of the rules in place (which sometimes go beyond the EBA guidelines) and the observation of the consistent implementation of this principle before and after the regime through the analysis of ILAAP documentation and supervisory documents. There are no substantial deviations from the requirements of this principle in the PRA framework for liquidity risk. The main notable exception to this overall positive picture is the LCR requirement: the LCR adopted in EU has a number of elements which are less stringent than the Basel agreed rule, most notably a wider definition of HQLA. Given EC 1 clearly states that for internationally active banks the prescribed liquidity requirement should not be lower than the applicable Basel standard, the EU regulatory framework’s compliance with the EC is problematic. In 2014 the EBA performed a comparison between the Basel and EU versions of the LCR: it found that the EU implementation of LCR determined an average increase of banks’ LCR by 13.9 percent, with a significant dispersion of results. It also stated that “large, internationally active banks show only a moderate increase in the LCR.” The PRA maintains that most of the increase in LCR ratios was driven by the assumption made regarding level 2B assets. It must be said that the PRA has set the initial LCR requirement as of October 1, 2015 at 80 percent, which is greater than the 60 percent mandated by the EU regulatory standard and will ensure a higher LCR floor for the U.K. banks until January 2017. Also, as part of the LCR Pillar 2 framework the PRA will consider how best to ensure that firms observe prudent principles around buffer composition. As a consequence, of the EU LCR being less stringent in important respects than the applicable Basel standard, the assessors deem the overall U.K. supervisory framework for liquidity risk largely compliant. |
| Principle 25 | Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk127 on a timely basis. |
| Essential criteria | |
| EC 1 | Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). |
| Description and findings re EC 1 | All banks are required to comply with the provisions of CRD IV/CRR that set out general risk-management standards specific to firms that have adopted the standardized approach and AMA for operational risk measurement and management. In addition, under Section 10.1 of the ICAAP rules in the PRA Rulebook, banks are required to implement policies and processes to evaluate and manage their exposures to operational risk. In accordance with Section 10.1 of the ICAAP set out in the PRA Handbook, banks are required to implement policies and processes to evaluate and manage their exposures to operational risk, including model risk, and to cover low-frequency, high severity events (Art. 85(1) of the CRD). The PRA requires all Category 1 firms to have operational risk-management frameworks that are commensurate with their scale, nature and complexity and that meet the qualitative standards applicable to the AMA the Basel capital framework. Supervisors conduct firm-specific reviews to verify these arrangements. |
| EC 2 | The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. |
| Description and findings re EC 2 | The PRA Rulebook provides guidance that a firm should provide its governance body with the information it needs to perform its role in identifying, measuring, managing, and controlling risks of regulatory concern. The PRA Handbook also specifies that the CRO should report to the firm’s governing body on the firm’s risk exposures relative to its risk appetite and tolerance and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the governing body’s risk appetite and tolerance (SYS21.1.2). U.K. supervisors expect that the Board approves risk appetite, though this is not a formal requirement. U.K. supervisors have found that, in some cases, governance responsibilities are handled by committees of the Board, such as the risk committee, the operational risk committee, etc. The PRA reviews operational risk appetite and governance arrangement on a proportionate basis as part of operational risk reviews. Supervisors have the ability to require changes to a firm’s methodology or practices if necessary. |
| EC 3 | The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk-management process. |
| Description and findings re EC 3 | In addition to the points raised in EC 1 and EC 2 above, supervisors assess the effectiveness of implementation and integration of operational risk policies and procedures in a firm through review of management reporting and governance committee minutes; reviews of procedures for, and outputs from, the operational risk-management framework; discussions with the CRO and Internal Audit. Especially for Category 1 firms and some Category 2 firms, U.K. supervisors evaluate the effective implementation of risk-management policies and procedures through “deep-dives.” Staff shared in discussions that the PRA aims to complete about 10-12 deep-dives in aggregate related to operational risk across all Category 1 firms each year; in addition, often supervisors will undertake two deep dives in aggregate per year across all Category 2 firms each year. Typically few or no specialist resources are available for firms in categories 3–5. For Category 1 firms, usually about two to four aspects of operational risk are evaluated through deep-dives, and staff noted that this implied that operational risk is assessed on a comprehensive basis over a period of about three years for each firm. The pace of this work reflects the PRA’s sense that while operational risk can crystallize abruptly, the underlying exposures typically build up slowly, and therefore U.K. supervisors see typically limited supervisory value in more frequent assessments. Internal documents made available to assessors suggest as well that the PRA’s approach to supervising operational risk evolved over the course of late 2013–2014, moving from reviewing “high-level operational risk frameworks” under the former approach to adopting reviews that are more “targeted, looking at individual types of operational risk that we think are particularly relevant for each firm.”128 Supervisors realized that the former approach failed to consider the longer-term implications that some operational risk events can have. In addition, supervisors learned through experience that their approach to operational risk reviews were too standardized and did not consider the key operational risk exposures that individual firms might face.129 |
| EC 4 | The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. |
| Description and findings re EC 4 | Firms must comply with EBA guidance on SREP (paras. 279–280) on this expectation, which includes having contingency and business contingency plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruptions (CRD Art. 85). In 2014 the PRA reviewed one aspect of these arrangements (business continuity arrangement sin off-shore processing centers) across major 12 firms. In the U.K., this expectation appears in requirements specified in the PRA Rulebook (SYSC 4.1.6 and SYSC 4.1.7), under which firms must take reasonable steps to ensure continuity and regularity in the performance of their regulated activities. They must establish, implement, and maintain adequate business continuity policies and employ appropriate and proportionate business continuity systems, resources, and procedures. In addition, firms in the U.K. must comply with the PRA’s Fundamental Rule 8, which requires firms to be prepared for an orderly resolution with minimum disruption to CEFs. This expectation is complemented by the PRA Rulebook’s requirement that firms take reasonable steps to ensure continuity and regularity in the performance of their regulated activities (SYSC 4.1.6 and SYSC 4.1.7). Supervisors review all Category 1–4 recovery and resolution plan documents on an annual basis. |
| EC 5 | The supervisor determines that banks have established appropriate information technology (IT) policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound IT infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. |
| Description and findings re EC 5 | The PRA’s Fundamental Rule 5 requires a firm to have effective risk-management systems; the FCA Rulebook (SYSC 3.1.1) requires that a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. SYSC 3.2.21 requires firms moreover to have appropriate systems and controls in place to fulfill its regulatory and statutory obligations with respect to adequacy, access, periods of retention, and security of records. GENPRU 1.2.89G states that firms should satisfy themselves that their systems are sufficiently sound to support the effective management and, where applicable, the quantification of risks. The notes above outlining how the supervisors address the ECs summarize some of the key ways through which supervisors evaluate the management of operational risk. |
| EC 6 | The supervisor determines that banks have appropriate and effective information systems to:
|
| Description and findings re EC 6 | The criteria for information systems for banks using the standardized and AMAs to operational risk under Basel II/III are detailed in CRR Art. 320 and 321. SRS assess periodically the effectiveness of operational risk reporting to banks’ Boards, senior management, and business lines, and these assessments include discussions with internal audit. |
| EC 7 | The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. |
| Description and findings re EC 7 | The PRA’s Fundamental Rule 7 requires a firm to deal with its regulator in an open and cooperative way and to disclose to the PRA “anything related to the firm of which the PRA would reasonably expect notice.” Since the start of 2015, the PRA has required Category 1 firms to provide quarterly data on their operational risk exposures through the FDSF; the data required includes operational risk loss events, top risks, scenarios, and emerging risks. SRS staff collate this data and present overviews to supervisory teams for Category 1 firms every six months. For firms presenting less systemic risk to the U.K. financial system, the work may be carried about by groups of supervisors with oversight responsibilities for the firms in question. |
| EC 8 | The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:
Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. |
| Description and findings re EC 8 | The PRA Rulebook (SYSC 4.1.1R) requires a bank to have effective processes to identify, manage, monitor, and report risks and internal control mechanisms. A firm must not outsource important material, operational functions in such a way as to impair materially the quality of its internal controls or the ability of the PRA to manage the bank’s compliance with all of its obligations under the regulatory system and, if different, of a competent authority to monitor the firm’s compliance with all obligations under Directive on Markets in Financial Instruments (MiFID). The PRA Rulebook also requires banks, their auditors, the PRA, and any other relevant competent authority to have effective access to data related to outsourced activities, as well as to the business premises of the service provider (SYSC 8.1.8(9)R). The Rulebook requires that the PRA and any competent authority be able to exercise those rights of access. Supervisors offered assessors examples of specific cases in which the PRA evaluated outsourcing arrangements and required changes in the arrangements to address their concerns. Supervisors noted that large-scale outsourcing is not yet prevalent among U.K. banks but that the rise of “challenger banks” may increase the demand for outsourcing. As that demand increases, supervisors expect to conduct more onsite reviews of those arrangements as they have already done for the insurance sector. |
| Additional criteria | |
| AC1 | The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). |
| Description and findings re AC1 | The BoE, the PRA, and other U.K. authorities including the home office have run market-wide exercises to investigate common points of exposure to operational risk or other potential vulnerabilities. As examples, supervisors summarized a 2013 financial sector cybersecurity exercise that had been undertaken across twenty firms (including six financial market infrastructure providers), the PRA and BoE, plus other U.K. public sector authorities. The exercise focused on disruption and dislocation in wholesale markets and in the financial market infrastructure supporting those markets that could arise from an attack. In addition, supervisors shared insight into an initiative that the BoE launched in June 2014 to conduct penetration tests for financial services organizations using intelligence from government and accredited commercial providers. The BoE expects to report on this initiative, called “CBEST,” in the summer of 2016. |
| Assessment of Principle 25 | Compliant |
| Comments | As reported by supervisors, the PRA’s approach to the supervision of operational risk in the largest firms has undergone important changes over the past two years. Supervisors report that they now customize their reviews more closely to the key risk exposures that the largest firms face. The more strategic use of several deep-dives spread out over three years for each of the largest firms may provide supervisors with some confidence that firms are making progress in their development of operational risk frameworks. It is though uncertain whether this pace of review is sufficient to ensure that large firms are keeping pace with the state of the article in operational risk management. Since the treatment of operational risk as an explicit risk discipline is a recent development, it is possible that important innovations could emerge at a more rapid pace than might be true for more established and traditional risk-management stripes. Supervisors may wish to consider ways to monitor and evaluate with potentially greater frequency the most important advances in operational risk-management and look horizontally across major firms to ensure they are keeping pace. As supplements to the “deep-dives,” supervisors at the PRA seek to monitor firms’ own sense of their exposure to key operational risks and how those views may differ from supervisors’ assessments. PRA supervisor risk specialists developed an operational risk dashboard that gathers firms’ views on their exposures to process risks, infrastructure risks, business practice risks, and other risks, and compares those results against the views of PRA supervisors. The dashboard is intended to provide supervisors with comparative data on firms to develop peer group comparisons and identify outliers. Currently three dashboards are developed for (i) Category 1 U.K. international firms; (ii) Category 1 international Banks; and (3) Category 1 U.K. domestic firms. Lastly, risk specialists support supervisors with their ongoing contacts with firms’ operational risk function to monitor changes in their frameworks as well as to maintain their knowledge of the industry practices in this field afresh. The authorities noted that operational risk specialists in particular are expected to allocate around 10 percent of their time to such activities in Category 2 firms.130 The decision to limit the availability of expert operational risk resources in smaller firms is an understandable effort to deploy resources efficiently and effectively. As long as the operational risks in these smaller firms are indeed lower, the decision may be appropriate. However, nearly all firms are exposed to substantial operational risk in IT and cybersecurity. Smaller firms may have fewer resources for addressing those risks. Innovative firms may seek to build their comparative advantages relative to traditional firms by deploying novel technology, innovative processes, or unusual or wider outsourcing arrangements. It may be important for U.K. supervisors to consider these matters as they evaluate their current operating model. The PRA has nonetheless recognized some of these recent changes in the operational risk landscape and in particular the emergence of challenger banks. The authorities report that one aspect of this is the increase of the operational risk and IT risk resources allocated to smaller banks from less than 10 percent of these two specialist pools in 2014 to around 20 percent in the second part of 2015. U.K. supervisors have responded to recent lessons learned from their former approach to supervising operational risk and are encouraged to continue to evaluate the best ways to ensure appropriate mitigation of operational risk broadly in supervised firms. |
| Principle 26 | Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent131 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:
|
| Description and findings re EC 1 | CRD Art. 74.1 is contained in GOR 2.1 of the PRA Rulebook, which also implements Art. 13(5) and the second para. of the Markets in Financial Instruments Directive (MiFID). Under GOR 2.1, “a firm must have robust governance arrangements, which include a clear organizational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.” It also requires firms to have “effective control and safeguard arrangements for information processing systems.” GOR 2.2 requires the arrangements, processes, and mechanisms referred to under 2.1 to be comprehensive and proportionate to the nature, scale and complexity of firms’ activities. They must also take into account specific technical criteria described in other rules—such as in skills, knowledge, and expertise (SKE) 3.2 of the PRA Rulebook, which requires firms to define arrangements concerning segregation of duties and the prevention of conflicts of interest, and the risk control part of the PRA Rulebook, which implements CRD Art. 76. Under GOR 2.3, firms are required to establish, implement, and maintain (i) decision-making procedures and an organizational structure which specifies reporting lines and allocates functions and responsibilities; and (ii) adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm. Under 2.7, “A firm must establish, implement and maintain accounting policies and procedures that enable it, at the request of the PRA, to deliver in a timely manner to the PRA financial reports, which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.” Under 3.2, “a firm must ensure that its management is undertaken by at least two persons meeting the requirements laid down in 3.1.” Where 3.1 states that “the senior personnel of a firm must be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of a firm.” The above requirements in the PRA Rulebook are incorporated into the ‘PRA’s approach to banking supervision (June 2014).’ This approach outlines that firms should have robust frameworks for risk-management and financial and operational control, commensurate with the nature, scale, and complexity of their business, and consistent with their safety and soundness. Competent and where appropriate independent control functions should oversee these frameworks and its risk-management and control functions. In many cases these expectations are directly reflected in PRA rules. More generally they elaborate on the ‘prudent conduct’ and ‘effective supervision’ Threshold Conditions. The PRA supervisory approach to ensuring that firms’ internal control environments are robust is covered in EC 2 to 5. The FCA leads on financial crime, AML, and other conduct related issues, including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading, and computer intrusion. However, the PRA will consider these issues in the context of operational risk and the potential impact the effectiveness of a firm’s internal controls may have on a firm’s prudential safety and soundness. |
| EC 2 | The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions, and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. |
| Description and findings re EC 2 | The SKE part of the PRA Rulebook sets out requirements on firms to ensure that staff have appropriate SKE (SKE 2.1); that employees are not given multiple tasks that might compromise their ability to act properly (SKE 3.1); that a firm monitors, and regularly evaluates, the adequacy of its systems, and controls related to staff. In addition, at Category 1 firms the PRA meets regularly, and more than once per year, with the head of audit; head of compliance; the chair of the audit committee; the chair of the compliance committee; the head of the risk committee; and the external auditor. For firms in lower categories, meetings are held annually with the chairs of the audit and risk committees, and the head of internal audit. As outlined in the PRA approach document, firms should have in place separate risk-management and control functions—notably risk management, finance, compliance, and internal audit—to the extent warranted by the nature, scale and complexity of their business. Senior management and the Board should hear and heed the views of these functions. This means that they require access to the Board and (where a firm has them) the Board’s risk and audit committees, which should oversee these functions to ensure their independence and effectiveness. These functions support and challenge the management of risks across the firm, by expressing views within the firm on the appropriateness of the level of risk being run and the adequacy and integrity of the associated governance, risk-management, and financial and other control arrangements. The PRA expects these functions to be independent of a firm’s revenue-generating functions, and to possess sufficient authority to offer robust challenge to the business. This requires these functions to be adequately resourced, to have a good understanding of the business, and to be headed by individuals at senior level who are willing and able to voice concerns effectively. |
| EC 3 | The supervisor determines that banks have an adequately staffed, permanent, and independent compliance function132 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. |
| Description and findings re EC 3 | Compliance and Internal Audit 2 of the PRA Rulebook requires a firm to establish a permanent, effective and independent compliance function (2.3) and to appoint a compliance officer responsible for coordinating the various tasks associated with the firm’s compliance policies and procedures, and reporting to senior management (2.4). In order to enable the compliance function to discharge its responsibilities properly, the function “must have the necessary authority, resources, expertise and access to information”; compliance staff “must not be involved in the services or activities they monitor” and the firm’s remuneration policy should not undermine the compliance function’s objectivity (2.4). |
| EC 4 | The supervisor determines that banks have an independent, permanent and effective internal audit function133 charged with:
|
| Description and findings re EC 4 | Under Compliance and Internal Audit 3.1 of the PRA Rulebook, the PRA requires firms to establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm, where, given the nature, scale and complexity of its business, it is an appropriate and proportionate way of ensuring the firm maintains adequate and effective internal control mechanisms and arrangements. The internal audit function should be responsible for issuing recommendations and verifying compliance with those recommendations. In practice, all significant U.K. firms have an internal audit function, either fully sourced by the firm’s personnel or, if not, by a combination of internal and outsourced personnel. Under 3.1, the internal audit function has to establish, implement, and maintain an audit plan which examines the adequacy and effectiveness of the firm’s systems and controls, makes recommendations based on its work and verify compliance with those recommendations. Internal audit should provide independent assurance over firms’ internal controls, risk-management, and governance. |
| EC 5 | The supervisor determines that the internal audit function:
|
| Description and findings re EC 5 | Under GOR 2.1 of the PRA Rulebook134 the PRA expects a firm to ensure an internal audit function meets all the elements identified in (a) to (f) in this EC. Further requirements are also placed on firms in regards to the internal audit function through the compliance and internal audit part of the PRA Rulebook. Under Part 3.1135 “a firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm.” Under GOR Part 4.2 (1) of the PRA Rulebook “a firm must ensure that its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by Compliance and Internal Audit…indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies.” Under compliance and internal audit part 3.1 (1), where appropriate and proportionate in view of the nature, scale and complexity of its business and the range of its financial services and activities, a firm is required to “establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm’s systems, internal control mechanisms and arrangements.” Internal audit is currently part of the systems and control controlled function (CF 28) in the table of PRA controlled functions.136 The head of internal audit is also a SIF and all individuals applying for this role need to be approved by the PRA in consultation with the FCA. In assessing whether to approve the individual for the role, the PRA performs an assessment of an individual’s competence and capability to carry out the role (The PRA’s approach to banking supervision, June 2014, paras. 89–90). The PRA also places requirements on firms with regard to the outsourcing of functions in general, which addresses part (g) of EC 5. Under outsourcing part 2.6 (3)137 of the PRA Rulebook a firm “must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing, and must supervise those functions and manage those risks.” It is expected this rule would be applied where a firm outsourced functions relevant to internal audit. The supervisor assesses whether the firm’s internal audit function is operating effectively as part of its ongoing supervision of the firm. For example, some business model analysis work will assess the strength of the internal audit function as part of the review. This can include the capability and scale of resources in the internal audit function. The PRA requests copies of, and reviews, internal audit reports and can request the minutes and papers of audit committee meetings as part of its CA of the firm and when conducting onsite and desktop based reviews. In practice, for larger firms which the PRA supervises, audit committee papers, and minutes form part of the normal MI received from the firm. The PRA also meets, at least annually, with the head of internal audit, chair of the firm’s audit committee and external auditors of Category 1 and 2 firms, and periodically, on a proportionate basis, for Category 3, 4, and 5 firms. These meetings form part of the wider continuous program and provide supervisors the opportunity to test their findings and observations of the internal audit function. The PRA also meets with other Board and Board committee members, which allows the PRA to assess how internal audit reports/recommendations are escalated upwards and the extent to which findings are given adequate consideration by the Board and Board committees. In the event of internal audit duties being outsourced to an external body, such as a firm of accountants, the PRA seek similar comfort on the quality of work undertaken and its effectiveness in influencing the standard of internal control and risk management. In addition to its regular supervision, the PRA has powers to require the provision of a report on a firm, which could cover the effectiveness of the internal audit function, by a skilled person (FSMA S166). |
| Assessment of Principle 26 | Compliant |
| Comments | The PRA’s approach to supervision sets out an expectation that “firms should have in place separate risk-management and control functions—notably risk management, finance, compliance, and internal audit—to the extent warranted by the nature, scale, and complexity of their business.” For the largest and most systemically important firms, the PRA has set out expectations for its supervisors regarding their engagement with these various risk-management and control functions within the firm and with chairs of relevant committees at the Board level. In addition, the use of the APR may have helped supervisors to ensure that individuals being placed in key roles within firms were “fit and proper,” though as outlined earlier in this FSAP, problems have emerged with this approach that led to the proposal to replace the regime with a new SMR. As this came into force in March 2016, assessors at the next FSAP will have the opportunity to evaluate the SMR’s success in ensuring that the individuals in key roles in firms are indeed fit and proper and can be held appropriately accountable for their responsibilities. For smaller and less systemically important firms, the PRA may have fewer touch points beyond the PSM and subsequent midyear review to ensure that internal controls and internal audit are functioning as expected. U.K. supervisors rely on these firms’ compliance with the fundament rules and the threshold conditions and to report to supervisors when problems emerge with meeting these expectations. |
| Principle 27 | Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. |
| Essential criteria | |
| EC 1 | The supervisor138 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. |
| Description and findings re EC 1 | Regulation 2002/1606 (Arts. 4 and 5) requires the application of IFRS to the consolidated financial statements of EU companies whose securities are traded on a regulated EU market. EU countries may extend the application of IFRS to annual financial statements and nonlisted companies. Transparency Directive 2004/109/EC (Art. 4) stipulates that all issuers (including non-EU ones) whose securities are listed on a regulated market located or operating in an EU country must use IFRS and publish their financial statements annually. The audited financial statements shall comprise such consolidated accounts under IFRS as endorsed in EU and the annual accounts of the parent company drawn up in accordance with the national law of the MS in which the parent company is incorporated. Where the issuer is not required to prepare consolidated accounts, the audited financial statements shall comprise the accounts prepared in accordance with the national law of the MS in which the company is incorporated. Arts. 74 and 88 of the CRD require that institutions have in place appropriate robust governance arrangements including sound accounting practices in order to ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards. U.K. banks, building societies, and credit unions (‘U.K. credit institutions’) are required by the relevant law (the Companies Act 2006, the BSA 1986, and the Friendly and Industrial and Provident Societies Act 1968) to prepare financial statements and to maintain books and records that inter alia produce adequate and reliable data for the preparation of those financial statements. U.K. credit institutions are required to prepare their annual financial statements in accordance with IFRS as endorsed for use in the EU, U.K. FRS 101 reduced disclosure framework, or FRS 102 the FRS applicable in the U.K. and Republic of Ireland. Though not international standards, both FRS 101 and 102 describe accounting policies and practices that are widely accepted internationally. U.K. credit institutions are required by the aforementioned Acts of parliament to maintain books and records that inter alia produce adequate and reliable data for the preparation of those financial statements. The PRA, through its implementation of Arts. 74 and 88 of the CRD (GOR 2.1 and 5.1)139 has similar requirements. The FCA, through the U.K. listing authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed credit institutions, and the department of business, innovation, and skills (BIS), and the FRC enforce them on other firms. The PRA also reviews firms’ ability to produce adequate and reliable data. Although the focus of these reviews is often on internal MI and regulatory data, there is a natural overlap with accounting and other financial data. The PRA also reviews the external auditors’ management letter, as well as key audit committee and internal audit material and other material which helps the PRA in assessing the quality of a firm’s recordkeeping systems. |
| EC 2 | The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. |
| Description and findings re EC 2 | Under Art. 26 of the Audit Directive (2006/43/EU), MSs shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the commission. MSs may apply national auditing standards, procedures or requirements as long as the commission has not adopted an international auditing standard covering the same subject-matter. Under Art. 41 of the Audit Directive (2006/43/EU), public interest entities (credit institutions as defined in point 1 of Art. 3(1) of Directive 2013/36/EU) should establish an audit committee responsible to: (i) monitor the financial reporting process; (ii) monitor the effectiveness of the company’s internal control, internal audit where applicable, and risk-management systems; (iii) monitor the statutory audit of the annual and consolidated accounts; and (iv) review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audit entity shall monitor. However, this is without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of the shareholders of the audited entity, as also required under Art. 33 of the Accounting Directive (2013/34/EU). U.K. credit institutions are required by the relevant law (the Companies Act 2006, The BSA1986 and The Friendly and Industrial and Provident Societies Act 1968) to obtain an independent auditor’s opinion on their annual financial statements. Those audits are required to be conducted in accordance with auditing standards issued by the FRC. These auditing standards are referred to as ‘International Standards on Auditing (ISAs) (U.K. and Ireland).’ but are issued by the International Auditing & Assurance Standards Board (IAASB), with additional guidance or legal requirements to fit with local circumstances (for example, covering the duty of external auditors to report to the PRA in certain circumstances). The FRC has also issued guidance on the application of ISAs (U.K. and Ireland) to U.K. credit institutions: Practice Note (PN) 19 the audit of banks and building societies in the United Kingdom140 and PN 27 the audit of credit unions in the United Kingdom.141 PNs are persuasive rather than prescriptive and are considered indicative of good auditing practice. ISAs (U.K. and Ireland) require the auditor to include a statement as to whether the audit has been conducted in accordance with ISAs (U.K. and Ireland) as part of the auditor’s report. The PRA meets on a regular basis with external auditors of Category 1 firms and liaises with the external auditors of other credit institutions. The existence of an external auditor that carries out a high-quality audit is important to the way the PRA supervises firms and, through the discussions held with client specific audit teams, audit firms as a whole, and the auditing profession in general, the PRA seeks to ensure that those high standards are upheld. |
| EC 3 | The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. |
| Description and findings re EC 3 | Regulation 2002/1606 (Arts. 4 and 5) requires the application of IFRS to the consolidated financial statements of EU companies whose securities are traded on a regulated EU market. EU countries may extend the application to annual financial statements and to nonlisted companies. Must be assessed on a national basis. Art. 24 of the CRR requires that the valuation of assets and off-balance sheet items shall be effected in accordance with the applicable accounting framework. For prudential purposes, Art. 105 of the CRR requires that credit institutions establish and maintain systems and controls sufficient to provide prudent and reliable valuation estimates. In addition, Art. 105 of the CRR requires institutions to perform an independent verification and validation and to establish and maintain procedures for considering valuation adjustments to the position required for financial reporting and regulatory purposes. Art. 34 of the CRR requires institutions to apply the requirements of Art. 105 to all their assets measured at fair value when calculating the amount of their own funds and shall deduct from CET1 the amount of any additional value adjustments necessary. U.K. credit institutions are required either to prepare their financial statements in accordance with IFRS as adopted for use in the EU, FRS 101, or FRS 102. Those standards prescribe the measurement basis to be used for accounting purposes and, although there are some differences in detail, all those standards describe accounting practices that are widely accepted internationally. For prudential capital purposes, valuations are required (by Art. 24 of the CRR) to be effected in accordance with the applicable accounting framework and, in addition, trading book positions are to be subject to the standards for prudent valuation set out in Art. 105. What this means in practice is that accounting valuations are used for regulatory purposes except that accounting fair values are subject to so-called prudent valuation adjustments. The EBA is developing a RTS setting out how these prudent valuation adjustments are to be made.142 Although that RTS has not yet been formally adopted, it has existed in draft form now for two years and the PRA’s expectation is that firms will be applying it already. Supervisors assess the governance arrangements and systems and controls that firms are required by Art. 105 of the CRR to have in place to independently verify and validate their valuations. This work tends to focus on the major trading firms and on the prudent valuation adjustments made for regulatory purposes, where practice is benchmarked against EBA’s draft RTS on the subject; the underlying fair values being subject to external audit. This is achieved through regular CA meetings with the independent valuation control functions of those firms as well as more targeted reviews on specific product or process areas. The resources and system capabilities of these departments are assessed, along with the quality of their processes, documentation, and MI and their ability to challenge the judgments of the revenue generating functions. See also the responses to BCP 10, EC 3, and BCP 15. The PRA also draws comfort from the work of external auditors. U.K. firms are required by law to obtain an independent auditor’s opinion on their annual financial statements and, in forming that opinion, the auditor will consider the valuation practices used. That will involve considering the “framework, structure, and processes for fair value estimation” to the extent they consider necessary to form their opinion on the financial statements as a whole. The PRA meets with external auditors of the bigger U.K. credit institutions as part of the CA process to discuss issues of common interest, including valuation. |
| EC 4 | Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. |
| Description and findings re EC 4 | The Acts of Parliament mentioned in the response to EC 1 prescribe at a high-level the scope of the external audit that is required to be performed of U.K. credit institutions. This is supplemented by the requirements in ISAs (U.K. and Ireland) issued by the FRC. There are also U.K. specific PNs issued by the FRC (PN 19, PN 27, and PN 23 special considerations in auditing financial instruments) which provide guidance on audits of some U.K. credit institutions. The ISAs, and the PNs, follow a risk and materiality based approach to planning and performing the external audit. Other relevant FRC literature includes:
Although the scope is determined by law and ISAs (U.K. and Ireland), it is the external auditor that determines, based on its assessments of where the material risks to the financial statements lie, the depth to which specific matters making up that scope are covered. In order to help external auditors in this process, the PRA discusses with them what it regards as the key risks and areas of concern. Some of these are generic risks, but others are firm-specific. For example, a few years ago the PRA’s credit risk specialists gave presentations to each audit firm on the PRA’s concerns about refinancing risk. More recently, the PRA’s accounting experts have been giving presentations to each audit firm on what the PRA regards as the key financial reporting issues for their biggest U.K. credit institutions clients and for U.K. credit institutions in general. The PRA follows up on those key risks and areas of concern in subsequent discussions with external auditors. The PRA also engages with auditing standard-setters in respect of future issues to try to ensure that the appropriate authoritative material is in place on a timely basis as new issues emerge and existing issues change their form. If the PRA believes that work needs to be carried out by an external auditor (or other independent, external expert) on a matter that does not fall within the prescribed scope of an external audit of financial statements, it has powers under S166 and S167 of FSMA to require a firm to engage a skilled person to carry out a piece of work scoped by the PRA and deliver a report of a form specified by the PRA. It can also use S166 or S167 to engage a skilled person itself to carry out such work and prepare such a report. |
| EC 5 | Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. |
| Description and findings re EC 5 | Acts of Parliament and local auditing standards set out the scope of external audits of U.K. credit institutions. Those standards require the auditor to do such work as the auditor deems necessary to express an opinion on whether the financial statements as a whole show a true and fair view. These audits are conducted in accordance with internationally accepted auditing practices and standards (see the response to EC 2) and are based on a risk and materiality approach (see the response to EC 4). Together these requirements mean that all the areas mentioned in the EC will be covered by the audit as long as those areas are deemed material in the context of the financial statements as a whole, subject only to the following caveats:
As explained in the response to EC 5, the PRA engages with auditors to ensure that they are aware of what the PRA regards as the key risks and areas of concern. The PRA follows up on those key risks and areas of concern in subsequent discussions with external auditors, and earlier this year published proposed Rulebook changes designed to enhance this process further (see the response to AC1). The PRA also engages with auditing standard-setters to try to ensure that new and emerging issues relating to the areas mentioned in the EC and other audit-related issues are identified early and the appropriate authoritative material put in place on a timely basis. |
| EC 6 | The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. |
| Description and findings re EC 6 | The Audit Directive (Art. 3 of Dir 2006/43/EU) requires each MS to designate competent authorities which shall be responsible for approving statutory auditors and audit firms as they satisfy certain criteria under Art. 4 of the Audit Directive, which include among others adequate expertise and adherence to professional standards. The provisions do not explicitly cover the requirements of this EC, although based on an EBA survey across MSs in EU in 2015, in some MSs the supervisors may have powers over the appointment or dismissal of an auditor. The PRA has the power under S55M of FSMA to impose requirements that result in the proposed appointment of a new external auditor being rescinded or in the existing appointment of an external auditor being terminated. The power in respect of new appointments is supported by a requirement that the PRA be notified of an appointment (Part Auditors 2.1(5)).143 U.K. credit institutions are required to take reasonable steps, when appointing an auditor, to ensure that the auditor has the required skill, resources and experience to perform its duties (Part Auditors 3.1(1)) and that the auditor is independent of the firm (Part Auditors 4.1). The PRA also has the power, under S345A of FSMA, to disqualify (or fine or publicly censure) an audit firm if it appears to the PRA that the audit firm ‘has failed to comply with a duty imposed on him under [FSMA].’ U.K. credit institutions are prohibited from using disqualified auditors (Part Auditors 3.2). The PRA works closely with the FRC’s audit inspection teams to ensure that concerns that the PRA might have over the quality of a particular audit informs the audit inspection work that the FRC carries out and that the PRA understands and can respond appropriately to audit quality concerns that the FRC has following its inspections of particular audits. As part of this process, the PRA also can and does refer audits and external auditors that it has concerns about to the FRC’s accountancy scheme and to the auditors’ professional body. |
| EC 7 | The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. |
| Description and findings re EC 7 | The Audit Directive (2006/43/EU) sets out the rotation requirements for the key audit partner or partners on public interest entity engagements within a maximum of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. In summary, audit tendering is required by the U.K. Corporate Governance Code; the rotation of audit engagement partners is required by the FRC’s ethical standards; and U.K. legislation implementing the EU Audit Directive’s audit firm rotation requirements is expected to be in place by summer 2016. The PRA has no specific powers to require U.K. credit institutions to rotate their external auditors although it does have general powers under S55M of FSMA to impose requirements that result in the termination of an external auditors’ appointment. In 2012, the FRC updated its Corporate Governance Code—a document that has a ‘comply or explain’ status—to include a provision that FTSE 350 companies put their external audits out for tender every ten years (see para. C.3.7, p. 19). This has led to a number of U.K. credit institutions putting their external audits out to tender and, in some cases, to changing external auditor. For example, Cooperative BoE and HSBC have recently changed their external auditor, and the RBS and Barclays have announced that changes will be made. If a firm chooses not to comply with the Code, the PRA would consider the need to take action to ensure an appropriate level of governance. The FRC also has requirements regarding rotation of audit engagement partners. For listed companies, under the FRC’s ethical standard 3 (revised) long association with the audit engagement:
For unlisted firms, if an the audit engagement partner has been in place for ten years, the external audit firm must consider “whether a reasonable and informed third-party would consider the audit firm’s objectivity and independence to be impaired” and where the individual concerned is not rotated after ten years, the auditor must:
The U.K. authorities are in the process of implementing the EU Audit Directive and determining how the options in the EU Audit Regulation shall be implemented. The current proposal is that the effect will be that U.K. credit institutions other than credit unions will be required to change their external auditors every ten years unless a competitive tender is held at the ten year point in which case the external auditors’ tenure can be extended to 20 years. The EU timetable envisages that these requirements should come into effect from June 2016. |
| EC 8 | The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. |
| Description and findings re EC 8 | There are requirements in FSMA S339 that there should be at least annual bilateral meetings between external auditors and supervisors of the largest U.K. credit institutions (i.e., those that could have a material impact on the U.K. financial system). The PRA’s SS—the relationship between the external auditor and the supervisor: a code of practice (the PRA Code)—also sets out the principles that guide the PRA’s supervisory relationship with external auditors of individual U.K. credit institutions. The PRA Code mandates that, for the largest and most significant PRA supervised firms, there should be at least annual bilaterals between supervisors and auditors. It is often the case that supervisors meet more frequently with external auditors than FSMA and the Code requires. In addition to these mandated meetings, the PRA meets with audit firms in a number of fora, including twice-yearly bilateral meetings (held with the banking/financial services audit partners of the big six audit firms) to exchange feedback on the auditor-supervisor dialogue and to discuss generic issues of common interest relating to banking (and other) operations. As explained in the response to EC 1, the PRA also reviews the external auditors’ management letter, as well as key audit committee and internal audit material, and uses that material as a basis for its discussions with external auditors. The assessors met a number of auditors and discussed with them the modality of interaction with the regulators, both at bilateral level (supervisor and auditor of a single bank) and multilateral level (either between the supervisor and a specific audit firm or the supervisor and the audit industry): they drew the impression of a modality that is overall well-functioning, collaborative and, ultimately, mutually beneficial for a better understanding not only of the accounting practices, but also of the governance arrangements of the supervised/audited entities (though an auditor considered that still more room could be given to the latter aspect). |
| EC 9 | The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. |
| Description and findings re EC 9 | The requirement of the “duty to report” is established in the CRD (Art. 63(1)). It is, however, limited to material breaches of laws, regulations or administrative provisions; issues which affect the ongoing functioning of the institution; and issues which may lead the auditor to refuse to certify the accounts or to the expression of reservations. Under the FSMA 2000 (communications by auditors) regulations 2001,144 auditors have a legal duty to report to the PRA certain contraventions, or possible contraventions, of rules and legislation and other matters that they reasonably believe are or may be of material significance to the PRA. FSMA (S 342(3) and S343(5)) provides protection for auditors contravening any duty during disclosure under an auditors’ statutory duty to report to the PRA, provided the disclosure is done in good faith and the auditor reasonably believes the information or opinion is relevant to any function of the PRA. |
| Additional criteria | |
| AC1 | The supervisor has the power to access external auditors’ working papers, where necessary. |
| Description and findings re AC1 | The PRA does not have the power to access external auditors’ working papers unless those papers are issued to the client as reports (including the auditor’s report to those charged with governance and the auditor’s findings on internal control weaknesses). Under S165 of FSMA, the PRA has the power of access to the supervised firm’s documents including, for example, any reports from the auditor to the firm. As part of the PRA’s ongoing engagement with external auditors of the larger supervised firms, the PRA may request copies of the auditor’s report to those charged with governance and the auditor’s findings on internal control weaknesses. Both can be very valuable in understanding the issues that have arisen in the external audit, and the audit work that has been undertaken. From time to time, external auditors might be engaged carry out ‘deeper dives’ into areas covered by the audit, and the PRA may request copies of those reports too, as well as copies of reports that do not relate to audit matters. The FRC’s audit quality review team (AQRT)—which is responsible for the review of the audit work carried out on public interest entities (which includes all credit institutions other than credit unions)—has the right of access to the auditors’ working papers, and the PRA works closely with the FRC on general and specific audit quality matters. For example, the PRA suggests to the FRC audits that the PRA has concerns about to help the FRC to direct its audit inspection teams’ work. For other audits, the auditor’s recognized supervisory body is responsible for the review of the audit work and has the right of access to the auditors’ working papers for this purpose. If the PRA has a concern about the quality of one of these audits, it would notify the relevant recognized supervisory body which could then inspect the audit and the audit working papers. Recent changes made by the FRC to the Corporate Governance Code and ISAs (U.K. and Ireland) have resulted in greater transparency for the audit and auditor reporting process. In particular, the audit committee prepares a report that describes the significant issues that it considered in relation to the financial statements and how these issues were addressed and the external auditors include in their reports a description of those assessed risks of material misstatement that were identified by the auditor and which had the greatest effect on the overall strategy. These reports help the PRA to understand the areas of audit focus. In February 2015 the PRA issued proposals (in CP 8/15 engagement between external auditors and supervisors and commencing the PRA’s disciplinary powers over external auditors and actuaries)145 to require external auditors to prepare written reports to the PRA on their audit of specified matters. The intention behind these proposals is to further enhance the quality of the information the PRA has about the audit process and audit judgments and thereby further enhance the quality of the discussions the PRA has with external auditors (see the response to EC 8). The PRA is currently considering the comments received in response to the proposals and a decision is expected to be taken later in 2015 on whether (and if so how) to proceed with them. |
| Assessment of Principle 27 | Compliant |
| Comments | The law requires U.K. banks to prepare financial statements and to maintain books and records that produce adequate and reliable data for the preparation of financial statements. The FCA, through the U.K. Listing Authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed banks. The PRA also reviews firms’ ability to produce adequate and reliable data. While at the moment the supervisor has no formal power to impose a rotation of the auditor, the assessors observed that the U.K. Corporate Governance Code requires auditor rotation on a comply-or-explain basis, that several large U.K. banks have put their external audit out to tender and that the upcoming adoption (summer 2016) of the EU Audit Directive will formally impose audit rotation. The PRA does not have a formal power to access external auditors’ working papers, but the assessors observed a number of other practices and powers that mitigate the lack of a specific formal power: in particular, the close collaboration of the PRA with the FRC (which has right of access to the auditors’ working papers) and the use the PRA makes of this collaboration to address areas of its own concern. This, coupled with the observation that information from external auditors is a generally complementary aspect of bank supervision, on which the UK authorities rely to a much lesser extent than in other jurisdictions, leads to consider this deficiency immaterial. |
| Principle 28 | Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require periodic public disclosures146 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. |
| Description and findings re EC 1 | Three broad sets of disclosures are required regarding information on the financial condition and performance of credit institutions in the U.K.:
Art. 431 of the CRR require firms to publicly disclose the information set out in part eight of the CRR, which corresponds to the 2011 Basel II Pillar III disclosures. Additional required disclosures include the countercyclical buffer, asset encumbrance, GSIB, IRB models, and remuneration, among others. The EBA has issued binding technical standards specifying uniform templates and instructions related to own funds; leverage ratio; CCB; G-SIB indicators; and encumbered and unencumbered assets, among others. Art. 431 of the CRR requires a firm to adopt a formal policy to comply with the Pillar 3 disclosure requirements and to have policies for assessing the appropriateness of its disclosures, including frequency and their verification.
The form and content of financial statements of regulated firms in the U.K. is governed by the Companies Act 2006 (CA2006), among other laws. Reporting requirements differ depending on whether a firm is a company or a building society and whether it has issued listed securities. Listed U.K. banking and building societies (or entities with listed securities) are required to prepare consolidated financial statements in accordance with IFRS and to comply with those parts of CA2006 and BSA1986 applicable to companies or building societies reporting under IFRS. The form and content of a building society’s financial statements are similar to the requirements applicable to U.K. banking companies. Nonlisted U.K. banks and banking groups (companies are permitted to adopt voluntarily either IFRSs or FRS 102 for their solo and consolidated financial statements (CA2006) Sections 395 and 403). As for U.K. banks, nonlisted building societies may apply FRS 102 or may adopt IFRSs for their individual financial statements (BSA S72A). S393 of CA2006 requires that the directors of a company must not approve accounts unless they are satisfied that the accounts give a true and fair views of the assets, liabilities, financial position, and profit or loss of the company or group. All U.K. regulated firms are required to present comparative information in respect of the preceding period for all amounts report in the current period’s financial statements. The concept of materiality underlies the preparation of financial statements under IFRS and U.K. GAAP. If information is material, it is required to be recognized, measured, presented, and disclosed, as appropriate. Both U.K. GAAP and IFR require information provided in financial statements to be reliable. A regulated firm is required to present a complete set of financial statements at least annually. |
| EC 2 | The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. |
| Description and findings re EC 2 | IFRS and FRS 102 (U.K. GAAP) require qualitative and quantitative disclosures on an entity’s financial performance and financial position, the nature and extent of particular risks to which the entity is exposed during the period and at the reporting date, and how the entity manages those risks (risk-management policies and objectives). IFRS 7 and FRS 102 S11 and S34 require disclosure of the significance of financial instruments for an entity’s financial position and performance and the nature and extent of risks arising from financial instruments to which the entity is exposed and how the entity manages those risks. IAS 24, FRS 102.33.5–14, CA 2006 sections 409 and 401, CAR Schedules 2 and 6 and BSA Schedules 6 and 10 B require disclosures in the accounts of the relationships between a parent and its subsidiaries, the name of its parent and, if different, the ultimate controlling party, key management personnel compensation in total and in each category; if the firm had related party transactions in that period, the nature of the relationship and information on those transactions that are necessary for users to understand the potential effect of the relationship on the financial statements. IAS 19, CAR Schedule 8, and FRS 102.28 both require disclosure of additional information on employee benefit expenses. In addition, the PRA supports firms’ voluntary disclosure initiatives to promote transparency. Currently, for example, seven of the largest 21 banks (all within Category 1) voluntarily report under the British Bankers Association’s Code for Financial Reporting Disclosure that sets out principles for high quality, meaningful, and useful disclosures. Similarly, the FPC recommended in 2013 that the PRA should ensure that all major U.K. banks and building societies comply with the recommendations of the enhanced disclosure task force (2012) upon publication of their 2013 annual reports. Compliance has been high enough for the FPC to declare this recommended to have been implemented. |
| EC 3 | Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. |
| Description and findings re EC 3 | Art. 436 of CRR requires the disclosure of an outline of the differences in the basis of consolidation for accounting and prudential purposes, with a brief description of entities therein explaining the degree of their consolidation or deduction. Under IFRAS 12.10-31/U.K. GAAP and CA 2006 S409 and S410 and BSA, an entity is required to disclose information that enables users of its consolidated financial statements to understand the composition of the group and the interest that noncontrolling interests have in the group’s activities and cash flows. |
| EC 4 | The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. |
| Description and findings re EC 4 | Art. 78 of CRD requires the EBA to produce benchmarking studies on both credit and market risk to assist competent authorities in the assessment of internal models, highlighting potential divergences among banks or areas in which internal approaches might have the potential to underestimate an own fund requirement. These reports enable competent authorities to compare the outcomes of firms’ internal models and identify non-risk variability across firms and take appropriate corrective actions to overcome these drawbacks when deemed necessary. Two other examples of reviews undertaken by the EBA include an analysis of the consistency in the outcomes or the calculation or RWA as well as an annual assessment of Pillar 3 disclosures. These processes are meant to help inform regulators’ corrective processes (especially with regard to the study of risk-weighted asset calculations) and to foster greater compliance with regulatory disclosure guidelines as in the case of the Pillar 3 disclosure review. The PRA participates in the EBA-led assessments. The analysis focuses on European banks with cross-border activities and aims to identify reporting requires for which compliance must improve. For public annual reporting, capital or risk disclosure are subject to external audit if it contains information required by accounting standards. In addition, CA 2006 S496, 497, and BSA 72A require other sections of the annual report to be reviewed by the auditor for consistency with financial statements (including Pillar 3 disclosures where these are included in the annual report rather than in a separate document but outside the notes to the financial statements). Where annual accounts do not comply with the requirements of CA 2006 or BSA, every director who (i) knew they did not comply, or was reckless as to whether they complied, and (ii) failed to take reasonable steps to secure compliance, commits an offence. The financial reporting review panel (FRRP), which is part of the FRC, seeks to ensure that the annual accounts of public companies and large private companies and building societies comply with the requirements of the CA 2006 or BAS and applicable accounting standards. The FRC is the U.K.’s independent regulator responsible for corporate reporting and governance; its chairman and deputy chairman are appointed by the secretary of state for Business, Innovation, and Skills.147 The FRRP can ask firms to correct matters in error or may require alternative remedial action (either voluntarily or through a court order). The PRA and the FRC have signed a MoU that sets out arrangements for cooperation and coordination in carrying out their respective regulatory responsibilities. The arrangements include exchanging information to coordinate and cooperate effectively in the necessary areas and discussing concerns to inform the FRC’s exercise of its professional disciplinary function. |
| EC 5 | The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). |
| Description and findings re EC 5 | Under the Financial Services Act, the FPC is required to publish a FSR twice per year. The FSR covers the FPC’s view of the current stability of the U.K. financial system and an assessment of developments that have influenced this view. The content of the report is not fixed and usually covers aggregate capital ratios, balance sheet composition and other data related to short, medium and long-term risks to financial stability. In addition, after completing its first CST, the BoE published its results in December 2014 and included projected firm-level CET1 ratios in the stress scenario as well as aggregate and projected capital ratios, balance sheet composition, profitability, and credit risk profiles. The BoE furthermore publishes a range of monetary and financial statistics in relation to banking; this includes sectoral and industry breakdown of money and credit data; data on unsecured gross lending, loans and advances, deposit, consumer credit, write-offs, effective interest rates, bank funding, capital, and mortgage data. A recommendation had been at the prior FSAP that U.K. supervisors should publish nonconfidential firm-level prudential returns. However, the BoE still does not currently publish a periodic summary of banks’ regulatory returns and regular and comparable data on a bank-by-bank basis, including data from prudential returns. In this regard, firms’ Pillar 3 reports that are published represent a subset of data contained in the COREP regulatory return. Nonetheless, U.K. supervisors believe this form of Pillar 3 reporting has not proven useful to market participants. Thus the PRA has focused over recent years on making what is published more useful, working with the British bankers’ association and U.K. banks to promote greater consistency and comparability in Pillar 3 disclosures. Moreover, beginning in the fourth quarter of 2015, the BoE does intend to publish on a quarterly basis selected aggregate regulatory data from firms’ quarterly COREP submissions. |
| Additional criteria | |
| AC1 | The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period. |
| Description and findings re AC1 | IFRS and U.K. GAAP require qualitative and quantitative disclosures on a bank’s financial performance and financial position, the nature and extent of risks to which the entity is exposed during the period and at the reporting date, and how the entity manages those risks. Where information at a reporting date is unrepresentative of risk exposure, accounting standards such as IFRS 78/FRS 102 require an entity to make appropriate additional exposures. Likewise, information disclosed under Part Eight of the CRR is generally based on period end values. However, some of the disclosures are based on average values over the period or provide relevant data for the period. Examples of circumstances in which a measure other than “end of period” may be used under EU and UK guidelines appear below. Taken together, these examples suggest that the UK’s approach does broadly set adequate requirements for disclosures related to risk exposures over the course of a reporting period and not solely at the end of the period. Relevant EU Guidelines, as reported by the EBA:
Relevant U.K. Guidelines, as specified in IFRSs and U.K. GAAP:
The EBA’s guidelines on the disclosure of unencumbered assets, as required by Art. 433 of the CRR, specifies that firms should disclose asset encumbrance data on the basis of median values of at least quarterly data on a rolling basis over the previous 12 months. Firms are furthermore required to provide users with information on long term structural levels of encumbrance. |
| Assessment of Principle 28 | Compliant |
| Comments | Overall, the combined expectations set by the CRR, plus the requirements set out in U.K. financial reporting guidelines and audit frameworks, help to ensure that supervised firms are reporting on a consolidated and, where appropriate, solo basis that is easily accessible and fairly represent their condition and performance. Some changes in EU rules are, however, reducing requirements for firms to report their financial statements from quarterly to semi-annually. Up until the present, all listed Category 1 firms reported quarterly, but the EU is making this voluntary. U.K. supervisors have spoken with their firms, and most Category 1 firms (especially the seven largest) said that they will voluntarily continue to report quarterly. One recommendation that carries over from the prior FSAP is that U.K. authorities should continue to consider publishing nonconfidential firm-level prudential returns, such as balance sheet and income statements, loan and investments (sectoral information), asset quality (past dues, NPLs, charge offs), funding structure, capital structure, and off-balance sheet exposures. Such disclosures would make more comparable and consistent data available to the marketplace for analysis and monitoring. Supervisors also discussed a range of benchmarking exercises that have been proposed, including a European annual supervisory benchmarking exercise, tentatively to begin in early 2015. At the prior FSAP, assessors noted some concerns about the quality of external audits and the need for more professional skepticism. The PRA has subsequently set more explicit expectations for supervisors to meet with external auditors, including requiring that supervisors for Category 1 and 2 banks meet at least once per year with the external auditor and one additional meeting per year around the annual audit if the supervisor is the home country supervisor for the firm (see BCP 9, EC 11). The PRA has also released a SS explaining how PRA supervisors should work with external auditors called, “The relationship between the external auditor and the supervisor: a code of practice.” |
| Principle 29 | Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.148 |
| Essential criteria | |
| EC 1 | Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. |
| Description and findings re EC 1 | The FCA serves as the primary U.K. supervisor charged with combating the abuse of financial services in regulated financial services organizations including banks. FSMA 2000 sets one of the FCA’s operational objectives as protecting and enhancing the integrity of the U.K. financial system, which includes not allowing it to be used for financial crime (S1B(3)(b) and S1D(2)(b)). Under FSMA, the FCA has the power to make rules related to the conduct of banks; to supervise compliance with its rules and enforce breaches; and to supervise all authorized firms that are subject to the U.K.’s MLR 1007. Regarding this latter responsibility, the FCA estimates that 15,000 firms are subject to the MLR, of which 900 are deposit-taking institutions, primarily credit unions, but also retail and wholesale banks. Similarly, the FCA is responsible for supervising firms’ compliance with other financial crime legislation including the “Transfer of Funds Regulations 2007;” the Terrorism Act 2000; and Schedule 7 of the Counter-Terrorism Act 2008. In this regard, the FCA provides guidance to firms, such as through its “financial crime guide: a guide for firms.” As a supervisor, the FCA operates both integrated and dedicated financial crime supervision strategies, drawing on its dedicated financial crime specialist supervision team, which is part of its broader financial crime department. |
| EC 2 | The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. |
| Description and findings re EC 2 | The FCA divides all firms subject to its supervision of financial abuse-related matters into categories based on the agency’s perceptions of the financial crime risk a particular firm presents. These categories do not necessarily reflect the size of the firm and, in some cases, smaller deposit-takers may be categorized into a higher risk category alongside larger firms based on risk criteria that the FCA has developed. For newly authorized firms, this includes a review of the financial crime policy and procedure of all applicant banks. For firms in especially the two highest risk categories, the FCA examines whether firms have adequate policies and procedures, staff vetting, and reporting processes through its authorizations and risk-based supervisory work to prevent them from being used for purposes connected with financial crime. Firms wishing to become authorized must provide information that is assessed against the FCA’s Threshold Conditions and for risk to its objectives. Applications for authorization, approval, and change in control are likewise subject to review, which includes a review of AML/compliance policies and procedures of a firm. As part of its supervisory work, the FCA assesses not only whether a bank has policies in procedures in place, but also assesses whether those are working effectively in practice. It considers other factors such as the culture of a firm, governance and oversight of risk, risk-management and assurance, and the quality and effectiveness of training. FCA supervisors furthermore evaluate whether firms have considered best practices included in the FCA’s financial crime guide and other relevant guidance: among other factors, supervisors consider whether a firm has set clear criteria for escalating financial crime issues. In practice, firms in the highest risk band are subject to the most extensive and intrusive supervision. Since 2012, the FCA has employed the “systematic anti-money laundering program” (SAMLP) assessments in such firms. The program operates on a four-year, rolling cycle. The onsite portion of the work in a bank lasts about three months and involves detailed testing and interviewing of key staff responsible for the bank’s business and for implementing AML processes and controls both operations of U.K. incorporate banks outside of the EEA. Firms in the next highest risk band are subject to site visits. The FCA conducts such visits on a two-year cycle and spends two to four days at most firms in this category. For firms not in the two highest risk categories (henceforth the “lower risk” categories), the FCA relies on thematic reviews and a more responsive approach to supervising this risk. Given that this approach is relatively new and was first adopted in 2014, not enough data exists to assess the scope of the authorities’ coverage of firms in the lower risk categories over, for example, a three- or five-year period. This leaves open a question about the adequacy of the coverage of firms viewed as lower risk to ensure that “banks have adequate policies and processes that promote high ethical and professional standards” to prevent abuse of financial services, as required by this essential criterion. Both the authorities and assessors should have access to better data to evaluate this coverage of lower risk firms at the next FSAP. Supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement agencies, other domestic and overseas AML authorities, or through “thematic reviews,” proactive work considering how a sample of firms—usually 20 to 30––including those in the lower risk categories––are managing specific financial crime risks (described in more detail in the assessment of the below). The FCA also undertakes “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize |
| EC 3 | In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.149 |
| Description and findings re EC 3 | As noted earlier, the FCA’s principles compel banks to deal with their regulators in an open and cooperative way, and they must disclose to the appropriate regulator anything relating to the bank of which the regulator would reasonably expect notice. While the FCA’s rule do not contain an explicit requirement for firms to report fraud that is material to a firm’s safety and soundness, the rules do require a bank to report an incidence of “significant fraud” to the appropriate regulator immediately. The FCA rules state that a firm should consider the size of any monetary loss or potential monetary loss to itself or its customers when determining what constitutes a significant loss. In this regard, the PRA’s Fundamental Rule 7 states the following:
With regard to self-reporting of potential issues, U.K. authorities noted in discussions that over 350,000 suspicious activity reports were filed with the U.K.’s National Crime Agency from 2013-2014,150 of which about 290,000 were filed by retail banks and 23 thousand filed by building societies. The National Risk Assessment prepared by HMT and the home office identified nonetheless a variety of complaints regarding the suspicious activities report (SAR) filing process,151 which U.K. authorities summarized in discussions as reflecting the need to overhaul the IT supporting the SAR filing process as well as a potentially overly formulaic approach to filling in such forms by firms themselves. At the time of this writing, the authorities had not yet finished a public consultation on measures they would take to address concerns with the SARs filing process. |
| EC 4 | If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. |
| Description and findings re EC 4 | The U.K.’s MLR state that the FCA and all other AML supervisory authorities must promptly inform the National Crime Agency (the U.K.’s Financial Intelligence Unit) if they know or suspect that a person is or has engaged in money laundering or terrorist financing. The BoE’s policy on AML is that it will meet all legal obligations under the Proceeds of Crime Act (POCA) 2002, the MLR, and the Terrorism Act 2000. The BoE has appointed a money laundering reporting officer (MLRO) to whom staff are required to report any suspicion of money laundering. The FCA also appoints and a MLRO, who is responsible for overseeing the organization’s duty to report suspicions of money laundering as required by the MLR. The MLRO is supported by two deputy MLROs. Over the last few years, the FCA has run an awareness program to improve FCA-wide reporting of suspicious activity. FCA staff reporting requirements are covered within compulsory financial crime modules for supervisors and are also included in targeted training sessions and wider briefings provided to specific FCA departments |
| EC 5 | The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:
|
| Description and findings re EC 5 |
The MLR sets requirement for banks to retain copies of the evidence of the customer’s identity for five years after a business relationship ends, among other responsibilities. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially the top risk and, to a lesser degree, firms in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews and a more responsive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through regulatory returns, complaints, whistleblowers, media reports, law enforcement agencies, domestic and overseas AML authorities, or through “thematic reviews.” The FCA also undertakes “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 6 | The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:
|
| Description and findings re EC 6 | The MLR require banks that have, or propose to enter into, a correspondent banking relationship to apply enhanced due diligence measures to mitigate money laundering and terrorist financing risk. Banks are required to gather sufficient information from correspondents to understand the nature of its business and assess the respondent’s AML and terrorist financing controls, among other requirements. The MLR also prohibits banks from entering into, or continuing, a correspondent banking relationship with a shell bank or a bank that is known to permit its accounts to be used by a shell bank and must take appropriate measures to prevent this. As part of its risk based supervisory work, the FCA examines and tests that banks have enhanced due diligence policies and processes regarding correspondent banking. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially those in the top risk category and, to a lesser degree, firms in the second highest risk category. For firms in the lower risk categories, FCA relies on thematic reviews, monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners or through “thematic reviews.” |
| EC 7 | The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. |
| Description and findings re EC 7 | The MLR requires banks to establish and maintain appropriate and risk-sensitive policies and procedures in relation to, amongst other things, internal controls in order to prevent activities related to money laundering and terrorists financing. In response to continued poor findings regarding firms’ AML regimes, the FCA developed a supervisory strategy in 2014 to target its resources more effectively and focus on banks that present the highest risk to its financial crime responsibilities, irrespective of their size. All firms supervised by the FCA that are subject to the MLRs are now broken up into risk bands to reflect the FCA’s consideration of the level of financial crime risk they present. Firms in the highest risk category are subject to the most intrusive and proactive supervision, including the FCA’s systematic AML Program—detailed testing of firms’ AML controls in their U.K. operations and, where relevant, important or high risk overseas operations. Firms in the second highest risk category receive two to four day visits from FCA supervisors every two years. Firms in the lower risk categories are monitored by risk alerts, “event driven” supervision, when there are indicators of increased or crystallized risk, and thematic sector-wide reviews of specific financial crime risks. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement or other partners, or through “thematic reviews.” |
| EC 8 | The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. |
| Description and findings re EC 8 | FSMA gives the FCA the power to compel from banks any information or documentation reasonably required by it in the exercise of its functions (S165). Under the FSMA, the FCA may also vary or cancel the bank’s permissions to carry on regulated activities in various circumstances, including where the bank is failing, or is likely to fail, to satisfy the Threshold Conditions or where such variation is desirable in order to advance one or more of the FCA’s operational objectives. Under FSMA, the FCA can furthermore issue private censures and impose unlimited financial penalties. |
| EC 9 | The supervisor determines that banks have:
|
| Description and findings re EC 9 |
Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is focused on the highest risk firms, especially those in the highest risk category and, to a lesser degree, those in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews, monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners, or through “thematic reviews.” The FCA also undertakes ‘event driven’ supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 10 | The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate MI systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. |
| Description and findings re EC 10 | In addition to practices outlined above, the FCA examines and tests banks’ compliance with relevant laws and regulations through supervisory work, including, where appropriate, satisfying itself of the existence and effectiveness of internal controls. To do so, the FCA may review organizational charts that identify teams and individuals with responsibility for AML and sanctions; assessment of the financial crime risk ownership and the effectiveness of escalation routes within the BoE; details of committees in which AML/financial sanctions have been raised; assessment of relevant MI; the money laundering risk officer’s report; culture, governance, and “tone from the top”; and evidence of senior management acting on MI and instances of crystallized risk. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially those in the highest risk category and, to a lesser degree, those in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews, automated monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing, and, instead, are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners, or through “thematic reviews.” The FCA also undertakes ‘event driven’ supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 11 | Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. |
| Description and findings re EC 11 | POCA 2002 allows banks to disclose information that meets defined criteria;153 such disclosure will not breach any legal restriction on the disclosure of information that would normally apply. The Serious Crime Act 2015 amended POCA and introduced a specific exemption from civil liability for money laundering disclosures. The Terrorism Act 2000 and the Data Protection Act 1998 likewise provide similar exemptions regarding relevant disclosures. |
| EC 12 | The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. |
| Description and findings re EC 12 | FSMA 2000 establishes a duty on the FCA to take steps appropriate to cooperate with other persons (in the United Kingdom or elsewhere) who have functions similar to that of the FCA in relation to the prevention or detection of financial crime. FSMA 2000 permits disclosure to equivalent supervisory authorities to enable or assist them to discharge their supervisory functions. The FCA also provides the secretariat for the financial crime information network, which is a forum for intelligence-sharing on financial crime issues, made up of 110 representatives from central government, law enforcement agencies, and regulatory bodies around the world. |
| EC 13 | Unless done by another authority, the supervisor has inhouse resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. |
| Description and findings re EC 13 | The FCA has specialist expertise to tackle financial crime at all stages of the regulatory process, with 23 staff serving on its specialist intelligence services team; they support colleagues who assess the fitness and propriety of applicants for authorization or approval. The financial crime department consists of 42 staff, which includes a financial crime specialist supervision team (27 staff) who provide expert financial crime support and conduct supervisory visits, among other roles. Its financial crime policy and risk team (9 staff) work with other parts of the FCA to ensure the consistent application of financial crime policy, rules, and risk-management practices. In addition to maintaining its technical experts, within the FCA all supervisors are required to complete compulsory financial crime online training. This is supplemented with targeted training sessions and wider briefings provided to specific FCA departments. In terms of outreach to banks, the FCA publishes thematic reviews on AML and financial abuse issues; it participates in industry conferences, where its staff give speeches and presentations on recent findings; and through its relationship managers with the higher risk firms, it communicates directly with firms on financial crime issues, best practices, and supervisory expectations. The FCA publishes a document ‘financial crime: a guide for firms, which sets out examples of good and poor financial crime risk-management and conducts outreach activities such as webinars and speeches to reinforce these messages. |
| Assessment of Principle 29 | Largely Compliant |
| Comments | The U.K. supervisors appear to benefit from an appropriate legal framework and appropriate policies to oversee regulated firms’ compliance with laws and regulations that seek to prevent the abuse of financial services. Questions remain regarding depth and frequency of coverage of supervision of this risk area to evaluate compliance with expectations across supervised firms. In particular, as noted in several essential criteria above, a question remains whether sufficient testing is done to ensure that appropriate policies, procedures, controls, and training are developed and implemented by all deposit-takers, and not solely by those viewed currently as being in the highest risk categories (though, in the FCA opinion, these would capture a very large share of the transactional banking market by volume, e.g., approximately 95 percent of personal current accounts in the U.K., based on a provisional report of the CMA on the retail banking market).154 The lower–risk firms, which represent the majority of firms (in terms of numbers), are not subject to systematic reviews or testing, with the exception of thematic work and event driven work related to suspected or crystallized risk. The authorities recognized this and indicated that they do seek to ensure an appropriate “churning” of firms subject to more intensive supervision that goes beyond thematic reviews and responses to suspected or crystallized risk. Still, the process for doing so remains at a relatively early stage, and more time will be needed for the authorities to gather data on how many firms can be covered. More broadly, this weakness regarding the breadth of coverage across firms represents the key concern cited for this principle at the prior FSAP and led to the “largely compliant” assessment. Since 2014, the FCA has segregated supervised firms into categories as a means of aligning monitoring and oversight more closely with its assessment of the relative degree of risk in each firm. Those 14 investment banks and retail banks identified as being in the highest risk category receive the greatest degree of supervisory scrutiny and monitoring including the FCA’s systematic AML Program––which includes detailed testing of firms’ AML controls in their U.K. operations, and where relevant, important or high risk overseas operations. They are followed by 75 firms of varying size (63 of which are banks) in the second highest risk group. Firms in the second highest risk category are subject to a visit of two to four days every two years, led by three to four specialists, who will review 20–25 customer files representing a mix of high risk customers plus a random sample. For these higher risk firms, assessors gained the sense from conversations with supervisors that the FCA employs a greater degree of sample testing than may have been the case at the time of the prior FSAP. Assessors did not seek to quantify the scale of testing and relied on discussions and reviews of sample preparatory letters sent to firms in advance of supervisory visits; these materials suggest that FCA staff do review a sample of files while onsite at firms in the highest risk categories. The vast majority of banking organizations, however, are found in the lower risk categories. U.K. supervisors rely largely on proactive thematic reviews and information from whistleblowers, media reports, law enforcement agencies, and other domestic and international AML supervisors, as well as “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize. This more limited approach to evaluating compliance in firms thought to be lower risk raises a question about whether supervisors are indeed conducting sufficient work to ensure that “banks have adequate policies and processes that promote high ethical and professional standards” to prevent abuse of financial services (EC 2); whether “banks establish CDD policies and processes that are well documented and communicated to all staff” (EC 5); whether banks have “specific policies and processes regarding correspondent banking” (EC 6); whether “banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services” (EC 7); whether banks meet the requirements regarding internal audit, the designation of compliance officers at the appropriate level, adequate screening processes for hiring, and ongoing relevant training programs (EC 9); and whether “banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services” (EC 10). Firms in the lower risk categories are subject to periodic “thematic reviews,” which in recent years have included the FCA’s studies of small banks’ approaches to managing money laundering risk (November 2014) or controls that banks had instituted over financial crime in trade finance (July 2013). Thematic reviews typically involve two to three day visits to a sample of 20-30 firms to evaluate a particular risk-related issue; the results are published. This is supported by reviews into event driven supervisory matters relating to suspected or crystallized AML risks. Such reviews of a small sample of supervised firms appear to be the main “backstop” against failures to comply with supervisory expectations regarding financial services abuse in the majority of lower risk banking organizations. Relying on a risk-based approach to prioritizing the allocation of a supervisor’s time and resources is an understandable management decision; the international FATF has recently reiterated its support for adopting such an approach with regard to money laundering and terrorist financing. Nonetheless, in supporting the use of such an approach, FATF encourages supervisors to ensure that financial institutions are “effectively implementing” their own obligations to assess risk.155 At present, the backstop on which U.K. authorities depend for ensuring that smaller firms are effectively managing their risks regarding financial abuse appears to be limited. Firms in the lowest risk categories––the majority of banking organizations––are subject only rarely to firm-specific evaluations of compliance with rules combating money laundering and terrorist financing. In this regard, the thematic reviews that the FCA has undertaken using even small samples have indeed identified a range of weaknesses in compliance, including some that it characterized as “particularly serious” and requiring supervisory action.156 U.K. supervisors should consider additional means of ensuring more tangibly that even firms thought to be of lower risk are indeed effectively managing their risks against financial abuse; we reiterate the findings of the prior FSAP regarding “concerns about pockets of financial activities that receive less than adequate supervision.” |
| Principle 14 | Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,63 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. |
| Description and findings re EC 1 | The U.K. authorities cited a variety of laws and regulatory guidance that establish the responsibilities of a bank’s Board and senior management.
Additionally, U.K. authorities rely on the “APR” to ensure the fitness and propriety of individuals deemed capable of exercising significant influence on a firm and imposing enforceable obligations on them. While supervisors felt that the APR did result in better-qualified candidates being recommended for key roles in firms, in retrospect the regime’s weaknesses have been highlighted publicly. In March 2016, the APR was replaced with a new “SMR” that is intended to address recommendations issued by the PCBS; in particular, it implements amendments to the FSMA 2000 made by the Financial Services (Banking Reform) Act 2013. As this new regime has not yet been implemented, its effectiveness cannot be evaluated in this FSAP. Nonetheless, assessors discussed with supervisors the perceived benefits and how SMR may change the authorities’ approach to promoting sound governance and risk-management in firms in the future. Regarding guidance, assessors reviewed letters sent to firms, including to their Boards of directors, in which supervisors expressed concerns about particular governance-related issues. Examples included PSM or PSM-related correspondence in which supervisors raised concerns about a Board’s composition, such as lacking sufficient numbers of NEDs with banking experience; concerns about the structure of Board committees; concerns about Board appointments; concerns about the ability of a control function to offer enough “challenge” against business lines. Overall, the letters reviewed generally identified the supervisor’s concerns clearly and directly. What remained unclear in the letters, in some cases, was what supervisors wanted a firm to do other than to continue the discussion of the issues, though some letters contained more specific expectations regarding next steps. Supervisors note that follow-up meetings are held with the firms to clarify what actions the PRA expects firms to undertake. In addition, assessors reviewed internal staff memoranda outlining the results of governance-related reviews in supervised entities that demonstrated broadly the authorities’ focus on the responsibilities of a bank’s Board of directors and senior management. During the course of the assessment in November 2015, the PRA issued in final form an internal document outlining its broad approach to assessing corporate government in supervised firms called “the Supervision Approach to Management and Governance,” This document sets out what it calls a “map of the territory” that the PRA expects supervisors to cover in evaluating corporate governance. Specific areas of focus include understanding the collective effectiveness of Boards and separately of senior management, as well as an evaluation of “culture,” which includes assessing how well the Board’s expectations match those of the PRA. During the BCP assessment, the authorities were in the midst of implementing this guidance, including offering half-day training sessions to staff, and consequently assessors could not evaluate its effectiveness and track record. Nonetheless, the document appears to set out an appropriate direction for the future evolution of the PRA’s evaluations of corporate governance that can be evaluated at the next FSAP. |
| EC 2 | The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. |
| Description and findings re EC 2 | As noted above in CP 8, the PRA assesses “management & governance” as an element within its risk model and refreshes its views as part of the PSM and the subsequent mid-year review. In addition, especially in the largest firms, the PRA will undertake periodic governance reviews, including “deep dives” where appropriate, in which specialists may evaluate particular aspects of corporate governance. (The PRA recommends that such reviews take place every two to three years for the largest firms.) More recently, the PRA has begun to conduct corporate governance reviews in the next largest group of firms, the Category 2 banks. While the PRA takes the lead in evaluating governance, the FCA seeks to ensure that governance within a bank is sound and pays appropriate attention to conduct-related risks. The FCA’s focus for governance assessments is on its fixed firms, in line with its risk appetite. Supervisors may assess governance in flexible firms as part of work on events (such as crystallized risks) or cross-firm work, covering multiple firms. The FCA forms its views primarily: through direct liaison with key Board members and senior executives; through focused detailed reviews; and through reviewing materials provided to a firm’s Board and other key committees. In addition to reviewing letters such as those mentioned above in EC 1, assessors saw examples of letters to firms requesting changes to remuneration policies as well as examples of skilled persons reviews (S166 reviews) that included a focus on governance or governance arrangements. |
| EC 3 | The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced nonexecutive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced nonexecutive members |
| Description and findings re EC 3 | CRD IV Art. 88(2) requires that all firms that are significant in terms of their size, internal organization, and the nature, scope, and complexity of their activities must establish a nomination committee composed of managers of the management Board who do not perform any executive function in the firm. Chairs of Board committees are NEDs performing a controlled function and must apply for approval from the PRA to take up the role. Expectations for each significant committee were outlined by the authorities and include the following guidelines:
Assessors reviewed documentation arising from numerous interviews and analyzes that PRA and FCA staff had undertaken in determining whether an individual is “fit and proper” to assume a significant role in a firm as part of the legacy APR. As the authorities noted, in most cases U.K. supervisors have historically relied on supervisory dialogue and “soft power” to express views on whether an individual is “fit and proper” and encourage changes in nominations or to ensure that individuals receive adequate support and training before taking on sensitive roles in a firm. |
| EC 4 | Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty.”64 |
| Description and findings re EC 4 | S172 of the Companies Act requires a director to act in the way she/he considers, in good faith, would be most likely to promote the success of the company for its members as a whole. In addition, banks are required to comply with the statement of principles under S64(1A) of FSMA 2000 outlining expectations for “approved persons” to act with integrity, due skill and care, and in accordance with proper standards of market conduct in the discharge of his/her accountable functions, as examples. If an individual fails to comply with a statement of principle, the PRA can take disciplinary action against the person under S66 FSMA 2000, including imposing regulatory fines. As noted above, supervisors made available documentation of interviews and analyzes that the PRA and FCA had undertaken to determine whether an individual is “fit and proper” to assume a senior role at the firm; these included analyzes of candidates for roles on a Board of directors, including roles involving chairing a significant committee. |
| EC 5 | The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite65 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. |
| Description and findings re EC 5 | Supervisors at the PRA determine that the Board approves and oversees the implementation of its policies through regular meetings with Board members of Category 1 and 2 firms; specific reviews with specialists teams on corporate governance; and, for Category 3–5 firms, at least annual visits and meetings with members of the Board and senior management to gain a better understanding of their ability to provide good oversight. Offsite supervision involves reviews of Board meeting agendas, papers and minutes, and internal communications of codes of conduct, training materials, and other materials that shape corporate culture. Supervisors at the FCA seek to ensure that firms maintain the appropriate “tone from the top” and culture to ensure that (i) staff behave in manner consistent with the fair treatment of customers and reflects the integrity of financial markets and that (ii) conduct-related risks are identified and effectively managed. For major firms supervised on an individual basis, the FCA periodically seeks to understand how the Board and senior management pursue these goals and engages in direct liaison with key Board members and senior executives, occasional direct reviews, through reviews of materials prepared for the Board and key committees, and in review conduct-related incidents and the firms’ remediation of those incidents. |
| EC 6 | The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. |
| Description and findings re EC 6 | In addition to the descriptions of the U.K. authorities approach to evaluating the effectiveness of the Board, including in overseeing the firm’s organizational structure and management, U.K. authorities have relied until March 2016 on the APR to seek to assess directly the fitness and propriety of the senior managers in the firm. The PRA draws on its views regarding senior management in forming assessments agreed at the PSM held regularly for each firm. Discussions about succession planning are conducted in regular CA meetings with Board members and through specific reviews. The PRA monitors the performance of senior management partly through regular review of Board documentation and scorecards at both business and individual level, as well as through the annual remuneration round review and ongoing supervisory contact. This includes a discussion with the chair of the remuneration committee on staff assessment and on remuneration decisions. Assessors had an opportunity to review internal memoranda and letters to firms outlining the supervisors’ views on the effectiveness of both individual Board members and of the Board as a whole and overall found them indicative of the processes described above. The documents available included the PRA’s annual review of the effectiveness of a Board of directors at a major firm as well as a review of its succession planning. |
| EC 7 | The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. |
| Description and findings re EC 7 | The Remuneration Part of the PRA Rulebook sets out rules that require firms to discourage excessive risk-taking and to encourage more effective risk management. As reported by staff, the remuneration rules were introduced in 2009 in response to the FSB Principles & Standards on Sound Compensation practices and came into effect in January 2010. The rules are jointly owned by the PRA and FCA and the supervisory teams work closely together in monitoring compliance. The main objective of the remuneration rules is “to align firms’ remuneration policies and practices with effective risk management, and to ensure that they do not provide incentives for excessive risk-taking.” Supervision with the assistance of policy assesses their firms against the remuneration rules to ensure that the firm does not operate any policies that may encourage excessive risk-taking. This annual process takes place before the firm communicates their annual bonuses. Level one remuneration firms (firms with total assets over GBP 50 billion over an average of three years) are required to submit their remuneration policy statements (which details how they ensure they meet the requirements of the remuneration rules) to their supervision teams for review. The general process for Level one firms involves meetings or calls with the firm (HR and remuneration committee Chair) followed by written feedback which may include some areas of concern that requires further action from the firm and non-objection to the firms proposed bonus awards. The PRA supervision team reviews the firms’ submission alongside the FCA, providing joint feedback where appropriate. Level two (firms with total assets over GBP 15 billion but less than GBP 50 billion averaging over three years) and level three remuneration firms (firms with total assets less than GBP 15 billion) are required to complete the remuneration policy statement which should be made available to submit to the regulators on request. Malus and clawback Supervisors of firms subject to the remuneration rules will consider, on an annual basis as part of their supervision of the firms concerned, any reports made by the firm as to application of malus (reduction of unvested awards) or clawback of vested awards. They will also consider whether any circumstances they are otherwise aware of in the firm might give rise to a requirement to apply malus or clawback, and if so may require the firm to apply malus or clawback as appropriate. Staff indicated that, in the case of serious failures or misconduct, malus or clawback requirements could be imposed at any point in the year, in which case supervisors would take this up with the firm at the time. Equally procedures to determine malus or clawback will often extend beyond the normal reporting cycle in which case supervisors may follow-up on the outcomes outside of the annual bonus round. Assessors reviewed communications to firms from PRA supervisors in some cases outlining concerns about the structure of compensation packages or, in other cases, approving the release of compensation packages for individuals subject to its review. During discussions, supervisors noted the introduction of risk-adjusted performance requirements in compensation packages. While staff viewed these as having improved recently, they acknowledged the difficulties in developing such features and the need for the industry to continue to develop and apply such adjustments. |
| EC 8 | The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. |
| Description and findings re EC 8 | In the PRA’s supervisory approach document, the PRA explains its expectations that a firm’s control framework should be comprehensive in its coverage of the whole firm and all classes of risk, commensurate with the nature, scale, and complexity of the firm’s business. The effectiveness of a firms’ risk-management arrangements are monitored through the PRA’s CA program and by periodic enterprise-wide risk-management (EWRM) reviews, specialist reviews, and case studies. For the most systemically important firms, the PRA’s dedicated supervisory team monitors the relevant firms’ risk-management arrangements on a continuous basis and reaches its views through internal discussions at the annual PSM and the subsequent internal mid-year update. According to SS9/13 on securitization, a bank applying for permission for a significant risk transfer through securitization is expected to provide, inter alia, information on its governance processes, including details of any relevant committees and the seniority and expertise of key persons involved in sign-off. |
| EC 9 | The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. |
| Description and findings re EC 9 | Under S61(1) of FSMA 2000, the regulator may grant a Board candidate’s application for approval only if it is satisfied that the candidate is fit and proper to perform the controlled function to which the application relates. If the supervisor determines that a specific member of the Board is not fit and proper and/or does not possess the capabilities to carry out his role efficiently, the PRA has the power to remove his/her approval under S63(1) of FSMA. The PRA can also require a firm to hire additional Board members where it assess that a Board lacks a particular set of skills or expertise on the Board for its size, nature, or complexity of activities it undertakes. Assessors had an opportunity to review correspondence between PRA supervisors and Boards of directors or their chairs identifying particular skill sets that the PRA felt a Board might need in future members. Assessors saw as well examples of internal analyzes and recommendations to withdraw candidates from consideration for Boards given a lack of expertise or understanding on the part of some candidates regarding their intended Board roles. Supervisors stressed that, in reviewing applicants, they do not expect every director to have advanced risk measurement and management skills, etc., and instead are expecting to see that prospective Board members would offer sound judgment and, collectively, a wide range of experiences and fields of expertise for a firm to draw on for guidance. |
| Additional criteria | |
| AC1 | Laws, regulations, or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. |
| Description and findings re AC1 | As noted earlier, both the PRA and FCA require firms to report to them on any matters that reasonably each would expect to learn about from firms through the PRA’s Fundamental Rules and the FCA’s Principles for Business for supervised firms. SUP 10B.12.18 R states that if a firm becomes aware of information that would reasonably be material to the assessment of a PRA approved person’s, or a PRA candidate’s fitness and propriety, it must inform the PRA by fax or e-mail, as soon as practicable. Under SUP 10B.13, firms are required to inform the PRA of any material information regarding an approved person as soon as reasonably practical. This includes fitness and propriety. The failure to disclose relevant information to the PRA may be a criminal offence under S398 of FSMA 2000. For the FCA, under SUP 10A.14.17R, a firm is required to notify the regulator as soon as practicable if it becomes aware of information which would reasonably be material to the assessment of that individual’s fitness and propriety. |
| Assessment of Principle 14 | Largely Compliant |
| Comments | Since the prior FSAP (2013), the Basel Committee has added corporate governance to its CP given renewed attention on governance failures and broader interest among supervisors and public authorities in promoting sound corporate cultures within firms. Assessors view the existing approach to supervising corporate culture in the United Kingdom as already meeting some of the newly articulated expectations, meriting an assessment of “largely compliant.” Still, as outlined below, weaknesses remain today. Nonetheless, ongoing discussions in the United Kingdom regarding methods for strengthening supervisors’ ability to oversee and promote better corporate governance in firms are promising. Discussions on ways to strengthen corporate governance, and within that broad concept, ethical behavior and corporate cultures, are of course taking place in major financial centers worldwide. The special attention observed in the United Kingdom may reflect the prominent conduct-related scandals that have come to light recently in the London market. As one senior U.K. supervisor put it in October 2014, “we are in many ways in the second phase of the financial crisis, and this phase has at its root conduct of business, towards customers, in financial markets, and in areas of public policy such as financial sanctions and AML. At its most serious, this confluence of conduct risk can threaten the safety and soundness of firms.”66 Much of the discussion with supervisors during the current FSAP focused on problems that had emerged under the APR, still in force at the time of the assessment. While supervisors noted that their involvement in interviewing and approving candidates for key roles in firms did seem to improve the quality of the candidates that firms put forward; in retrospect it became apparent to supervisors that the existing regime had been applied inconsistently to senior managers in banks. For example, while the role of director was a specific controlled function, the role of the Chairman was not. This meant that a director joining a Board would have his/her fitness and propriety assessed by supervisors but if the same director was duly appointed Chairman of the same firm’s Board, he/she would not subsequently have his/her fitness and propriety reassessed prior to performing that pivotal role. The process allowed an individual to be evaluated once for fitness and propriety under the regime, but the person would not be subject to another evaluation under the regime as the role evolved (supervisors indicated that they have other tools available, as discussed below). The SMR is intended to address these issues. Roles and responsibilities will be clearly assigned and a new approval is required for any move into a key role, such as Chairman or the Chair of a key Board committee. These and other criticisms became more apparent in recent years; the PCBS, which was established in August 2012 as a direct response to the LIBOR scandal that had emerged two months earlier, criticized the existing regime, noting in a report in June 2013 that, “As the primary framework for regulators to engage with individual bankers, the APR is a complex and confused mess.” Beyond the APR, U.K. supervisors have undertaken a series of corporate governance review practices that assess the structure of governance arrangements and the quality and effectiveness of policies and procedures through full reviews, “light reviews,” and case studies of particular issues in firms. Based on supervisors’ comments, these reviews appear to be grounded heavily in interviewing Board members, the CEO, committee chairs, external auditors, and others. Supervisors may also observe Board meetings to understand the dynamics of Board discussions. From reviewing examples of the PRA’s corporate governance reviews, assessors determined as well that supervisors reviewed materials and reports provided to directors. Assessors also saw examples of written communications to firms’ Boards identifying observations about weaknesses in governance, though not all of the reports to which they had access included specific recommendations to Boards and instead invited dialogue on the issues. Supervisors indicated that they sought to apply “soft power” through such dialogue in encouraging firms to strengthen their controls and governance rather than in mandating particular actions. Supervisors did share examples of situations in which corporate governance reviews have led to changes in roles for individuals, in oversight mechanisms, and through other means. At present, such reviews seem to be limited to the most systemically important firms (Category 1); supervisors should consider expanding these reviews to other firms as well. Following the PCBS in 2013, the PRA and FCA developed and consulted on rules for the SMR, which replaced the APR in March 2016. Alongside this, guidance and training for supervisors following a policy decision made by the PRA Board has been developed. These two developments hold promise for much improved supervision on governance by the PRA and the FCA. As supervisors have articulated, the SMR is designed to strengthen individual accountability in the banking sector. One important way that this is achieved is by requiring each Senior Manager to have a Statement of Responsibilities, setting out clearly what he or she is responsible for, including a large number of prescribed responsibilities and stating all other responsibilities for the functions and business activities of the firm. Supervisors will continue to have an opportunity to conduct interviews of candidates for roles covered by the SMR, with PRA and FCA conducting such interviews jointly; a difference from the existing approach is that supervisors now have the power to impose binding, formal, and enforceable conditions and time limits on the approvals of individuals covered by the SMR, both at the initial approval stage and subsequently through a variation of approval. As with the APR, supervisors will be able to intervene after the interview and it is seen that SMR will enable this to be done more effectively thanks to the new powers of conditional approval. Firms, for their part, will have a legal obligation to assess the fitness and propriety of senior managers subject to this process before applying for approval and at least annually thereafter. The SMR seeks to focus accountability at the top levels of decision-making within organizations, which should lead to fewer individuals being subject to preapproval than under the predecessor regime. However, the precise number of individuals in scope of the SMR is expected to vary depending on the size, nature, scope, organizational structure, and complexity of the institution itself. Overall, the authorities’ efforts appear focused on attaching more clearly personal responsibility to individuals in key roles in firms and giving supervisors stronger tools—and potentially clearer expectations—for intervening earlier when weaknesses emerge in corporate governance. As the SMR was not yet in force at the time of the assessment, its effectiveness could of course not be evaluated during the current FSAP; it appears to address some of the concerns supervisors and others had shared about the existing APR. Given recent concerns about the prevalence of conduct issues and weak risk cultures in firms, both prior to the financial crisis and more recently after it, the assessment of “largely compliant” reflects the fact that the authorities have taken notice of weaknesses in firms’ controls and governance, and that work remains to continue to develop the tools necessary to support this work. First, weaknesses in the existing APR regime have not consistently supported the outcomes that supervisors sought; the new SMR regime is promising, but was not in force yet at the time of the assessment. Second, supervisors have been conducting reviews of corporate governance, and it should be noted that some reviews have resulted in changes in firms’ governance arrangements. Still, as this work appears to remain focused especially on the most systemically important firms (Category 1), with some work taking place in the next set of large banks, the authorities should ensure that corporate governance is appropriately considered in supervisory work beyond the largest firms. The effectiveness of these forthcoming revisions to U.K. supervisory practices will be ascertained in future assessments. |
| Principle 15 | Risk management process. The supervisor determines that banks67 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report, and control or mitigate68 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.69 |
| Essential criteria | |
| EC 1 | The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:
|
| Description and findings re EC 1 | Art. 74 of CRD establishes the legal basis requiring banks to have in place robust governance arrangements which include a clear organizational structure with well defined, transparent and consistent lines of responsibility to identify, manage, monitor, and report risks they are exposed to. The risk-management processes and mechanisms are to be proportionate to the nature, scale, and complexity of risks inherent in the business model and the institution’s activities. Arts. 97 and 98 provide the basis for the supervisory review and examination of a bank’s risk-management processes (SREP). Relevant EBA guidelines include:
The EBA guidelines on internal governance contain detailed expectations about banks’ risk management, including:
The SREP guidelines emphasize the need for involvement of the managing body (Board) and senior management, and detail a framework for the supervisor to engage and review the role of the Board and senior management proportionate with its size, scale, complexity, and risk profile. They contain detailed instructions for the supervisory review and assessment of internal governance and institution-wide controls, including:
The PRA’s Fundamental Rule 5 requires a firm to have effective risk strategies and risk-management systems. Fundamental Rule 6 requires a firm to organize and controls its affairs responsibly and effectively. In the PRA approach document,70 the PRA sets out its expectations for risk-management strategies within firms. It states that the responsibility of each firm’s Board and management is to manage the firm prudently, consistent with its safety and soundness, thereby contributing to the continued stability of the financial system. The PRA expects firms to have a culture that supports their prudent management. The Board and management of a firm should establish, embed and maintain the principle of safety and soundness in the culture of the whole organization. In its “approach to banking supervision document,” the PRA expects firms to have in place sufficient controls to minimize incentives for excessive risk-taking by management and staff by having in place clear structures of accountability and delegation of responsibilities. The PRA, also, expects a firm’s control framework to be comprehensive in its coverage of the whole firm and all classes of risk, commensurate with the nature, scale, and complexity of the firm’s business, and to deliver a properly controlled operating environment. Key to this is that firms have an effective three lines of defense operating model. The PRA expects firms to articulate for themselves the amount of risk they are willing to take across different business lines to achieve their strategic objectives. Firms are required to have an ICAAP in place, accompanied by a robust risk-management framework and its effective and consistent implementation throughout the organization. Ongoing reforms The PRA is currently consulting on guidance covering strategy and culture setting and risk appetite and risk-management in the form of a SS, consulted on in consultation paper (CP) 18/15 on Board responsibilities. The PRA proposals set out that all firms should evidence that the Board has established, and takes decisions consistent with, a sustainable business model and manages the firm to a clear and prudent strategy and risk appetite, ensuring that the firm meets its regulatory obligations. The PRA will also expect the Board to articulate and maintain a culture of risk awareness and ethical behavior for the entire organization to follow in pursuit of its business goals. The PRA expects the culture to be embedded with the use of appropriate incentives. The business strategy of firms should be supported by a well-articulated and measurable statement of risk appetite (expressed in terms that can be readily understood by employees throughout the business), which is clearly owned by the Board, integral to the strategy the Board has signed off, and actively used to monitor and control actual and prospective risks and to inform key business decisions. The PRA expects to see evidence of this active oversight of risks according to the risk appetite. The risk control framework should flow from the Board’s risk appetite. Supervision The PRA weights its supervision towards those issues and those firms that, in its judgment, pose the greatest risk to the stability of the U.K. financial system. The frequency and intensity of the supervision experienced by firms thus increases in line with the risks they pose. Along these lines, the PRA regularly assesses the significance of a firm to the stability of the U.K. financial system. This ‘potential impact’ reflects a firm’s potential to affect adversely the stability of the system by failing, by coming under stress, or by the way in which it carries on its business. The PRA categorizes firms in 5 categories based on their size, interconnectedness, complexity and business type and their capacity to cause disruption to the U.K. financial system. Please see BCP 8 and BCP 9 for a thorough description of this. Major U.K. and international firms (Category 1 firms) Supervision forms a judgment on whether Category 1 firms have appropriate risk-management strategies approved by Boards and that the Boards set a suitable risk appetite (details of how supervision forms these judgments are set out below). Supervision takes a forward-looking risk based approach, focusing on the key risks of the particular firm; supervision, reviews the role of a firm’s Board in the setting of risk appetite, the challenge put forward by the Board (or delegated Board Risk Committee) and the ability of the Board to opine on the appropriateness of the risk appetite in light of the firm’s strategy, capital and liquidity resources, and risk control framework. Supervision will review the membership of the Board and Board Risk Committee to ensure it has the skills and experience to challenge senior management on the risk appetite and risk culture of the firm. How does supervision form these judgments? As part of the judgment process, supervision analyzes firms’ MI, regulatory returns, and external information (e.g., analyst reports). Supervision takes into account in its judgment processes tools such as peer reviews, meetings with other regulators (e.g., through the regulatory colleges), meetings with internal and external auditors, and deep-dive reviews (e.g., AQRs) on a risk-based approach carried out by the PRA’s SRS (details of these deep-dive reviews are set out below). Additionally, firms are also subject to an enterprise wide risk-management review (EWMR) (details are set out below). CA meetings The key tool used by supervision to gather information and challenge the risk-management of a firm is through a series of meetings, known as “CA” meetings. During the CA meetings the firms’ risk-management is challenged by supervision on its risk-management framework and controls, its risk exposures, its risk appetite and linkages to risk limits, the independence of the risk function, the soundness of the firms’ risk culture, the measurement of risk, and the mitigation of risk. Via the CA process supervision assesses a firms’ risk management, including the interaction between the bank’s Board and risk function. The CA meetings are carried out with a variety of risk managers, across business lines and risk types (e.g., credit risk, market risk, operational risk, etc.), on a schedule proportional to the size, scale, and complexity of the firm (e.g., monthly market risk meetings for the largest firms, quarterly meetings with group chief review officers (CRO), etc.). Furthermore, supervisory specialists carry out quarterly visits to review and assess firms’ traded risk-management controls/frameworks, alternating between focusing on counterparty credit risk and market risk. This facilitates ongoing monitoring of firms’ risk-management culture, risk strategies, and risk appetite, and is also a channel for more focused risk-management reviews. For example, market risk appetite and limit frameworks were a focus topic of a recent semiannual review round. Supervision has an annual PSM, during which the risk-management of the major U.K. firms is considered in depth by senior PRA personnel, concerns are highlighted and supervisory strategy to remedy any deficiencies is discussed and agreed upon. At the PSM the CA meetings schedule is discussed and approved for the coming year. Supervision also has an annual “head of department (HoD)” review six months after the PSM to review progress in relation to the recommendations made in the PSM. The major U.K. banks’ risk-management strategies are discussed in detail again during this HoD review, and the supervisory strategy is revisited to ensure progress is being made to ensure Category 1 firms have a robust risk-management framework commensurate with their importance and complexity. Management information Alongside the CA meetings, supervisors receive from firms a range of MI on risk management. This MI generally takes the form of internal risk committee packs, used by the firms at their regular risk-management committees (e.g., the Board risk committee pack, the market and traded risk committee pack, operational risk committee pack, etc.). The amount of MI received is dependent on the size and complexity on the firm. For example, for the large, multinational firms, risk-management MI packs are received from the regional risk-management committees. For smaller firms, less MI is received and supervisors review regulatory return data and use peer comparisons to identify outliers. Supervision uses this information to form a view on the ongoing issues being faced by the firm, to assess the level of risk being run by the firms (e.g., new material transactions and existing exposures), to assess on a regular basis the firms’ risk appetite statements and risk appetite metrics, limit excesses and actions taken by the firm, key issues discussed at the risk-management committees by the firms’ executive and nonexecutives, and key projects being undertaken by the firm. Supervision uses the CA meetings to ensure the firms’ three lines of defense (front office, risk-management, and internal audit) are taking the steps necessary to monitor and control material risks and that the risk-taking is consistent with the approved strategies and risk appetite. Supervision also uses regulatory reports to analyze and identify key risk metrics of the supervised firms and uses this information for trend analysis and to form a view on emerging risks. Deep-dive reviews with SRS For key risks or material portfolios in high-impact firms (e.g., commercial real estate in the U.K.), supervision undertakes a deep-dive review of the firm in collaboration with technical specialists from the SRS unit. The trigger for carrying out a deep-dive review is risk-based; for example, if the major U.K. firm has a concentrated exposure to a particular portfolio, or has suffered significant losses from a portfolio, then supervision carries out a deep-dive review (e.g., an AQR, model reviews, internal ratings based approaches (IRB), governance reviews, etc.). The deep-dive involves a careful scoping of the review to ensure the key risks and issues are addressed, a full MI request and onsite meetings with the firms. Where appropriate, individual loan files are reviewed to test the quality of the underwriting and risk assessment ability of the firm. The information is analyzed by supervision and SRS, with comprehensive reports written; these reports are challenged via internal “challenge panels” whose members are other SRS staff and supervision, to ensure the conclusions and recommendations are robust. Based on the review, a letter is sent to the firm outlining the actions the firm must take to ensure compliance with the PRA’s requirements. EWRM reviews Risk-management reviews comprise a number of different elements. These include specialist technical reviews (credit, market, operational, etc.) and also an overall EWRM review. The purpose of a EWRM review is to consider and assess the overall risk framework within an organization from a top-down and bottom-up perspective. It includes, but is not limited to, the Board’s setting of strategy and risk appetite, the cascade down and embedding into the business, the associated policies, procedures, governance arrangements and reporting and escalation. It also considers the skills, experience, resources and effectiveness of the CRO and EWRM function. EWRM reviews form part of the CA program of supervision. The approach adopted is proportionate; the size and complexity of the firm in question and the nature of the firm-specific risks influence the frequency and nature of risk reviews undertaken by supervisors. For the largest Category 1 U.K. banks, the CA program requires a review normally to be undertaken once every 2–3 years. The review might comprise a full review or a series of smaller reviews, sometimes linked to technical credit, market or operational risks, or the use of relevant case studies. Reviews are undertaken by specialist staff working together with supervisors. For smaller firms, the reviews are linked to the program of CA, and are commissioned on a risk based basis. On occasion, the review work is undertaken by third-party skilled persons using the powers granted under S166. This is often the case when specific issues have arisen. The assessors were provided the EWRM review of the U.K. subsidiary of an overseas bank, analyzing elements of the firm’s overall risk-management framework like its culture, risk appetite, lines of defense, the link to remuneration, and its incentive structure. They examined also the relative follow-up (supervisory letter). Supervision’s assessment of risk management for Category 1 firms Throughout the process described above, supervision makes judgments on risk-appetite setting processes, the interaction between the firms’ risk appetite and the firms’ business strategy, and the calibration of the risk appetite against the firms’ capital resources and risk control framework. The firms’ stress testing processes and outputs are reviewed and considered in light of the risk- appetite statement and risk strategy. Additionally, supervision reviews the level of challenge the risk appetite statement received from the Board/Board risk committee. Supervision also reviews how the risk appetite statement translates into granular limits and lower-level risk-appetite statements (e.g., for larger, complex firms, Supervision expects to see risk appetite statements set at the legal entity/subsidiary and/or business-line level). Supervision assesses the firms’ risk culture on a continuous basis, across all types of risk (e.g., credit, market, operational, legal, reputational, etc.) and across the firms’ business lines. The risk-culture tone set by the Board and senior executives is analyzed and, if necessary, feedback is given to the firm, which the risk culture does not meet the PRA’s expectations. Category 2–4 banks and building societies As for Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms (including banks and building societies) on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk-impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy, and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes a detailed review of the firms risk appetite and capabilities in the context of their ICAAPs and internal liquidity adequacy assessment process (ILAAPs), based on interviews with key personnel (executives, risk managers, and nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of U.K. Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite and how effective the risk control systems are in practice. The evidence for supervisory judgment comes from a combination of the outcomes from interviews, review of relevant policy documents, analysis of regulatory returns data (to identify outlier behavior and trends, including in comparison with peers), review of MI provided to the Board, and relevant committees, discussions with internal and external auditors and, if deemed necessary from a supervisory risk appetite basis, the outcome of specialist reviews—either using PRA SRS resource or through commission of skilled persons reviews (under S166 of FSMA). The results of these reviews in terms of supervisory judgments on risk appetite and capabilities are presented to a PSM for each firm, at which ICG and/or individual liquidity guidance (ILG) is set and key issues are agreed for feedback to the relevant firm—typically such feedback includes both observations and a set of specific actions expected (e.g., set/amend risk appetite limits, improve quality or quantity of risk management, amend risk-management structure, etc.)—with dates by which these should be achieved. The PSM process allows for independent review of supervisory judgments in order to achieve both consistency and a sense check on whether judgment has been correctly exercised. The CA program reviews and onsite work that will be undertaken by the supervisory team are also agreed at the firm’s PSM. The outcome of the PSM, and the work undertaken by both firms and supervisors is subject to interim review six months later by the relevant HoD, or, for Category 3 and 4 firms, by an independent manager: this independent review checks progress against the stated requirements set out in the post-PSM letter to the firm, and also assesses plans for future work to be carried out in the period up to the next PSM. The intensity of the risk review process is risk-based: typically there are more meetings held with Category 2 firms and available SRS resources are concentrated on those firms with the highest potential impact on regulatory objectives. However, Category 3 and 4 firms that display poor risk-management attributes and which are judged to be more at risk of failure (PIF 3 and higher) are allocated proportionately more supervisory resources in order to understand better the extent of the risks being run and the potential outcome of failure.71 In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality, and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,72 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. Building societies are expected to inform supervisors before implementing any change of approach or agreeing internal limits that are significantly more risk-taking than those set out as expectations in SS 20/15. The PRA is currently undertaking a review of SS20/15 that is expected to result in the provision of more clarity on risk appetite and risk-management expectations applying to different levels of approach. As a result of much greater emphasis by the PRA conducting targeted EWRM reviews, examination via interviews have focused on independent NEDs (iNEDs) to ascertain if they can meaningfully articulate:
The PRA also looks closely at the quality and competence of the CRO and the risk function, including their resources and scope. FCA has responsibility for the supervision of banks on conduct matters. Although conduct risk is not a risk that can be easily quantified, the FCA is concerned to ensure that banks pay appropriate attention to conduct-related risks, both through actions taken to set the ‘tone from the top’ and create a bank’s culture and as appropriate through more formalized risk-management frameworks. The FCA seeks through its work on larger banks, which are supervised on an individual basis to understand how this is achieved. This insight is typically obtained through direct liaison with key Board members and the senior executives; through detailed reviews; through reviewing the papers produced for Board and other key committees; and through observation of conduct-related ‘incidents’ and how these are handled. The assessors reviewed the notes of meetings with the Board of an overseas bank on issues elating to model deficiencies. |
| EC 2 | The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:
|
| Description and findings re EC 2 | The PRA Rulebook requires firms’ management bodies to approve and periodically review the strategies and policies for taking up, managing, monitoring, and mitigating the risks the firm is, or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle (Art. 2.3 of the risk control section, which implements Art. 76(1) of CRD). In its “approach to banking supervision” document, the PRA expects:
Supervision Major U.K. and international firms (Category 1 firms) Supervisors of major U.K. firms assess the comprehensiveness of firms’ views across all risk types on a forward looking and judgment based approach. In addition to CA meeting of each material risk type, supervisors of major U.K. banks also have regular (e.g., quarterly) meetings with the firms’ group CRO to assess the enterprise wide risk-management and aggregate risk profile of the bank. These meetings with group CROs, reviewing the risk control framework of the whole banking group, allow supervisors to form a judgment on the comprehensiveness of the risk framework of the firm. Supervision assesses the firms’ risk-management controls and processes on a continuous basis, via CA meetings, deep-dive reviews, thematic reviews across the major U.K. firms, and the review of the MI received from firms. Deep-dive reviews are triggered by supervision having a concern about a material element of a firm’s risk-management function or the asset quality of a particular portfolio. These risks can be identified during CA meetings, review of firm’s MI (e.g., rapid growth in a loan portfolio in a higher risk area, such as commercial real estate, review of regulatory returns, or via cross-firm comparisons and thematic reviews. These reviews are normally carried out jointly by supervision and SRS, in order to use the risk expertise of the SRS staff and to get a cross-firm perspective. During deep-dive reviews supervision reviews a major U.K. firms’ policies and procedures (e.g., credit risk policies) to ensure they are fit-for-purposes and appropriately prudent (e.g., parental support frameworks in assigning internal credit ratings). Supervision tests the outcomes of the firms’ use of the policies and processes via reviews of the risks being taken by the firms. For example in retail credit, supervision will review the asset quality of the retail exposures for mortgages by looking at the firms loan-to-value profile, vintage analysis of performance, scorecard outputs, and collections data. Supervision looks across the firms’ risk types, focusing on the material risks for the particular firm, based on factors such as size of the portfolio vis-à-vis the capital size of the major U.K. firm, losses generated by the portfolio, thematic concerns raised across U.K. firms by other parts of the BoE or risks specifically raised by the firm as top or emerging risks. As part of the PSM, the systemic importance of the bank is discussed (e.g., confirming the firm’s status as a Category 1 firm) and the firm’s impact of proximity to failure of the firm on the wider U.K. financial system is considered (i.e., “PIF” score). The macroeconomic environment is of critical importance and supervision takes this into account when assessing the firms’ risk profile and risk appetite. Supervision reviews how the firm takes the macroeconomic environment into account via the setting of risk appetite, the setting of risk limits, and the hedging of risk. Supervision forms a judgment on how the firm takes the macroeconomic environment into its risk decision making and risk appetite setting by assessing factors such as how their stress testing output feed into risk limit setting. Supervision also has discussions with risk managers on their views of the economy and how those views feed into changes in risk limits. Supervision takes into account the firm’s strategy and its business model (through business model analysis) and the firm’s operating environment when assessing the risk profile of the firm. This process of assessing how the major U.K. firm takes the macroeconomic environment into account in its risk decision making happens frequently via the CA meeting process; “update on the top and emerging risks” is a typical agenda item in the meeting with CROs. In periods of market dislocation, supervision increases contact with the relevant risk-management staff at the firm to understand the firms’ exposure to the issue (e.g., Russian exposure taken by U.K. banks or U.K. subsidiaries of overseas banks; Greek exposure taken by these institutions) and what steps the firms are taking to mitigate risks and exposures. The firms’ crisis management processes are reviewed by supervision on a regular basis to ensure they are fit-for-purpose. In addition to the above, the supervisors of major U.K. firms review the firm’s internal stress testing processes and outputs, and the BOE annual stress testing outputs, when assessing a firms’ risk appetite. During the monthly market risk meetings, the firm’s market risk stress outputs are reviewed in depth with the firm’s market risk managers and the outputs are discussed in relation to the firm’s current exposures, risk limits and risk appetite. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15, 73 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to have internal policies for lending and treasury (liquidity, funding, counterparty risk, and financial risk) that express the Board’s risk appetite. Building societies are also expected to have in place the risk-management capabilities to operate to their chosen risk appetite, and Boards should receive MI that allows monitoring of how the risk appetite operates in practice. Policy statements and Board papers are reviewed by supervisors, and by relevant technical specialists, as part of the biennial review process (capital and treasury in alternate years). A similar approach applies to Category 2–4 banks, although specific supervisory expectations are not applied in the same way as for building societies (the business models of banks are more heterogeneous than those of building societies, so setting specific expectations is not possible—they need to be tailored to each bank). However, all Category 2–4 banks are expected to have internal policy statements that are in line with Board risk appetite and are agreed at appropriate levels (Board itself, or relevant Board committee): these are reviewed by supervisors and technical specialists on authorization and as part of the annual review process, with expectations for improvements discussed and communicated to banks via the PRA’s PSM process. Although conduct-related risks cannot be easily quantified, the FCA expects banks to have metrics in place for those aspects of conduct that can be quantified, together with other relevant indicators, so that management can gain meaningful insight into the nature and extent of conduct-related risks across the group. This information should be tailored so that an appropriate level of insight can be provided at all levels within the group, including at Board level. It should be sufficient to enable management and the Board to take decisions and act where necessary. The FCA expects management and the Board to understand the implications and limitations of such information. The FCA expects banks to implement policies and procedures to manage conduct risks identified within the business. Furthermore, the FCA expects Boards to understand the interplay between financial performance risk and conduct risk. |
| EC 3 | The supervisor determines that risk management strategies, policies, processes and limits are:
The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. |
| Description and findings re EC 3 | The PRA Rulebook requires that the management body of a firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to (Art. 2.3 of the risk control section, implementing Art. 76(1) of CRD). The PRA, as set out in its “approach to banking supervision document,” expects firms to have available the information needed to support their control frameworks. This information should be of an appropriate quality, integrity and completeness, to provide a reliable basis for making decisions and so to control the business within agreed tolerances. Guidance in the “approach to banking supervision document” states that an effective risk-management function ensures that material risk issues receive sufficient attention from the firm’s senior management and Board. Whenever there is a material change to the business model or in the products offered by the firms, the Board needs to take them into account and adjust its risk appetite and strategy accordingly. Supervision Major U.K. and international firms (Category 1 firms) As outlined above under EC 1 and EC 2, supervisors of major U.K. banks have an ongoing CA meetings cycle for major firms. Supervision regularly reviews the firms’ risk MI (e.g., risk committee packs) and has regular discussions on the firms’ limits, policies, and processes. For example, supervision through its CA meetings asks the firm if its risk profile or limits have changed, and reviews the firms’ risk appetite statement and current position against that risk appetite. The frequency of these meetings and discussions vary from monthly to quarterly to annually, depending on the firm and the assessment of the risk as determined by the judgment of supervision. SRS, as well as participating in these CA meetings, conduct quarterly and half-yearly reviews of risk-management frameworks in the major firms that have advanced model permissions. If there is a sudden or severe deterioration in market conditions, supervision communicates with the firm immediately. Supervision asks the firm how it is reacting to the market conditions; what the firms’ exposure is to the risks, and how the firm is mitigating its risks. For example, supervision asks the firm if it has cancelled credit limits, put “halt notices” in place, or taken out hedging positions in a crisis type situation. This is a way for supervision to test that the firm’s policies and processes are appropriate to changing market conditions and changing risk appetites given macroeconomic conditions. To assess communication within the firm, supervision analyzes this in various ways. If a new risk framework is being rolled out (e.g., a new operational risk framework), supervision asks the firm about its communication strategy and for details on the training program to embed the changes of the new framework. During the deep-dive reviews, supervision and SRS staff often have meetings with both senior and junior staff to ask about how policies and procedures are actually carried out at the firm. Additionally, supervision looks at the firms’ internal policy manuals and risk committee packs to analyze how risk processes are communicated across the firm. This is generally carried out on a risk based approach, with supervision focusing on the larger firms or current risk issues. major U.K. firm supervisors do not review firms policies on a set timetable, rather, the review of policies is driven by a risk-based approach where supervision determine there is an issue with a material risk area of the firm (e.g., if the operational risk framework is weak, as demonstrated by increasing operation losses, supervision will review the firm’s operation risk policies and processes). Supervision asks about deviations from a firms’ stated policy or risk appetite and how these are authorized. The review of these deviations could be triggered by increasing risk exposure, increasing loan impairment charges arising from a particular portfolio or picked up by the firm’s internal audit function. For example, for exceptions to a firms’ credit risk policy, supervision expects this to be approved at the appropriate level (e.g., via a group risk level or regional risk level). For exceptions to policies around issues such as single name concentration, supervision checks that this has gone through the appropriate governance challenges (e.g., Board risk committee approval if the limits are large vis-à-vis the firms’ resources). Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15, which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to have internal policies for lending and treasury (liquidity, funding, counterparty risk, and financial risk) that express the Board’s risk appetite. Societies are also expected to have in place the risk-management capabilities to operate to their chosen risk appetite, and Boards should receive MI that allows monitoring of how the risk appetite operates in practice. Policy statements and Board papers are reviewed by supervisors, and by relevant technical specialists, as part of the biennial review process (capital and treasury in alternate years). A similar approach applies to Category 2–4 banks, although specific supervisory expectations are not applied in the same way as for building societies (the business models of banks are more heterogeneous than those of building societies, so setting specific expectations is not possible—they need to be tailored to each bank). However, all Category 2–4 banks are expected to have internal policy statements that are in line with Board risk appetite and are agreed at appropriate levels (Board itself, or relevant Board committee): these are reviewed by supervisors and technical specialists on authorization and as part of the annual review process, with expectations for improvements discussed and communicated to banks via the PRA’s PSM process. |
| EC 4 | The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk MI that they receive. |
| Description and findings re EC 4 | The PRA Rulebook places ultimate responsibility for risk-management on firms’ management bodies. The management body must be actively involved in and ensure that adequate resources are allocated to the management of all material risks (Rule 2.7 in the section on risk control, implementing Art. 76(2) of CRD). It also requires firms to ensure that the management body in its supervisory function and the risk committee, where a risk committee has been established, have adequate access to information on the risk profile of the firm and, if necessary and appropriate, to the risk-management function and to external expert advice; the management in its supervisory function and the risk committee, where a risk committee has been established, must determine the nature, amount, format, and frequency of the information on risk which they are to receive (Rule 3.2 in the section on risk control, implementing Art. 76(4) of CRD). The PRA, as set out in its “approach to banking supervision document,” expects firms to have available the information needed to support their control frameworks. The information should be of an appropriate quality, integrity, and completeness, to provide a reliable basis for making decisions. Senior management is expected to have a clear understanding of the risks that are not adequately captured by internal models used. Senior management is also expected to understand the limitations of the internal models used. Ongoing reforms Further guidance regarding collective responsibilities of the Board and setting out the regulators expectations was provided through consultation paper (CP) 18/15 on Board responsibilities. Supervision Major U.K. and international firms (Category 1 firms) The PRA has an ongoing CA cycle for major firms. This includes monthly meetings that involve discussion of key exposures with management, and semiannual visits to review and assess firms’ traded risk-management controls/frameworks. As part of the CA cycle, the PRA also receives and reviews firms’ MI, which is often used as a basis of challenge and questioning during CA meetings with firms. As part of the governance reviews, the PRA determines whether the quality of data provided to the Board is sufficient to enable management to accurately aggregate, understand, and measure risks. This assessment includes the covering format, timing, and description of information flow of protocols regarding Board papers. Please see the response to EC 1 for more detail on EWRM reviews. Supervision determines whether the firm’s Board and senior management receive sufficient information to assess the risks being undertaken by the firm by receiving, on a regular basis, the same risk packs internally produced by the firm for senior management. For example, supervision teams of large firms receive monthly risk management committee packs and the Board risk committee packs. Supervision assesses the quality and depth of this MI and forms a view on whether the key risk issues, the firm’s risk profile and exposures, and top and emerging risks are appropriately captured in the risk reports. Liquidity is closely monitored by Supervision via regularly received returns; growth in assets vis-à-vis funding of those assets is reviewed. For large firms, Supervision assesses whether the granularity of information up to the higher level risk committees is appropriate. If too much information is being provided, this can lead to a dilution effect with the key issues not being given the appropriate level of review. If too little information is provided, then informed decision making cannot take place. If the level of MI is inadequate, this is fed back to the firm. The assessment of the quality of internal MI is also reviewed in deep-dive reviews. During these reviews, a significant quantity of firm MI is requested, at varying levels of the firm. This allows SRS and supervision to track issues through the various internal risk committees, to test the flow of key risk issues and concerns both up and down the risk chain. If the flow of information is not fit-for-purpose across the firm, across risk types, this is fed back to the firm and improvements to intrafirm communications are required. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management processes—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. All Category 2–4 banks are subject to an annual visit and supervisory assessment (SREP, L-SREP) that is considered in a PSM. As part of the visit preparation, supervisors request a copy of the most recent Board pack (and frequently also the packs for relevant Board subcommittees, such as ALCO and Risk and Audit). Supervisors and technical specialists review these packs to establish the type and level of MI being provided to Board members, and use the outcome of this review work to probe understanding and risk-management in meetings with management, Board members and (on a biennial basis) with the whole Board. In particular, supervisors meet with NEDs either individually or as a group to evaluate their approach to Board information and the extent to which they are able to monitor and control the business on the basis of the information provided. Shortfalls in capability are discussed and reviewed through the PRA’s PSM process, and fed back to firms (with expected actions) by way of the post-PSM letter. Any actions are time bound and followed-up by supervisors, with reviews of progress undertaken at the 6 month mid-point between PSMs. |
| EC 5 | The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. |
| Description and findings re EC 5 | BIPRU 12.2.1R74 Part of the PRA Rulebook requires a firm, at all times, to maintain liquidity resources which are adequate, both as to amount and quality, to ensure that there is no significant risk that its liabilities cannot be met as they fall due. In complying with Art. 86 of CRD, the PRA requires that firms must have in place robust strategies, policies, processes and systems that enable it to identify measure, manage and monitor liquidity risk over an appropriate set of time horizons. These strategies, policies, processes and systems must be proportionate to the complexity, risk profile and scope of the operation of the firm, and the liquidity risk tolerance set by the firm’s governing body. The ‘Threshold Condition’ 5D,75 business to be conducted in a prudent manner, requires firms to have an appropriate amount and quality of capital and liquidity and have appropriate resources to measure, monitor, and manage risk. BIPRU 2.2.4G76 states that the adequacy of a firm’s capital needs to be assessed both by the firm and the appropriate regulator. This process involves an ICAAP, which a firm is obliged to carry out in accordance with the ICAAP rules, and a SREP. As set out in the “approach to banking supervision document,” the PRA expects firms in the first instance to take responsibility for ensuring that the capital they have is adequate. The PRA itself forms judgments about how much capital individual firms need to maintain and the PRA’s judgments should inform firms’ own assessments. Firms should engage honestly and prudently in the process of assessing capital adequacy, and not rely on regulatory minima when these are inappropriate for the risks to which they are exposed. Where the PRA judges the conservatism applied in internal models not to be sufficient, it takes appropriate action to address the situation, which include requiring methodological adjustments or recalibration, setting capital floors or imposing adjustments to modeled capital requirements. Supervision Major U.K. and international firms (Category 1 firms) Supervision regularly reviews the firms’ ICAAPs and the PRA undertakes a SREP process to assess whether the level of risk being taken is commensurate with the firm’s capital resources. The cycle of SREPs is risk-based, with larger and/or riskier firms subject to more regular review. The SREP process is comprehensive and involves both supervision and risk specialists from the SRS unit. Where appropriate, peer comparisons are made across firms to assess risk appetites and risk profiles of firms. For example, a cross-firm view is taken of U.K. firms’ concentration risks to sector, single names and geography and a cross-firm view is taken of international firms’ exposure to important market risk events. Supervision regularly evaluates the levels of capital vis-à-vis risk exposure of firms. Supervision assesses how the firms internally ensure they remain within their stated risk appetite, via CA meetings and deep-dive reviews. For example, if a RWA limit is set for wholesale loans, supervision tests how a firm ensures it stays within that RWA limit and what are the consequences and/or processes for breaching that RWA limit. If a market risk limit is set on the basis of VaR or stress test limits, supervision reviews a firm’s reaction to breaches of that limit. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on their internal assessments of capital and liquidity adequacy (ICAAPs and ILAAPs). The core supervisory process applied to all smaller firms includes an annual visit to review, in alternate years, capital adequacy and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firms’ capital and liquidity adequacy, including understanding the background to the development of their ICAAPs and ILAAPs and an assessment of the adequacy of the internal policy limits and allocations for these. The assessment is based on interviews with key personnel (executives, risk managers, and nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The supervisory review process; specifically focuses on how the Board of the firm agrees and sets its capital and liquidity levels in line with its business strategy. The evidence for supervisory judgment comes from a combination of the outcomes from interviews, review of relevant documents (ICAAPs and ILAAPs), analysis of regulatory returns data (to identify business characteristics, including in comparison with peers), and assessment of allocations of capital/liquidity for key risk components. The results of these reviews and the report of technical specialists (if involved) are presented to a PSM for each firm, at which ICG and/or ILG is set and key issues are agreed for feedback to the relevant firm in explaining why numbers differ from the firm’s internal allocations (if they do). The post-PSM letter to the firm sets out these items and the expectation of the PRA for the firm’s next internal iteration of its planning documents. |
| EC 6 | Where banks use models to measure components of risk, the supervisor determines that:
The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. |
| Description and findings re EC 6 | The EBA Guidelines on common procedures and methodologies for SREP set out recommendations for use of internal models for specific risk categories not limited to those used for regulatory capital calculations (see relevant CPs). EBA has also produced an RTS on the conditions for assessing the materiality of extensions and changes of internal approaches for credit, market, and operational risk which is aimed at harmonizing the assessment of the materiality of extensions and changes to internal model approaches across NCAs. This RTS specifies the conditions for assessing the materiality of extensions and changes to help drive consistency and compliance with the regulations. The United Kingdom has implemented Arts. 77 and 78 of the CRD on the internal approaches for calculating own funds requirements and the supervisory benchmarking of those approaches. Under this regulatory framework the PRA requires firms to submit the results of their calculations of risk weighted exposure amounts or own fund requirements except for operational risk, together with an explanation of methodologies used to produce them, at least annually. The PRA approach document sets out the expectations of models used to measure risk. While quantitative models can play an important role in supporting firms’ risk management, the PRA expects firms to be prudent in their use of such models given the inherent difficulties with risk measurement. Models, and their output, should be subject to effective, ongoing, and independent validation to ensure that they are performing as anticipated. The PRA expects senior management to have a clear understanding of the risks that are not adequately captured by the models used, and the alternative risk-management processes in place to ensure that such risks are adequately measured and incorporated into the firm’s overall risk-management framework. Supervision For credit risk, where the firm has an IRB permission, the PRA takes a risk-based approach to oversight of firms’ capital models rather than following a standard CA program for each firm. Where the firms’ models, or a subset thereof, are deemed to represent a risk to the appropriateness of the firm’s own funds requirements (e.g., due to underestimation of RWA), analysis of model MI are undertaken, including an assessment of the limitations of the model and if appropriate, the adjustments made by the firm to take into account those limitations (e.g., additional buffers added on). Senior management’s understanding of the model is in this instance assessed through minutes of the committee(s) responsible for reviewing its performance. PRA risk specialist expertise is leveraged if necessary. For traded risk, where a firm has an IMA market risk permission or an internal model method (IMM) counterparty credit risk permission, the firm is subject to a semiannual review of each of these models by relevant risk specialists, owing to the closer relationship between capital and risk decision models than is the case in the credit risk (IRB) regime. Deep-dive reviews are initiated if there are serious concerns around the performance of a model, or by thematic concerns around certain models not accurately measuring risk (e.g., income-producing real estate models prior to the PRA moving firms onto the slotting approach, and wholesale loss-given default (LGD) and exposure at default (EAD) models, for which a framework has been developed to ensure that estimates are underpinned by sufficient historical recovery experience). If necessary, the PRA commissions a SPR to evaluate aspects of a firm’s rating system. The PRA’s SSs for credit, traded and operational risk internal model regimes (SS11/13–14/13) set out the expectation that on an annual basis a person in a SIF attests to the compliance of the firm’s rating systems and/or that where there is material non-compliance, a credible plan is in place for remediation. This provides a degree of assurance on any models—or other aspects of firms’ rating systems—that are not directly reviewed by the PRA. The PRA fully participates in the EBA’s annual benchmarking exercise for credit and traded risk model regimes, under CRD Art. 78, and has a permanent member on the EBA’s task force for supervisory benchmarking. |
| EC 7 | The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products, and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. |
| Description and findings re EC 7 | The EBA guidelines on internal governance set the expectations for an institution to have an effective and reliable information and communication system covering all its significant activities (see para. 30). Para. 26 sets out the overall expectations for an institution’s risk control function (RCF) to identify, monitor, and manage all risks across the enterprise. The RCF should ensure that an institution’s internal risk measurements and assessments cover an appropriate range of scenarios and are based on sufficiently conservative assumptions regarding dependencies and correlations (see para. 26.10). Furthermore, the RCF should ensure that all identified risks can be effectively monitored by the business units (para. 26.11). The EBA SREP guidelines describe the supervisor activities to test and assess an institution’s information systems (paras. 106–107) where supervisor’s should assess whether an institution has effective and reliable information systems and whether these systems fully support risk data aggregation capabilities at normal times as well as during times of stress. According to the SREP guidelines, NCAs should assess whether an institution is at least able to:
Supervision Major U.K. and international firms (Category 1 firms) ‘Supervision review firms’ information systems as part of the CA meetings (as described above in EC 1 and EC 2) and assess the level and quality of data produced by the firm via MI received. During CA risk meetings, the frequency of which are determined on a risk based approach, supervision questions the firm on the quality of its information systems, focusing on any deficiencies (e.g., lack of timeliness, lack of completeness). Where supervision has identified risk data aggregation as an issue, the firm’s remediation of its information systems is a topic of regular discussion. For the major U.K. firms, SRS review the firm’s IT systems to determine any deficiencies. Cross-firm work is sometimes the trigger for this, with some firms identified as outliers from their peers. If necessary, a skilled persons report (“S166”) is commissioned to review the firm’s ability to aggregate data. For periods of stress, supervision reviews how quickly and accurately a firm can aggregate risk data. The data received from the firm is often reconciled against existing firm MI, BoE data, and regulatory returns. Where there are discrepancies, supervision discusses these with the firm and acts as appropriate. Firms are expected to be working towards compliance with the BCBS principles for effective risk data aggregation and risk reporting (PERDARR) and to this end, supervision and SRS have had separate meetings with firms to discuss their progress, including IT system changes that are required. The assessors analyzed several ‘Board packs,’ finding them generally very detailed, and reviewed the report from a visit to a group data center supporting some of the IT systems of a major U.K. bank. The visit, sparked by past of outage incidents, focused on the analysis of backup measures, disaster recovery and business continuity plans, and cyber security measures. They got also access to a dear chairman and dear CEO exercise, an initiative aimed to: identify actions taken by firms to improve critical infrastructure and technology resilience; draw cross-firm comparisons highlighting consistencies and inconsistencies; examine the adequacy of resilience arrangements to prevent customer detriment arising from technology failures, potential impact on market integrity, and on the safety and soundness of firms. Finally, they saw the template of a letter to banks’ CEOs following the FPC 2013 initiative to assess, test and improve the resilience of the U.K. financial sector to cyber attacks. The letter announced the rolling out of a questionnaire and the start of a program of vulnerability testing against key cyber threats, on a voluntary basis. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management systems and processes—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. All Category 2–4 firms (including banks and building societies) are subject to an annual visit and supervisory assessment (SREP, L-SREP) that is considered in a PSM. As part of the visit preparation, supervisors most cases request a copy of the most recent Board pack (and frequently also the packs for relevant Board subcommittees such as ALCO, risk and audit). Supervisors and technical specialists review these packs to establish the type and level of MI being provided to Board members, and as the basis for discussions with Board members and senior management about the source and reliability of such information. Some elements of the MI are cross-checked against regulatory data returns to identify potential inconsistencies, and peer group analysis is used to identify those firms where the data appears to be against expectation. Should serious systems or data deficiencies be identified that are beyond simple rectification, supervisors (and will) ask for specialist reviews to be carried out—either by PRA specialists (SRS) or by external skilled persons (S166 FSMA). Shortfalls in capability are discussed and reviewed through the PRA’s PSM process, and fed back to firms (with expected actions) by way of the post-PSM letter. Any actions are time bound and followed-up by supervisors, with reviews of progress undertaken at the six month mid-point between PSMs. As described in EC 4, the PRA receives from all banks copies of the MI routinely provided to the Board and to its committees (‘Board packs,’ e.g., group Board, regional Boards, risk committee, audit committee, and asset & liability committee). |
| EC 8 | The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,77 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. |
| Description and findings re EC 8 | The EBA guidelines on internal governance set out the expectations for an institution to have a framework in place with regards to the development of new products (para. 23). Institutions are expected to have a well-documented new product approval policy approved by the management body, which addresses the development of new products, products and services, and significant changes to existing ones. The expectation is for institution’s to ensure that the decision making process consider regulatory compliance, pricing models, impacts on risk profile, capital adequacy and profitability, availability of front, back and middle office resources, and adequate tools and expertise to understand and monitor the associated risks. The guidelines describe the role of the managing body in regards to new product approvals. EBA SREP guidelines recommend that the supervisor take new products into account when assessing the internal control framework and assess whether the institution has a new product approval policy and process with a clearly specified role for the independent risk function, approved by the managing body (para. 104(h)). Supervision Major U.K. and international firms (Category 1 firms) As part of supervision’s deep-dives, AQRs, (carried out on a risk-based approach, outlined above in EC 1 and EC 2) and during CA meetings (carried out on a regular basis such as monthly or quarterly dependent on the risk type), supervision asks the firm about new products and the firm’s process for approving new products, material modifications to existing products and major management initiatives. Quite often these changes are discussed in both front office/strategy meetings and risk-management meetings, particularly if they are of a material nature to the firm. Supervision asks the firm about the challenge and degree of understanding of the changes/new product by senior management and the Board. If Supervision is not assured that a robust process of challenge has been undertaken, this is fed back to the firm, along with recommendations to improve the process. Supervision ensures these processes are followed by regularly reviewing the relevant MI (e.g,. risk committee pack detailing new products coming to market) and in CA meetings. As part of a recent EWRM review, the supervisory team reviewed the firm’s new products approval process, through a desk-based review of relevant policies and guidelines (including procedures for escalation to executive management and the Board). In addition, during the follow-up interviews, the team discussed specific case study examples of new product/process launches with Line 1, Line 2, executive management and the Chair of the Board risk committee, with a particular focus on how the new product approvals committee functions. For the relaunch of the product offered by the firm, the PRA also placed particular focus on the degree of challenge and understanding posed by the Board on this issue. The supervisory team also discussed with the risk function and Chair of the Board risk committee how the firm could better ensure that sufficient information was provided to the Board regarding the potential challenges of the new product, to ensure robust challenge. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on aspects of their risk-management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firm’s business model and product range, as well as future plans embedded in the current corporate plan. The supervisory judgment reached is based on interviews with key personnel (executives, risk managers, nonexecutive chairs of key committees) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every 4 years (for each of capital and treasury). The capital specialists focus on the risks inherent in any lending products, in order to assess whether the allocation of capital in the firm’s ICAAP is adequate to cover the inherent (mainly credit) risks involved, and the treasury specialists also focus on funds transfer pricing (FTP) methodologies and systems to ensure that correct pricing signals are being transmitted to the front line. In reviewing products and business models, supervisors also test the understanding of Board members and senior managers of the risks and benefits inherent in individual products, and assess the new product approval process to gauge whether it adequately addresses the relevant risk-management issues in bringing a new product to market. The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite for new products, how this is promulgated in setting limits and controls, what capacity the firm has to deliver the new business (does it have the requisite skills and capabilities?) and how effective the risk control systems are that challenge this. In the case of building societies, SS20/15 sets out specifically the risk implications that Boards and management of societies are expected to take into account in determining whether or not to go ahead with a new product, and place an expectation on societies that they will consult their supervisors ahead of embarking on new initiatives that would represent more than 5 percent of capital or 10 percent of future revenue—any such initiatives and developments would be subject to specific supervisory review and feedback. The FCA expects banks to place customers at the heart of their business and to reflect this in product design, the sales process and after sales. This means that the FCA expects banks to ensure that products are designed with particular markets in mind, that they are suitable for these target markets, that risks are explained and that products are regularly stress tested to ensure they are performing in line with expectations. The FCA expects banks to have policies and procedures to take this into account in their processes both to design new products and amend existing ones. The FCA expects senior management, including Boards, to be satisfied that a bank has appropriate controls in this regard. The FCA carries out work both on individual banks and thematically across groups of banks to ensure that they meet regulatory expectations. |
| EC 9 | The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. |
| Description and findings re EC 9 | Laws and regulation The risk control part of the PRA Rulebook requires firms to establish, implement, and maintain adequate risk-management policies and procedures, and where appropriate and proportionate, establish and maintain a risk-management function that operates independently from the operational functions, has sufficient authority, stature, resources, and access to the management body. The risk-management function implements risk-management policies and procedures, and provides reports and advice to senior management. Rule 3.4 of the PRA Rulebook—risk control part (transposing Art. 76(5) of CRD) requires that a bank’s risk-management function be independent from the operational functions and have sufficient authority, structure, resources, and access to the management body. The bank must ensure that the risk-management function is able to report directly to the management body in its supervisory function, independent from senior management. The same rule also requires the risk-management function to ensure that all material risks are identified, measured, and properly reported. It must be actively involved in elaborating the firm’s risk strategy and all material risk-management decisions, with the ability to provide a complete view of the risks the firm faces as a whole. The banks must ensure that the appropriate reporting lines are in place, so that the risk-management function can report directly to the management body in its supervisory function, independent from senior management. The risk-management function should also be able to raise concerns and warn the management body where specific risk developments affect or may affect the firm, without prejudice to the responsibilities of the management body. The risk committee (notably its Chair) should provide a channel for the CRO to do this. Ongoing reforms Under the SMR there are distinct prescribed responsibilities allocated to senior managers, which ensure independence of responsibilities. For small firms (assets of GBP 250 million or less) these are:
For larger firms the responsibility is the following:
Supervision Major U.K. and international firms (Category 1 firms) Supervisors of major U.K. firms regularly question the firm’s senior risk-management about the level of resourcing in the risk function in the firm via CA meetings, the frequency of which vary depending on the firm and the risk type. Staff attrition rates are discussed, particularly in areas where high staff turnover is an issue. As part of the supervisor’s review of the firm (via CA meetings), supervision asks the risk-management staff about how they establish their independence and authority from front office/risk-taking functions of the firm. The frequency of this questioning of the authority of risk varies depending on the firm—a risk-based, judgment approach is taken—for firms where supervision is concerned over the strength of risk-management vis-à-vis risk taking functions, this is a regular item on the agenda when meeting risk staff. Where it is clear that risk-management have the independence and authority expected by the PRA, this issue is monitored less frequently (e.g., annually requesting organizational chart updates). During deep-dives of the risk function (see EC 1 and EC 2, which set out the triggers for undertaking deep dives), the independence of the risk function are reviewed. The ability of risk to be the final decision making on transactions and risk limits is questioned. Supervisors of major U.K. banks regularly look at the internal audit reports produced on the risk-management function. This happens on a risk-based frequency, with the reports reviewed more frequently; where the risk function is perceived to be weaker, as determined via CA meetings. During deep-dive reviews, internal audit reports on the risk area being reviewed are requested as part of the pre onsite MI review. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy, and liquidity/treasury adequacy, as part of a comprehensive SREP process. The visit includes detailed review of the firms risk appetite and risk-management capabilities, based on interviews with key personnel (executives, risk managers, nonexecutive chairs of key committees, and internal and external auditors) and, in alternate years, the outcome of a meeting with the full Board (typically split into sessions including and excluding executive Board members). There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms, depending upon the focus of that year’s supervisory work. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every four years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite and how effective the risk control systems are in practice. The evidence for supervisory judgment come from a combination of the outcomes from interviews, review of relevant policy documents, analysis of regulatory returns data (to identify outlier behavior and trends, including in comparison with peers), review of MI provided to the Board and relevant committees, discussions with internal and external auditors and, if deemed necessary from a supervisory risk appetite basis, the outcome of specialist reviews—either using PRA SRS resource or through commission of skilled persons reviews (under S166 of FSMA). The independence and capability of risk-management is a key factor in the assessment of each firm, and supervisors seek to assurance that risk managers have independent access to Board members and the chair of the Board risk committee. However, whilst an independent risk function would be usual for Category 2 firms, it is not always the case that a fully independent function can be justified for very small firms that undertake low risk business (e.g., retail mortgage lending): the PRA therefore adopts a proportionate approach to setting expectations in this area. Where no fully independent risk function exists, the PRA expects to see proper segregation of duties and collective decision-making (at a minimum, “four eyes” coverage and separation between business development and risk sanctioning. The PRA continually encourages the development of additional risk capability ahead of growth in firms, so that the business is appropriately controlled. The PRA also discusses coverage of risk-management by internal audit as a standard part of its review process. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,78 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. Societies are expected to inform supervisors before implementing any change of approach or agreeing internal limits that are significantly more risk-taking than those set out as expectations in SS20/15. The PRA is currently undertaking a review of SS20/15 that is expected to result in the provision of more clarity on risk appetite and risk-management expectations applying to different levels of approach. |
| EC 10 | The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. |
| Description and findings re EC 10 | Under Art. 76(5)(4) of the CRD all banks are required to have a risk-management function. Although this function must be headed by an independent senior manager with distinct responsibility for the risk-management function, it does not need to be headed by a specially appointed person solely responsible for this role. However, taking into account their size, nature, and complexity, for some banks it is appropriate to appoint a CRO. The EBA guidelines on internal governance recommend that a chief risk officer be appointed with exclusive responsibility for the RCF and for monitoring the institution’s risk-management framework across the entire organization (para. 27.1). The CRO should be responsible for providing comprehensive and understandable information on risks, enabling the management body to understand the institution’s overall risk profile. He/she should be sufficiently expert and experienced to discharge the role and challenge decisions that affect the risk profile of the organization (para. 27.3). In relation to the appointment and dismissal of the CRO, the guidelines recommend that the institution have documented policies in place to assign the position of the CRO and to withdraw his or her responsibilities. If the CRO is replaced, it should be done with the prior approval of the management body in its supervisory function; generally the removal or appointment of a CRO should be disclosed and the supervisory authority informed about the reasons for the removal. In the SYSC Section of the PRA Rulebook (on senior management arrangements, systems and controls), Rule 21.179 sets out the PRA’ expectations for the CRO. Banks need to seek approval for a CRO to perform the systems and controls function. The CRO should:
The CRO should also alert the firm’s governing body to and provide challenge on, any business strategy or plans that exceed the firm’s risk appetite and tolerance. The CRO should report into a very senior executive in the firm. In practice, the PRA expects this to be to the chief executive, the chief finance officer or to another executive director. The CRO should be a dedicated independent senior manager. In cases where this arrangement is disproportionate, another senior person within the firm may be appointed, provided there is no conflict of interest. SYSC 21.1.4G requires firms to ensure that the CRO may not be removed from that role without the approval of the firm’s governing body. Supervision Only Category 1–2 firms are normally large and complex enough to require appointment of a CRO. Smaller firms are expected to have risk-management appropriate to their scale and complexity. CROs are subject to preapproval by the PRA as CF28s (systems and controls) functions under the current APR and will be a PRA (SMF4 3.4 in the SMFs chapter of the Rulebook) under the new SMR. Consequently, firms need to notify us if a CRO is dismissed or ceases to perform that function for another reason using a specific form (Form C to be used in both the old and new regime). Rule 3.5 of the risk control chapter of the PRA Rulebook includes provision that the CRO must not be removed without the approval of the management body of the firm: “The head of the risk-management function must not be removed without prior approval of the management body and must be able to have direct access to the management body where necessary.” |
| EC 11 | The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book (IRRBB) and operational risk. |
| Description and findings re EC 11 | The following articles of the CRD are relevant to standards for specific risk types:
EBA’s SREP guidelines also provide set of recommendations for supervisory assessment related to risk-management of specific risk categories. For the implementation in the U.K. of the standards mentioned by the essential criterion, see CPs 17, 22, 23, 24, and 25. |
| EC 12 | The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. |
| Description and findings re EC 12 | Art. 74 of the CRD establishes the basis for institutions to have in place recovery plans for the restoration of an institution’s financial situation following a significant deterioration (see para. 4). The plans need to be reflective of the size, complexity, and scale of the institution. Furthermore, NCAs shall cooperate closely with the resolution authorities and provide them with all information necessary for the preparation and drafting of viable resolution plans setting out the options for orderly resolution of the institution in the case of failure. EBA SREP Guidelines set out the requirement that NCAs consider any findings and deficiencies identified in the assessment of recovery plans and recovery planning arrangements (para. 108). The relevant parts of CRD have been implemented in the U.K. as of January 1, 2014. In implementing Art. 74 thereof (regarding recovery and resolution planning), the requirements of CRD were addressed by planned amendments to the financial stability and market confidence sourcebook rules, as consulted on by the FSA in FSA CP 11/16 and which the FSA provided feedback on in FS12/1. The PRA has indicated its compliance with the EBA guidelines specifying common procedures and methodologies for carrying out supervisory reviews (SREP) (into force since January 1, 2016). The PRA has had in place a recovery and resolution planning framework since January 1, 2014 (setting out the PRA’s information requirements necessary to inform the authorities’ selection of the preferred resolution strategy, identification of barriers to its implementation and proposed means of improving resolvability); the framework has been subsequently amended following the U.K. implementation of the BRRD (January 1, 2015). In brief, recovery and resolution planning in the U.K. today is driven largely by the requirements of the BRRD. Specifically, the BRRD requires that recovery and resolution plans are drawn up. Moreover, should authorities identify barriers to resolvability in the recovery and resolution planning process, they can ask firms to take appropriate measures, with a view to ensuring that the firm can be resolved with the available tools without posing a threat to financial stability. Supervisors benefit from a wider range of tools relative to the pre-BRRD period, including early intervention measures (e.g., removal of management and the appointment of a temporary administrator). The resolution authorities in turn are equipped with a range of resolution tools (sale of business, asset separation, bail-in, and setting up a temporary bridge bank). A number of EBA standards and guidelines on recovery and resolution matters are mandated by the BRRD, for example, recovery plan indicators, simplified obligations, failing or likely to fail, etc. The U.K. has up until now either indicated its intention to comply with all finalized guidelines or fulfill standard requirements. Under the new SMR, for larger firms,80 there is a prescribed responsibility for developing and maintaining the firm’s recovery plan and resolution pack and for overseeing the internal processes regarding its governance, allocated to a Senior Manager. PRA rules require firms to produce recovery plans and submit resolution information to ensure that they:
The PRA as the consolidated supervisor ensures institutions write and maintain recovery plans covering the European group, which take into account the overall structure of the banking group, including any nonbank subsidiaries of that group. The PRA’s rules on recovery planning and the SS 18/1381 incorporate requirements of the BRRD. Arts. 5 and 6 set out the requirements and assessment criteria for recovery plans prepared for firms subject to the BRRD that are not in an European consolidated group. Arts. 7 and 8 apply those same requirements at the European consolidated group level for the group recovery plans contents and assessment requirements. The supervisors expect their firms to incorporate recovery planning within their existing risk-management framework. Both the individual and group recovery plan (whichever is applicable) needs to demonstrate to the competent authority how the group as a whole or an institution in the group can be stabilized during a stress in order to remove the causes of the distress and restore the financial position of the group or the institution in the group. Supervisors assess whether these plans demonstrate adequate governance arrangements and escalation processes, critical functions and core business lines, internal and external interconnectedness and strategic analysis of recovery options, minimum list of quantitative and qualitative recovery plan indicators and the range of scenarios. The recovery plan, whether it is at the individual or group level, needs to include at least three scenarios of severe macroeconomic and financial stress relevant to the firm or group’s specific conditions including at least one system-wide and one idiosyncratic stress. The global systemically important institutions (G-SIIs) are required to include at least four scenarios. Following a review of the recovery plans, the new BRRD framework requires supervisors to notify their firms about any material deficiencies in the plan and/or material impediments to its implementation. Firms have a further two months (extendable to three, if the supervisors permit it) to address the material deficiencies and impediments. For the 2015 plans, the PRA supervisors have asked the major U.K. systemic banks to submit their recovery plans during the annual capital stress-testing process to ensure that the reviews of the recovery plan options and the scenarios are aligned to the stress-testing management actions. The supervisors of the nonsystemic banks and the international banks request the recovery plans from their firms at their discretion—though this does not preclude the requirement for firms to take ownership for updating their plans on at least an annual basis or following a change to the legal, organizational structure, business or financial situation of the individual firm or the group. Since the new updated BRRD requirements came into force in January 2015, the consolidating supervisors have set up a joint decision processes so that all the competent authorities for the subsidiaries and significant branches in the group can assess the group recovery plan against the risks arising from all entities in the group. Internal processes for the approval of assessments are being implemented to strengthen senior management’s exposure to plans. Although PRA supervisors have been assessing individual and group recovery plans and providing feedback to the firms since 2012, the new BRRD requirements updated in January 2015 require a more structured assessment of the firm’s risks and assessment of the proximity to failure. Supervisors assess whether the plans demonstrate adequate governance arrangements and escalation processes, critical functions, and core business lines, internal and external interconnectedness and strategic analysis of recovery options, minimum list of quantitative and qualitative recovery plan indicators and the range of scenarios. The PRA expects the indicators to cover contagion and reputation risk within this. The PRA judges a firms proximity to failure using the PIF. The PIF score takes into account elements of the supervisory assessment framework that reflects the risks faced by a firm and its ability to manage them—external context, business risk, management and governance, risk-management and controls, and capital and liquidity. This is calculated and assessed annually; however, the elements of the framework are monitored regularly. The PRA works closely with the RD of the BoE on their resolution planning, in line with Art. 10 of the BRRD. If the PRA considers an institution to be failing or likely to fail, as per the EBA guidelines, it notifies RD, as the resolution authority. The PRA supervisors only need to share the recovery plans with the RD if the supervisors identify anything that has an adverse impact on the resolvability and/or resolution strategy for the firm. The current work on EBA guideline on triggers for early intervention, coming into force on January 1, 2016, will further clarify when supervisors should increase focus on resolution planning. Supervision For Category 2–4 firms, supervisors request and review firms’ recovery plans as part of the annual capital and liquidity visits. Supervisors have six months to identify any material deficiencies in the recovery plan and to provide feedback to the firm. The review focuses on identifying and removing barriers to credible recovery options. Category 2–4 firms—building societies in particular—have limited capital and liquidity recovery options beyond shrinking or merging with a larger firm. This lack of optionality means an appropriate trigger framework is essential. This is reflected in the PRA’s supervisory strategy; supervisors assess the relevance of triggers and early warning indicators and consider how they are incorporated in the firm’s risk-management and monitoring. Early intervention and use of early intervention powers are necessary to avoid urgent recovery work or resolution actions. Examples were provided to the assessors during their visit. In some cases, firms overestimate the outcome of a recovery option by not taking into account market conditions (i.e., they suggest assets would sell at a greater value than supervisors believe). In others, firms neglect to take the step of identifying potential buyers for these assets. Supervisors see this step as an important part of due diligence for recovery planning. Another common deficiency encountered by supervisors is that firms monitor insufficient indicators of their own financial strength and threats to it—they need to think more broadly about events that they should be aware of which might impact them. PRA supervisors require firms to prepare and maintain recovery plans which are mean to prepare firms for periods of stress. Supervisors assess the firm’s readiness to deal with a stress by considering the firm’s approach setting appropriate indicators for monitoring potential causes of stress (financial and nonfinancial), and the options the firm has on hand for dealing with a stress as a result of their planning. Supervisors also ensure firms have sufficient governance arrangements in place, which would allow the firm to take appropriate action in a stress. The result of these plans is that firms can demonstrate they have credible options to deal with a stress, which would restore the firm to viability. |
| EC 13 | The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program:
The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process. |
| Description and findings re EC 13 | Art. 97 CRD sets out the basis for NCA’s to evaluate the risks revealed by stress testing taking into account the nature, scale, and complexity of an institution’s activities (para. 1(c)). Art. 98 sets out the technical criteria for the supervisory review to include the results of stress tests carried out by institutions using an internal model to calculate market risk own funds requirement. Art. 99 states that NCAs shall at least annually adopt a supervisory examination program that has due regard for the results of an institutions stress testing that might indicate significant risks to their ongoing financial soundness or indicate breaches (para. 2(a)). EBA SREP guidelines contain detailed supervisory assessment criteria to encompass stress testing (para. 103): NCAs should assess the institution’s stress testing program, covering the appropriateness of the selection of the relevant scenarios, and the underlying assumptions, methodologies and infrastructure, as well as the use of the outcomes. Specifically in relation to this EC:
EBA guidelines on stress testing (GL 32) contain a thorough guideline for the application of stress testing by institutions in terms of the development of the framework, methodologies, assumptions, validation, etc. The PRA Rulebook requires that, as part of its business planning and risk-management obligations, a bank carries out stress tests and scenario analyzes that test its business plan to failure (reverse stress test) (SYSC 20.2.1R).82 In carrying out such stress tests and scenario analyzes, a bank should at least take into account each of the sources of risk identified in accordance with GENPRU 1.2.30R(2)83 (SYSC 20.2.4G). The bank must identify a range of adverse circumstances, which would cause its business plan to become unviable and assess the likelihood that such events could crystallize; and where those tests reveal a risk of business failure that is unacceptably high when considered against the firm’s risk appetite or tolerance, adopt effective arrangements, processes, systems or other measures to prevent or mitigate that risk. The design and results of a firm’s reverse stress test must be documented and reviewed and approved at least annually by the firm’s senior management or governing body (SYSC 20.2.3R). A bank must update its reverse stress test more frequently if it is appropriate to do so in light of substantial changes in the market or in macroeconomic conditions. Reverse stress testing should be appropriate in nature, size and complexity of the firm’s business and of the risks it bears (SYSC 20.2.5G). Where reverse stress testing reveals that firm’s risk of business failure is unacceptably high, the firm should devise realistic measures to prevent or mitigate the risk of business failure, taking into account the time that the firm would have to react to these events and implement those measures. As part of these measures, a firm should consider if changes to its business plan are appropriate. These measures, including any changes to the firm’s business plan, should be documented as part of the results. Supervision Much of the BoE’s approach to firms own stress testing is summarized in the SS6/1384 on stress testing, scenario analysis, and capital planning. This statement sets out the PRA’s expectations of firms in relation to stress testing, scenario analysis and capital planning, and the requirements set out in the PRA Rulebook in Chapter 12 of the ICAAP assessment rules. Specifically it addresses:
On a regular basis, the PRA issues a scenario that provides an indication of the level of severity to which it expects firms to stress their corporate plan. This may be used directly by firms where it is relevant to their business model and the risks to which they are exposed. Both scenarios issued by the PRA and those developed by firms themselves implicitly incorporate feedback effects and system-wide interactions. For all U.K. regulated firms supervised by the PRA, supervisors also make use of stress tests set out in firms’ ICAAPs, including reverse stress testing, and where appropriate running internal supervisory models and analysis to inform their judgments of individual firm capital adequacy. Latterly the FSA, and more recently the PRA, has undertaken sequential stress testing of the largest and most complex regulated firms in the U.K., making use of the scenario issued by the PRA, but adapting it for the specific risks faced by each individual institution. These sequential stress tests used a variety of internal supervisory models and analysis to inform supervisory judgments of individual firm capital adequacy. The sequential supervisory stress tests have now been superseded by the CST framework. The CST framework established by the BoE seeks to support the understanding of feedback effects and amplification mechanisms. This will help inform the design of future scenarios, but also the review of firms’ stress tests, even where not within the scope of the CST. The CST also incorporates a qualitative review of firms stress testing capabilities and practice. This includes an assessment of the engagement of the firms’ Boards. The PRA undertakes SREP reviews of firms’ ICAAPs and this encompasses three key components:
The SREP work undertaken reflects the scale and complexity of the firms supervised by the PRA. It is also supplemented with targeted, deeper reviews either of individual risks (such as interest rate risk on the banking book) or of the capital management and stress testing processes. SREP reviews are a combination of desk based reviews of firms’ documentation and on site interviews of a range of firms’ staff from the governing body to analysts. The PRA expects firms to carry out ICAAPs annually and reserve the right to call in any year (e.g., if the firm changes its business model via acquisition). The PRA has an ongoing CA cycle for major firms. This includes monthly meetings that involve discussion of key exposures with management, and semiannual visits to review and assess firms’ traded risk-management controls/frameworks. The CA cycle includes not only reviewing firms’ stress testing frameworks, but the output of the stress tests, for example, through regular reviews of MI and discussion of risk-management/mitigation actions taken by the firm. Category 2–4 Banks and Building Societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management—but the level of intensity of the work is less, in line with the PRA’s risk impact methodology. The core supervisory process applied to all firms includes an annual visit to review, in alternate years, capital adequacy as part of a comprehensive SREP process. The visit will include detailed review of the firms’ ICAAPs and that will extend to a review of the stress testing that has been undertaken. The review work will be carried out by supervisors in conjunction with capital specialists. For smaller firms, there are also PRA models for specific portfolios against which the outcomes of individual firm’s stress tests can be benchmarked. For Category 3 and 4 firms that are judged to be lower risk, the specialist review of capital will take place at least every four years (but a biennial supervisory review will take place in intervening years). The PRA/FPC publishes standards scenarios that are intended to “anchor” the stress testing performed by firms, to ensure that the scenarios used are of adequate relevance and intensity. In addition, firms are expected to develop and use their own scenarios that specifically test the vulnerabilities of their business models. For banks not taking part in the CST, the scenario is provided as a guide to calibrating their own scenarios for Pillar 2 stress testing purposes. The PRA is conscious of the challenges of developing a single macroeconomic scenario that will be relevant for a diverse set of firms, operating under different business models and exposed to a variety of risks. So responsibility for developing scenarios for Pillar 2 purposes still lies with firms themselves. The ‘anchor’ scenario is intended to help firms calibrate the severity of these scenarios. The results of the reviews in terms of supervisory judgments on the level of capital planning buffer (CPB) required are presented to a PSM for each firm, at which ICG+CPB is set and key issues are agreed for feedback to the relevant firm. The PSM process allows for independent review of supervisory judgments in order to achieve both consistency and a sense check on whether judgment has been correctly exercised. As part of a SREP review, supervisors would look at the outcome of the firm’s own stress testing and the assumptions underlying it. Supervisors expect firms to use stress scenarios that are relevant to their business model and operations, and will comment if they consider that the work has not been undertaken sufficiently rigorously, requiring improvements (either immediately or at the next iteration, dependent upon materiality). The results of stress testing are expected to be integrated with the firm’s own corporate plan and ICAAP, and to inform both the level of any P2A add-ons (where stress testing suggests that the P1 charge is insufficient) and of the CPB (now PRA buffer). Where, in the judgment of the supervisor (informed by technical specialists and confirmed by a PSM), the firm has not performed an adequate stress test, the PRA will use the results of its own stress test or add an amount for conservatism pending provision of more credible numbers. This will involve an expectation that the firm should improve its stress testing capability (within a defined period). |
| EC 14 | The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement, and new product approval process for all significant business activities. |
| Description and findings re EC 14 | BIPRU 12.3.15 requires firms to incorporate liquidity costs, benefits, and risks into product pricing, performance measurement, and the approval process for new products. Supervision along with SRS ensures compliance with the requirements as part of their annual or ongoing liquidity reviews. During deep-dive reviews, supervision and SRS question the firm on many aspects of its products, including the new product approval process. As part of the CA process, during the monthly trading book reviews, supervision asks for information about new products and significant new transactions from firms. This also applies to the pricing of risk. The firm is asked how factors such as liquidity and credit risk are taken into account when origination deals and risk management’s involvement in approving those transactions. In 2014, SRS conducted a cross-firm FTP review on seven Category 1 U.K. banks. The review focused on a select, but representative set of retail and corporate banking products. The purpose of the review was to provide an understanding of firms’ pricing structures and what they implied for both firms’ own business models and the financial system more widely. The work gave insight as to how institutions determine product margins and any potential perverse incentivization at firms. The FTP components assessed included fees/cash backs, liquidity costs, interest rate hedging costs, securitization credits (for certain types, e.g., mortgages), commercial margin, and management overlays. The review concluded that, although the firms had made some developments regarding their FTP frameworks, there still remained weaknesses revolving around:
These messages were fed back to firms in a series of subsequent face-to-face meetings. In addition, where risks were considered material by supervision they were incorporated into the firms’ CA schedule. Category 2–4 banks and building societies As for the Category 1 banks, the PRA operates a CA process to review and provide feedback to Category 2–4 firms on the effectiveness of their risk-management—including their pricing of risk. There are teams of dedicated specialist resources (both capital specialists and treasury specialists) available to support supervisors of Category 2–4 firms in their work. These specialists are deployed in alternate years for the larger/more complex firms. For Category 3 and 4 firms that are judged to be lower risk, the specialist reviews take place at least every four years (for each of capital and treasury). The supervisory review process specifically focuses on how the Board of the firm agrees and sets risk appetite, how this is promulgated throughout the business in terms of limits and controls, what capacity the firm has to operate to its chosen level of risk appetite (does it have the requisite skills and capabilities?), and how effective the risk control systems are in practice. Included in the discussion with firms are reviews of the extent to which potential credit costs are factored into product pricing, the process for agreeing new products (including the setting of overall prices to recover costs and generate a return on capital), and the arrangements for FTP (to ensure correct pricing signals are given to those developing or managing product lines). The intensity of the review process is risk-based: typically there are more meetings held with Category 2 firms and available resources are concentrated on those firms with the highest potential impact on regulatory objectives. Category 3 and 4 firms tend to have smaller and simpler product lines, and therefore on a proportionate basis do not need the same sophistication of pricing and monitoring systems as their larger and more complex competitors. The PRA adopts a proportionate approach in setting expectations for this group of firms. In the case of building societies, the PRA has set out its expectations of what it considers to be appropriate risk-management for different levels of business model, recognizing the need for proportionality and that risk capability needs to be matched to risk appetite. The expectations are set out in SS20/15,85 which focuses specifically on risk-management expectations for lending and treasury activities. All building societies are expected to align themselves to the most appropriate (for them) of the risk approaches, and supervisors then assess their capability to operate safely at the level of their chosen approach. The SS does include expectations on pricing activities, and these are due to be expanded upon in the updated version of the document that is planned for consultation later in 2015. |
| Additional criteria | |
| AC1 | The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. |
| Description and findings re AC1 | The SREP guideline includes the need for NCAs to assess the key vulnerabilities to which an institution’s business model and strategy are exposed to or maybe exposed to, including:
Furthermore the SREP includes consideration of assessing the sustainability of an institution’s strategy and the risk level of the strategy. BIPRU 9.1.6R states that risks arising from securitization transactions in relation to which a firm is investor, originator or sponsor, including reputational risks, must be evaluated and addressed through appropriate policies and procedures, to ensure in particular that the economic substance of the transaction is fully reflected in risk assessment and management decisions. The GOR Part 5.1 of the PRA Rulebook requires firms to ensure that the management body approves and oversees implementation of the firm’s strategic objectives, risk strategy and internal governance. GOR 2.1 requires firms to have robust governance arrangements, which include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility, effective processes to identify, manage, monitor, and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. For further details please see EC 2, 5, and 8 of BCP 14. Supervision It was noted above that, as part of the CA process, firms are required to provide supervision with details of new products authorized and significant new transactions. Supervision’s assessment of the firm’s risk-management of these transactions, carried out as part of the CA process, includes an assessment of the firm’s management of reputational risk, exposure to extreme events, and any other risks which may fall outside the Pillar 1 framework. Supervision conducts regular analyzes of firms’ business models and examines critically the viability of these models and their embedded risks. In support of these analyzes, supervision reviews firms’ P&L accounts to identify the quality and sustainability of their income streams. |
| Assessment of Principle 15 | Compliant |
| Comments | The PRA has set up a comprehensive and articulated framework for the supervision of bank’s risk-management systems, which allows it to perform a range of analyzes and reviews with more breadth and depth than it was the case at the time of the previous BCP assessment. In particular, the review of banks’ EWRM, through a combined top-down/bottom-up perspective, has now become an integral part of the CA for the largest banks. The introduction of the CST for major U.K. banks has significantly raised, in the opinion of the same banks’ CROs, the standard of risk-management practices inside the banks. This is a representation of the approach adopted for the largest banks (Category 1 and, to a more limited extent, Category 2 banks) and operated mainly by the risk specialists. The smaller institutions receive a lower degree of attention and are rarely examined by SRS: which, per se, is quite natural, given their more limited degree of complexity, but raises legitimate questions that have been further elaborated elsewhere (see CP 8 and 9). There are shades, in this approach, even for the PRA supervisory action on the same large institutions, as the increasing competition of requests towards a fixed pool of skilled specialist resources imposes frequent reprioritizations. All in all, the interpretation of the general approach to the oversight of banks’ risk-management frameworks needs to be read jointly with the other aspects of the PRA’s operating model (see also CP 2 and CP 16). |
| Principle 16 | Capital adequacy.86 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. |
| Description and findings re EC 1 | Part II of CRR defines the components of own funds following Basel capital tier structure, which reflect varying degrees of loss absorption capacity. In line with Basel III standards, CRD has introduced a ‘capital conservation buffer’ (Art. 129) and related capital conservation measures (Art. 141), which entail restrictions on distribution of dividends, payments of variable remuneration, payments on additional tier 1 instruments whenever such dividends and/or payments would result in a breach of the combined buffer requirement. Also, Art. 54 CRR provides for the write down or conversion of additional tier 1 instruments when the CET1 ratio of a bank falls below 5.125 percent. FSMA Threshold Condition 487 requires all banks to maintain adequate financial resources. All banks are required to comply with CRD/CRR which set out minimum capital requirements and qualifying components of capital. CRR is directly applicable in U.K. law. The PRA has used certain discretions in the CRR in a prudent way to ensure that the outcome is consistent with Basel III. For example, the PRA requires banks to deduct significant investments in insurance entities, subject to Threshold Conditions, rather than risk weight such investments. In addition, all AT1 instruments issued externally by U.K. banks have a trigger of 7 percent CET1 rather than the CRR minimum of 5.125 percent. In line with Basel III, the PRA has grandfathered certain state owned ordinary shares for one bank, which do not fully comply with the CET1 criteria, until December 31, 2017. In addition, the PRA’s PS 7/1388 supplements the CRR with additional rules in the PRA Rulebook. These include rules on connected funding of a capital nature, connected transactions, preissuance notification regime as well as the PRA’s implementation of national discretions and transitional provisions. The eight largest U.K. banks89 are held to a higher standard than other banks in respect of minimum risk based CET1 ratios and leverage ratios (SS3/13)90: in particular, they are expected to meet a 7 percent CET1 ratio, based on end-point definition of CET1 which does not take account of the transitional provisions for CET1, such as the phasing in of deductions. |
| EC 2 | At least for internationally active banks,91 the definitions of capital, risk coverage, method of calculation, and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. |
| Description and findings re EC 2 | The whole of Part II and III (Arts. 25–386) of CRR and Title VI, Chapter 4 (Arts. 128–142) of CRD implement the Basel capital standards in the EU. The CRR and CRD are complemented by EBA RTS on own funds. The compliance of EU legislation with the Basel capital framework has been assessed by the Basel committee in 2014 Program RCAP—assessment of Basel III regulations—EU, December 2014). The assessment has found the implementation of the Basel framework in the EU materially noncompliant; in particular, the EU framework has been found compliant in terms of scope of application, transitional arrangements, capital buffers, IMA for market risk, operational risk, supervisory review process, and disclosure requirements; largely compliant for definition of capital, standardized approach for credit risk, securitization framework, standardized approach for market risk; materially noncompliant for the IRB approach for credit risk; noncompliant for the counterparty credit risk framework. The assessors had access to some of the results, for the U.K. banks, of the EU RCAP exercise and found that certain sources of divergence with the Basel framework can be considered as having limited materiality (within 10 bps of CET1 capital ratio overestimation): e.g., small-and-medium Enterprise (SME) multiplier; absence of 1.06 scaling factor for non-IRB formula exposures. Also, for other sources of divergences, there is no impact, as the non-compliant treatment of the EU framework does not apply to any internationally active U.K. bank: e.g., original exposure method for counterparty credit risk; other risk-transfer mechanisms (different from insurance) under AMA; calculation of capital requirements for market risk using the credit risk rules; zero capital requirement on the net long or short position in an index contract if exchange traded and appropriately diversified. On the other hand, the broader range of counterparts exempted from the CVA requirement under CRR—as opposed to the Basel standard—determines an impact on CET1 capital ratios significantly larger than 10 bps in all cases. However, in exercising its options with respect to the so-called ‘national discretions’ offered by the CRR, the U.K. authorities have tended to adopt the more conservative ones; which, to a certain extent, are likely to partially compensate––though not in a precisely quantifiable way—for the increase in apparent capital ratios determined by the abovementioned source of divergence. Moreover, the PRA required institutions to apply all filters and deductions from CET1 in full from January 1, 2014, i.e., reaching the end point definition of CET1 as soon as permitted under the CRR. The discretion to phase in certain requirements more slowly has not been exercised. These include the full deduction of deferred tax assets (DTAs) that rely on future profitability and arise from temporary differences DTAs (Rule 10.7 in PRA Rulebook part definition of capital) as well as equity holdings in insurance undertakings, reinsurance undertakings, and insurance holding companies (Rule 10.8 in PRA Rulebook part definition of capital), from CET1 subject to a threshold amount. As a consequence of this choice, that represents an element of ‘super-equivalence’ with respect to the Basel framework during the transitional period, the PRA estimated that the average CET1 ratio for the largest four U.K. banks in 2015 would be almost 2 percent lower under the U.K. implementation, compared with the minimum transitional path allowed under the CRR. |
| EC 3 | The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)92 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. |
| Description and findings re EC 3 | Art. 104 of CRD requires that supervisors have the power to require a bank to hold own funds in excess of the minimum capital requirements (for any risk or element of risk not covered by such minimum requirements); to restrict or limit a bank’s businesses, operations or network or to request the divestment of activities that pose excessive risks to a bank’s soundness; to require the reduction of the risk inherent in a bank’s activities, products and systems. Art. 5 of CRR clarifies that the exposures on which capital requirements for credit risk are to be computed include assets and off-balance-sheet items. The risk-based capital adequacy regime requires banks to hold capital commensurate with the level and nature of all risks, both on and off-balance sheet, to which they are exposed as well as the risks they can pose to the financial system. Specifically the PRA can apply capital add-ons under Pillar 2 for risks that are not captured under Pillar 1 (e.g., defined benefit pension risk, IRRBB, concentration risk, governance and risk management, conduct risk, etc.) and for risks that are not fully captured under Pillar 1 (e.g., credit risk, market risk, and operational risk). The PRA requires firms to hold a capital buffer to ensure that they can continue to meet their capital minima under a severe stress. All firms are required to hold additional capital under Pillar 2, with some partial exceptions (e.g., banks subject to international sanctions, which are not subject to a Pillar 2B add-on as they do not undertake new activity). The PRA’s methodology for setting Pillar 2 capital was updated in July 2015.93 It confirms the PRA’s approach to setting tailored capital requirements to cover firm-specific risks while avoiding duplication with the new Basel III/CRD capital buffers. The PRA is further developing its internal processes to ensure consistency of approach across firms, enhance comparability of Pillar 2 capital and reinforce peer reviews. In particular, the PRA is developing a Pillar 2 database that captures relevant information; and introducing business intelligence solutions that allow better analyzes for individual firms and the sector. The PRA has implemented the FPC’s June 2014 recommendation to limit to 15 percent the proportion of new residential mortgages at loan to income ratios at or greater than 4.5. The FPC has also been granted powers of direction over loan-to-value and debt-to-income ratio limits for owner-occupied mortgage lending. |
| EC 4 | The prescribed capital requirements reflect the risk profile and systemic importance of banks94 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. |
| Description and findings re EC 4 | Art. 131 CRD sets a capital surcharge for global and other systemically important institutions. EBA technical standards and guidelines on methodology and disclosure for G-SIIs provide consistent parameters and specify a harmonized methodology for the identification of G-SIIs across the EU and determine their adequate levels of capital in excess of the minimum requirements. Art. 130 and following of CRD establish a bank-specific CCB that depends on the weighted average of the CCB rates applied in the different jurisdictions where the bank’s credit exposures are located. From a microprudential perspective, national jurisdictions cannot set higher overall prudential standards than the applicable Basel requirements, which under CRR have been harmonized at the Basel minima. However, Art. 133 of CRD grants supervisors the power to impose a systemic risk buffer––in excess of minimum capital requirements, Pillar 2 add-ons and other capital buffers, but in parallel with G-SIIs buffers––in order to prevent and mitigate long-term non-cyclical systemic or macroprudential risks not covered by CRR. Such systemic buffers may be imposed by local macroprudential authorities (not necessarily the supervisor) up to 3 percent upon prior notification to the EC, ESRB, EBA, and concerned countries. To set the buffer between 3 percent and 5 percent, the country needs to wait for the opinion of the EC before introducing the requirement. The buffer may be imposed on country-level exposures, or on all exposures, on all banks, or on subsets of banks. Also, Art. 458 of CRR allows the macroprudential authority of a MS (which is not necessary coincident with the banking supervisor) to enact stricter national measures; if it identifies changes in the intensity of macroprudential or systemic risk in the financial system with the potential to have serious negative consequences to the financial system and the real economy; in such a case, the macroprudential authority must notify the European parliament, the council, the commission, the ESRB, and EBA of that fact, and submit relevant quantitative or qualitative evidence (clause No. 2); after the notification, the council, acting by qualified majority on a proposal from the commission, can reject the draft national measures (unless they consist in increased risk weights on residential and commercial property sector or intrafinancial sector exposures): in particular, ESRB and EBA must provide their opinions to the commission within one month from notification and within one month after receiving ESRB and EBA’s opinion, the commission can propose to the council an implementing act to reject the draft national measures if it finds “robust, strong, and detailed evidence that the measure will have a negative impact on the internal market that outweighs the financial stability benefits resulting in a reduction of the macroprudential or systemic risk identified;” in the absence of a commission proposal within that period, the MS concerned may immediately adopt the draft national measures for a period of up to two years or until the macroprudential or systemic risk ceases to exist if that occurs sooner. Art. 87 of CRD requires supervisors to ensure that banks have policies and process in place for the identification, management, and monitoring of the risk of excessive leverage and that they address the risk of excessive leverage in a precautionary manner. Arts. 429–430 of CRR introduce a leverage ratio (compliant with the version of the leverage ratio (LR) standard known at the time of the drafting of CRR), but only as a reporting requirement (with obligation of disclosure from 1/1/2015). The PRA operates a stress testing regime under which the PRA requires banks to apply additional capital buffers. Under Pillar 2, the PRA assesses individual firms’ ability to continue to meet their minimum requirements under a severe, but plausible stress and sets additional capital buffers (to be renamed PRA buffers from January 2016) where the existing capital resources are deemed insufficient. Firms must hold this additional capital upfront and are able to use it if the stress materializes. The BoE has further enhanced its stress testing framework by adopting ‘CST of major firms and common scenarios of prescribed severity to explore system vulnerabilities. This information is intended to be used to inform the setting of a CCB for the entire system and the firm-specific PRA buffers. The 2015 stress test assesses a wider range of stresses including stresses in certain overseas markets, such as Asia, which are of critical importance to some of the U.K.’s largest banks. The largest U.K. banks and building societies are currently expected to meet a 3 percent Tier 1 leverage ratio (SS3/1395). On July 1, 2015 the FPC directed the PRA to implement a 3 percent Tier 1 minimum leverage ratio requirement for these firms in advance of the implementation dates under Basel III/CRR. The FPC’s leverage ratio framework also introduces two leverage ratio buffers, a countercyclical leverage ratio buffer to address systemic risks that vary over time, and a supplementary leverage ratio buffer to reduce systemic risks attributable to the distribution of risks within the financial system. The PRA intends to implement the framework from January 1, 2016. The FPC proposes to extend the minimum leverage ratio requirement to all PRA-regulated banks, building societies and investment firms from 2018, subject to a review in 2017 of progress on international leverage ratio standards. The FPC has been granted macroprudential powers to direct the PRA to introduce two different capital buffer tools to address emerging risks to financial stability.96 The CCB tool allows the FPC to change capital requirements above normal microprudential standards in relation to all loans and other exposures of banks to borrowers in the United Kingdom. The SCR tool is more targeted, allowing the FPC to change capital requirements above microprudential standards on exposures to specific sectors judged to pose a risk to the system as a whole. The FPC can adjust SCRs for banks’ exposures to three broad sectors (residential property, including mortgages; commercial property; and other parts of the financial sector), as well as more granular subsectors (for example, to mortgages with high loan-to-value or loan-to-income ratios at origination). The CCB and SCRs apply to all U.K. incorporated banks, building societies and large investment firms (such as large broker dealers). |
| EC 5 | The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:
|
| Description and findings re EC 5 |
At the time of the assessment, there were 18 banks in the U.K. with IRB approved models for credit risk (9 Advanced Internal Rating-Based approach for credit risk (AIRB), 5 foundation internal ratings-based approach for credit risk (FIRB), 4 retail only), 15 with IMA permission for market risk, 8 with IMM permission for counterparty credit risk, 2 with AMA permission for operational risk. a) Such assessments adhere to rigorous qualifying standards Credit risk All first-time notifications for IRB models are subject to a review by the risk specialists division. The PRA adopts a risk based approach to model reviews by applying a materiality based risk appetite to determine which models should be subject to detailed review. A full suite of documentation is required from firms in support of any such model change, covering development, validation, governance, and the firm’s own self-assessment against the CRR. For model subject to SRS review, a desktop review of firms’ documentation is undertaken, supplemented by onsite visits where necessary. The review follows a standard format that covers all material aspects of CRR compliance. The report and recommendation are challenged through a risk specialist-led Q&A process with mandatory contribution from supervision, policy, and other credit risk experts. Legal opinion is sought if necessary. The final decision is taken through the PRA decision-making framework. For model changes below the PRA’s risk appetite, and for models that do not change, the PRA has relied since 2013 on the firm’s own self-assessment against the CRR, the PRA’s SS, and annual attestation by a person in a SIF to the effect that the firm is materially compliant with the CRR or that a credible plan is in place for a timely return to compliance. Risk appetite is based on the category of firm, materiality of the relevant exposures, and the impact of the model change. This leads to a classification of the change as “material,” “intermediate” or “immaterial,” and review of model changes is prioritized according to this hierarchy. Immaterial changes are typically not subject to any review; intermediate changes are typically only subject to review after discussion with line supervision; material changes are always subject to review. The PRA observed that out of four IRB notifications of model changes that were considered intermediate, the risk specialists reviewed one and supported a supervisory-lead review of a second one (a request for reversion to standardized). The remaining two were not agreed, in agreement with the line supervisors, as pertaining to a firm that had recently undergone a thorough review of the most material models. However, this approach based on prioritization entails that a smaller bank could introduce significant model changes without being subject to a full review by the PRA, should the specialist division be too absorbed in other matters to provide the needed support: it all depends on the contingencies of the moment, does not provide the needed assurance about the robustness of internal models, and ultimately, does not guarantee that an adequate incentive structure is in place to avoid an opportunistic use of the possibility to adopt internal models. Beyond the individual firm reviews, the PRA periodically assesses compliance on a thematic basis where there are known or suspected weaknesses, for example through its wholesale LGD/EAD framework (see SS11/13).97 If necessary, the PRA will commission a SPR to review aspects of a firm’s rating system. The EBA Art. 78 RTS on benchmarking defines an annual comparison of key IRB/market risk and counterparty credit risk metrics across European banks. This benchmarking is expected to enable the PRA to identify outlying values that may be indicative of modeling weaknesses. The EBA is currently developing a RTS on the assessment methodology for IRB. This is expected to mandate a minimum level of oversight of firms’ IRB regimes by all EU competent authorities. The PRA intends to comply with this once it comes into force (expected 2016). Market and counterparty credit risk For traded risk internal models, the approval process is usually composed of a technical panel recommendation from SRS to supervision. Supervision takes the recommendation and its own views on the firms’ supervisory strategy to decision making committees. Banking policy and legal are consulted in the decision/recommendation. The risk specialists undertake desktop reviews and annual meetings with the banks. Normally, reviews take into account an understanding of the firms’ trading business models as well as the quality of their trading controls. The review takes into consideration most material aspects of compliance against CRR requirements for risk-management and risk measurement. The PRA monitors model performance through back-testing, capital trends, and internal risk-MI on a quarterly basis for 9 firms with the most material trading books. On an annual basis, the PRA holds CA meetings with these 9 firms. The PRA has a thematic agenda to investigate the level of standards of certain models. For, example, in the last two years the PRA has completed the following cross firm comparisons:
(For model change policy see above in this EC, under ‘Credit Risk’). Operational risk The qualifying standards for regulatory model(s) for operational risk––the AMA––are documented in the draft RTS required by CRR Art. 312.4(a). The RTS broadly follows historic FSA practices; however, there have been no recent applications for AMA permissions. Compliance with these standards is considered during periodic reviews and may be considered in response to notification of extensions of changes to the AMA. Evaluation of compliance with the relevant criteria is undertaken by supervision and operational risk specialists (SRS). To qualify for use of the Standardized Approach (TSA), institutions must meet the criteria set out in Art. 320, in addition to meeting the general risk-management standards set out in Arts. 74 and 85 of Directive 2013/36/EU. However, the PRA does not formally assess banks that use the TSA against the qualifying criteria specified in the Basel Accord paras. 660–663 and CRR Art. 320. Institutions shall notify the competent authorities prior to using the Standardized Approach. (For model change policy see above in this EC, under ‘Credit Risk’). b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor Credit risk Cessation of use is subject to PRA approval. Material modifications are subject to PRA approval to the extent that they are deemed material under RTS EBA/RTS/2013/06 on the conditions for assessing the materiality of extensions and changes of internal approaches when calculating own funds requirements for credit and operational risk in accordance with CRR. Market risk Cessation of use is subject to PRA approval. However, for market risk, the CRR does not have an explicit requirement preventing firms from reverting to standard rules, although in practice this would likely lead to increases in capital requirements so firms are unlikely to make this switch. Firms are expected to notify the PRA when switching to standard rules. The RTS on conditions for assessing IMA is under development and will define a materiality threshold that needs to be covered by internal models. The need to satisfy this threshold will effectively limit firms’ ability to move positions into standard rules. The PRA can detect a material switch to standard rules by banks by monitoring the COREP C 02.00 summary template, or the specific market risk templates i.e., C 18.00 to C 24.00. Counterparty credit risk Cessation of use is subject to PRA approval in accordance to CRR Art. 283.5. The PRA’s SS12/13 for counterparty credit risk defines the PRA’s expectations on IMM model changes and provides a definition of material model changes that require prior notification to the PRA before implementation. Operational risk Institutions will only be permitted to use a less sophisticated approach for regulatory capital computation with the express permission of the competent authority (CRR Art. 313.1) c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken Credit, market and counterparty credit, and operational risks The PRA has dedicated specialist resources for each of the risk types (credit risk, market and counterparty credit risk and operational risk). Where issues are identified, the PRA will either conduct in depth review work or ask the firm to validate their models using external consultants (through the PRA’s powers under S166 of FSMA). Should reviews highlight material concerns the PRA has the power to impose capital add-ons on firms or to revoke model permissions. d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so Credit risk The CRR provides that where certain conditions are met, the competent authority must permit institutions to use internal approaches (for example Art. 143 CRR). The PRA, as the competent authority must not add conditions. In other words, either the conditions are met, in which case the PRA must grant permission, or the conditions are not met, in which case the PRA must not grant permission. However, once the PRA has granted permission, it may use its power under S55M FSMA to impose requirements that relate to the permission. For example the PRA sometimes requires firms that have a model permission to report certain data. Market and counterparty risk Through S55M requirements the PRA can impose either reporting requirements or conditions that need to be met on an ongoing basis for firms to continue to use internal models for capital requirements calculations. These conditions typically require firms to monitor whether certain risks remain immaterial or require added mitigants to be imposed such as capital add-ons for risks not captured in VaR. Operational risk The competent authority can impose additional requirements where it is considered necessary (CRD IV Art. 101). e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval Credit risk CRD IV Art. 101.4 states that permission shall be revoked where a firm is unlikely to restore compliance within an appropriate deadline. To date, the PRA has not exercised this power. Market risk and counterparty credit risk The PRA has removed model approvals and imposed significant capital add-ons or multipliers on firms. The PRA removes permissions when the firm does not comply with CRR requirements and, based on the PRA’s judgment, the firm does not have a credible plan for the timely return to compliance. Capital add-ons are imposed when:
Operational risk The PRA has the power to revoke AMA permission or require a firm on the standardized approach to adopt the basic indicator approach (BIA). In practice, a remediation program will be put in place to assist the firm in meeting the required qualitative and quantitative standards within a time frame prescribed by the competent authority. |
| EC 6 | The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).98 The supervisor has the power to require banks:
|
| Description and findings re EC 6 | Art. 177 CRR requires IRB banks to have in place sound stress testing processes for use in the assessment of its capital adequacy; they must identify possible events or future changes in economic conditions that could have unfavorable effects on a bank’s credit exposures. Art. 296 CRR requires banks with approved IMM for counterparty credit risk to have a comprehensive stress testing program in place, including for use in assessment of its capital requirements for counterparty credit risk; it must identify possible events or future changes in economic conditions that could have unfavorable effects on a bank’s credit exposures. Art. 368 CRR requires banks with approved IMA for market risk to frequently conduct a rigorous program of stress testing, addressing a number of possible shocks. EBA guidelines on SREP require supervisors to regularly assess banks’ stress testing programs as part of the review of their ICAAP; in particular, they should:
EBA guidelines on SREP also recommend supervisors to take into account the outcomes of the stress tests and consider whether and which measures (possibly including capital add-ons) are necessary to address any breaches of the requirements Pillar 1+Pillar2) or any other relevant target ratio set by competent authorities for system-wide stress tests. In any case, the supervisor should require a bank to submit a credible capital plan, ensuring that it is able to meet its total capital ratio or any other relevant target ratio set by competent authorities for system-wide stress tests over the assumed time horizon. The SREP guidelines (paras. 359 and 360) recommend supervisors establish and maintain a routine and rigorous program of stress testing and take prompt steps to manage the specific vulnerabilities highlighted by the stress tests. Major U.K. firms are subject to CST. This stress testing assessment is done simultaneously using a common scenario and its outputs are used to assess system as well as individual firms’ vulnerabilities. It is also used as an input for setting additional capital buffers for the participating firms. For smaller U.K. banks, the PRA uses an inhouse model to benchmark firms’ stress-testing of their own mortgage books which are typically (although not always) the largest component of their balance sheets. If the results are found to be materially lower than the PRA’s without good reason, the PRA would use its own numbers to derive the capital buffer. For all banks, as part of their ICAAP, firms are expected to assess their ability to continue to meet capital requirements under a severe stress. This is a forward looking view over 3–5 years. As part of the SREP, the PRA reviews firms’ assessments and can set an additional capital buffer where existing capital resources are deemed insufficient. The PRA routinely adds capital buffers to the extent that these stress tests show capital depletion in the event of the stress. On a regular basis the PRA issues a scenario that provides an indication of the level of severity to which it expects firms to stress their corporate plan. Where directly relevant to a firm, the PRA would expect firms to run this scenario as part of their regular stress testing, in addition to other scenarios selected by the firm. Where not directly relevant, the PRA expects firms to use the scenario to calibrate the severity of at least one scenario to test their corporate plan. The PRA has broad powers to require individual firms to take specified action [under Section 55M of FSMA] and to make generally applicable rules [under S137G of FSMA] which can be and have been used to require banks to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. For example, as part of the capital shortfall exercise in 2013 of the eight U.K. major banks and building societies the PRA required three firms to submit plans for additional actions to strengthen their capital position and the PRA has made generally applicable rules requiring firms to draw up and maintain recovery plans providing for measures to be taken by the firm to restore its financial position following a significant deterioration of its financial situation. The PRA also notifies firms of an amount of capital they should hold as a PRA buffer over and above their minimum requirements and CRD4 buffers. The PRA buffer is based on a firm—specific supervisory assessment taking in account the risks revealed by stress testing. The PRA’s methodology for setting the PRA buffer reflects a firm’s systemic importance. The PRA has a published policy on the consequences for firms of using the PRA Buffer—. In summary—the PRA expects that where a firm has a PRA buffer in place, it should only use that buffer to absorb losses or meet increased capital requirements if certain adverse events materialize. A firm which does not meet its PRA buffer is subject to enhanced supervisory action and expected to prepare a capital restoration plan. If the PRA is not satisfied with the plan or the firm’s reasons for using the buffer it may consider using its powers under S55M of FSMA to require the firm to raise sufficient capital to meet the buffer within an appropriate timeframe. This may include imposing restrictions on distributions or requiring firms to use net profits to strengthen their capital position. For the purposes of the CSTs of the major U.K. banks and building societies the BoE publishes a hurdle rate framework including a strong presumption of action if in the stress a bank falls below key thresholds. Buffers for systemically important banks will be included in the hurdle rate framework but the supervisory response will be less intensive than if the firm was projected to breach minimum capital requirements. One of the participating firms in 2014 was required to submit a revised capital plan which was accepted by the PRA. |
| AC1 | For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application, and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks. |
| Description and findings re AC1 | CRD and CRR apply to all credit institutions (i.e., deposit-takers) and investment firms in the EU, irrespective of their size or intensity of international activity. The PRA applies capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application, and the capital required, in the same way to noninternationally active banks as to internationally active banks. U.K. credit unions are exempt from the European CRD and are supervised in accordance with the rules set out in the PRA’s specialist sourcebook, whose key features prescribe simple capital and liquidity regimes, lending limits, share limits, and provisioning. Their regulatory capital includes audited reserves, interim net profits, shares, subordinated debt (subject to certain conditions) and revaluation reserves (again subject to certain conditions and not exceeding 25 percent of the total capital). For the majority of credit unions, only the audited reserves and interim profits are relevant. Capital requirements are based on a simple capital/assets (i.e., leverage) ratio, without the overlay of risk weighting. |
| AC2 | The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.99 |
| Description and findings re AC2 | CRD and CRR are applied both on a standalone and consolidated basis, with few exceptions (Art. 7 CRR) that are anyway subject to conditions aimed at ensuring an adequate distribution of capital between parent and subsidiary/ies. Art. 73 CRD, in requiring banks to have in place sound, effective, and comprehensive strategies and processes to assess and maintain on an ongoing basis the adequacy of internal capital (with respect to the nature and level of risks), explicitly refers to the amount, type and distribution of such internal capital. As well as applying CRD and CRR on a standalone and consolidated basis (with some exceptions subject to strict criteria), the PRA exercises the discretion in Art. 49(2) of the CRR to deduct from own funds, on a standalone basis, significant investments in financial entities included in the consolidated group. The purpose of this deduction is to help ensure that adequate capital is located in all regulated entities within the group. If the deduction were not made, this could lead to capital being inappropriately allocated within the group. The main exception to supervising on a standalone basis is under Art. 9 of the CRR. Under this article, the PRA may waive standalone requirements on a case-by-case basis to incorporate in the solo capital adequacy calculation certain subsidiaries subject to strict criteria. Referred to as “solo consolidation.” One of the main conditions for allowing solo consolidation is that there is no current or foreseen material practical or legal impediment to the prompt transfer of own funds or repayment of liabilities between the subsidiary and the parent. Around 40 banks have been granted the permission to use this form of consolidation. The PRA does not use the more general derogation in Art. 7 of the CRR to waive supervision on a standalone basis. |
| Assessment of Principle 16 | Largely Compliant |
| Comments | The CRD and CRR implement the Basel capital standards in the EU. The CRR and CRD are complemented by EBA RTS on own funds. The legislation transposing the Basel capital framework in the EU has been assessed by the Basel committee as materially noncompliant RCAP—assessment of Basel III Regulations—EU (December 2014), particularly as a consequence of relevant misalignments in the IRB approach for credit risk and in the counterparty credit risk framework with respect to the Basel standard. The assessors had access to some of the results, for the U.K. banks, of the EU RCAP exercise and found that certain sources of divergence with the Basel framework can be considered as having limited materiality (within 10 bps of CET1 capital ratio overestimation) and for others there is no impact, as the noncompliant treatment of the EU framework does not apply to any internationally active U.K. bank. On the other hand, the broader range of counterparts exempted from the CVA requirement under CRR—as opposed to Basle—determines an impact on CET1 capital ratios significantly larger than 10 bps in all cases. However, in exercising its options with respect to the so-called ‘national discretions’ offered by the CRR, the U.K. authorities have tended to adopt the more conservative ones; which, to a certain extent, are likely to partially compensate—though not in a precisely quantifiable way—for the increase in apparent capital ratios determined by the abovementioned source of divergence. Moreover, the PRA required institutions to apply all filters and deductions from CET1 in full from January 1, 2014, i.e., reaching the end point definition of CET1 as soon as permitted under the CRR. The discretion to phase in certain requirements more slowly has not been exercised. These include the full deduction of deferred tax assets that rely on future profitability and arise from temporary differences (DTAs) (Rule 10.7 in PRA Rulebook Part Definition of Capital) as well as equity holdings in insurance undertakings, reinsurance undertakings, and insurance holding companies (Rule 10.8 in PRA Rulebook part definition of capital), from CET1 subject to a threshold amount. As a consequence of this choice, which represents an element of ‘super-equivalence’ with respect to the Basel framework during the transitional period, the PRA estimated that the average CET1 ratio for the largest four U.K. banks in 2015 would be almost 2 percent lower under the U.K. implementation, compared with the minimum transitional path allowed under the CRR. The figures analyzed by the assessors tend to suggest that this understatement of the CET1 capital ratios might compensate the net overstatement of capital ratios determined by the abovementioned divergences between the CRR and the Basel framework. However, the figures come from separate calculations that were disclosed to assessors in the form of final results and refer to different samples (four vs. five largest banks); also, any compensation effect stemming from the choice of adopting an end point definition of CET1 will progressively contract, down to full disappearance, as the end of the transitional period approaches. Overall, the assessors could not ensure a degree of comfort sufficient to reach a definitive conclusion about the net impact of these two effects, but, given the inherent uncertainties, they deem it appropriate to adopt a conservative approach, by not considering the capital adequacy regime resulting from the U.K. implementation of the EU capital framework as fully compliant. The deviations of the EU framework from the Basel standard give rise to deficiencies in Pillar 2 requirements that should be compensated by specific Pillar 2 add-ons. While this is the approach generally followed by the U.K. authorities, in order to address the lower capital requirements stemming from noncompliance with the Basel rules for CVA capital charges, the U.K. authorities are waiting for indications from the EBA Guidelines on the treatment of CVA risk under SREP, in consultation at the time of the assessment. As regards the review of banks’ internal model (for credit, market, operational, and counterparty credit risk), the assessors, while understanding the PRA need to better prioritize the use of its scarce specialist resources, found the PRA internal policy around the review of banks’ internal model not entirely reassuring in terms of the control the supervisor maintains on the robustness of models and on the absence of opportunistic behaviors on the side of the banks; assurance that would require a more intense degree of scrutiny than warranted by the policy, given the well known and documented tendency of banks (all over the world) to ease up once the initial permission is granted. The model change policy seems to be the reflection of a more general phenomenon inside the PRA. The line supervisors recognize that the adoption of internal models is an effective way of raising the bar of risk-management in the banks and to gain a better insight into risk-management practices; the PRA is beginning to see increasing demand for IRB permissions, particularly from mid-size and small banks (the largest ones being already authorized). This may result in additional demand for specialist resources. The specialist resources needed to perform the job are increasingly under pressure and unable to deal with these concurrent requests.100 Clear signs of difficulty in addressing this situation emerge: the assessors found, for example, evidence of a specialist team reducing the scope of examination of an internal model due to insufficient time available to review in full the documentation submitted by the applicant. The assessors reviewed also internal documents showing an ongoing debate within the PRA, with the quest for solutions able to reduce the pressure on skilled resources, but at the risk of a diminished assurance about the robustness of the models, such as the abovementioned model change policy; or the exploration of impervious alternatives, like external validation, which would entail the lack of any meaningful degree of analysis by the PRA and could represent an outsourcing of its prudential responsibilities to third parties (in violation, inter alia, of CP 9–EC 11). Given the high number of U.K. and international banks with approved internal models and considering the centrality of high levels of capitalization in the supervisory approach of the PRA (capitalization that can only be as good as the RWA against which it is measured), assuring that banks’ models maintain a high degree of robustness and are not used opportunistically should represent, in the opinion of the assessors, an absolute priority for the PRA. At the same time, the assessors recognize the existence of a constraint and of an inherent trade-off, and, in this regard, offer some further considerations. It must be noted that the engagement of supervisors, specialists and financial stability experts with the banks in occasion of the CSTs seems to have the advantage of raising the standards of banks’ risk-management more effectively than the usual model reviews, as the same bank managers met by the assessors confirmed. Probably this is also the result of a better incentive structure, as the stress test exercise imposes on banks a recurrent yearly challenge (that of avoiding to present a capital plan, in case of breaching the hurdle), while in the ‘usual’ pattern of internal model approval the incentive for banks to meet the supervisor’s expectations drops dramatically once the permission is granted. Hence the CST could represent, in terms of impact on the robustness of the banks’ internal models, an interesting complement—or even alternative—to an intense program of model reviews; on the other hand this would not probably address the resource constraint, as the absorption of skilled resources for the CST is unlikely to be less significant than for model reviews (especially if the adoption of internal models expands towards a wider population of banks, as the line supervisor would like). Other tools that the authorities may want to take into consideration to improve the robustness of banks’ internal models are the hypothetical portfolio exercises (HPE), which they already plan to run jointly with the EBA, but could also run independently in the interim periods (allowing for a better tailoring of the exercise to the U.K. market); and a benchmarking exercise (e.g., in the case of IRB, cross comparison of banks’ parameters on a portfolio of ‘real,’ common obligors), based on a regular collection of exposures and parameters from all the banks with approved models. |
| Principle 17 | Credit risk.101 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk102 (including counterparty credit risk)103 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. |
| Description and findings re EC 1 | The CRD establishes general requirements for risk-management and the risk-management function (Art. 76) and requires banks to have internal methodologies that enable them to assess the credit risk of exposures to individual obligors and also at portfolio level (Art. 79). In the U.K. the two articles are transposed into the risk control and internal capital adequacy assessment (ICAA) sections of the PRA Rulebook, respectively. EBA guidelines on SREP (which will apply from January 2016) set the supervisor’s expectations with respect to a bank internal credit risk processes; in particular:
The PRA and the FCA have both committed to comply with the guidelines.104 The PRA Rulebook requires that all material risks be identified, measured and properly reported, including credit, counterparty credit risk and associated potential future exposure, including where relevant, on a consolidated basis. The document ‘The PRA’s approach to banking supervision’ sets the PRA’s expectations with respect to risk-management in general (see CP 15). While there is no legal or supervisory documents stating in detail the supervisors’ expectations on credit risk-management for the generality of credit institutions, more detailed indications are provided to specific types of banks:
Also, the PRA’s SS 11/13 and SS 12/12 set out the PRA’s expectations on IRB approaches and counterparty credit risk, respectively; however they revolve mostly around the conditions for internal model approval, and so only tangentially concern the supervisory expectation listed in this EC. The PRA’s general supervisory approach of CA is delivered through supervisors maintaining an up-to-date view of the firms’ credit risk-management practices. This is supported by a rolling program of supervisory assurance work, consisting of both core and discretionary elements. The core elements are carried out regardless of a supervisor’s view of the idiosyncratic risks of the firm. The focus and quantity of discretionary elements are determined by the findings from core work, idiosyncratic risks, and business type. The CA work program for each firm is agreed annually at the firm’s periodic PSM, subject to any changes made in the interim review. This work program is rolled out through the annual cycle supported by inhouse credit risk specialist resources to assess the standards of credit risk-management practices of a firm and its adherence to regulatory expectations regarding risk-management and controls. Credit risk specialists also undertake targeted technical risk reviews, AQRS, and thematic reviews based on a firm’s risk appetite and systemic importance in combination with the market and macroeconomic conditions. This approach varies depending on the size of the bank, with specialist resources focused primarily towards Category 1 firms, conducting asset quality and other reviews at smaller banks (Category 2–4), based on the key risks of the firms and subject to resource availability. The assessors reviewed a number of documents prepared by the credit risk specialist in the SRS division, addressing a number of aspects of Category 1 banks’ credit risk management, including: underwriting standards; credit risk-management and control; adequacy of asset classification; consistency of credit growth strategy with external market conditions, internal risk appetite and risk control framework; valuation; monitoring. |
| EC 2 | The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,105 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. |
| Description and findings re EC 2 | EBA guidelines on SREP require the supervisors to verify that the management body approves the policies for managing, measuring and controlling credit risk and discusses and reviews them regularly, in line with risk strategies (para. 182). As part of the PRA’s approach to CA, supervisors regularly hold meetings with Board members, NEDs and senior management to ensure, amongst other things, that the firm implements the Board approved credit risk strategy. This includes assessing how well the Board set, monitor and control risk appetite; how effectively powers are delegated to the senior management; and what level of oversight exists. Such reviews provide comfort that senior management implements the credit risk strategy approved by the Board and develops the appropriate policies and processes. At a more detailed level, supervisors and credit risk specialists also undertake targeted reviews at selected firms based on their key risks, to ensure that the credit risk (including counterparty credit risk and associated potential future exposure) management strategy, policies, processes and controls at each firm are approved at an appropriate level and that they are consistent with the stated risk appetite. This is carried out in a variety of ways, both on and off site, including reviewing policy papers, review of assurance work from the firm’s Internal Audit, Board minutes, and MI presented to the Board and senior management. These are assessed to ensure they fully capture the actual level of credit risk the firm is exposed to, and that they are presented to senior management and the Board in a timely manner. The assessors found evidence of work conducted by the supervisors on the control of credit risk by senior management. Issues can be escalated to the attention of the banks’ Boards, if needed, as an outcome of annual PSMs or—if anything material surfaces in the interim period between PSMs—also by sending ad-hoc letters. In the case of building societies, SS20/15 specifically requires Boards to set and review lending policies, with material changes to such policies to be notified to supervisors ahead of implementation. Compliance with these policies was the subject of a PRA-mandated review by societies’ own internal audit functions in 2014, which found a number of deficiencies in the way in which the building societies had taken account of the PRA’s expectations as set out in the SS20/15, in particular in setting and monitoring risk appetite limits. The individual outcomes were discussed with the relevant societies, and remediation plans agreed where necessary. The results of the review were fed back to all building societies, and will be taken into account in the current review of the sourcebook. At the PRA’s request, a similar exercise was conducted on smaller U.K. banks, again via the banks’ internal audit functions, focusing on lending outside of policy. In this case the benchmark, absent a common sourcebook, was represented by their own lending policies. Similar work was carried out on compliance of smaller U.K. banks with their own lending policies, again undertaken by these banks’ internal audit functions at the PRA’s request, focusing on lending outside of policy. The assessors were provided examples of some targeted reviews; in particular:
|
| EC 3 | The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:
|
| Description and findings re EC 3 | A number of requirements on policies and processes for credit risk managements are present in the EU legislation and in EBA guidance (the latter taking effect from January 2015):
The PRA conveys its expectations on banks’ policies and processes for credit risk-management through dialogue with firms and feedback following SREP and other supervisory assessments. In addition, key figures from the PRA make speeches from time to time which are published on the PRA website and may contribute to convey the PRA’s stance on a particular issue. While topics such as IT systems, exception management and escalation may not be explicitly specified in the PRA Rulebook or other sources, the PRA considers them core to risk-management and as such to be assessed in order for the PRA to carry out its supervisory duties as set out in its approach to supervision and elsewhere. Assessment by the PRA of whether a firm has appropriate policies and processes and a properly controlled credit risk and counterparty credit risk environment is carried out on a risk-assessed basis through the PRA’s CA—see EC 1. The process includes an assessment of all the credit risk and counterparty credit risk-management issues as highlighted above and will focus on the key issues affecting each firm. For Category 1 and 2 firms, the PRA supervision approach includes regular interviews with the firm’s executive and NEDs and senior management. For credit risk and counterparty credit risk assessment in particular, this would include meetings with chief credit officers and chief risk officers as appropriate. Any material issues in respect of credit risk and counterparty credit risk arising from the CA process is investigated further by the PRA’s credit risk and traded risk specialists in the SRS directorate covering credit risk measurement, corporate, and financial institution credit risk, retail credit risk, structured finance credit risk and counterparty credit risk. The PRA can also appoint independent experts to supplement inhouse resource under FSMA S166. Technical risk reviews and thematic reviews of this nature also cover more detailed analysis of a firm’s processes around governance, risk appetite, credit risk, and concentration policies and how they are implemented. The reviews also cover monitoring, control, and mitigation of exposures, risk grading systems, collateral management, MI systems and reports, exceptions, identification and curing of problem assets, setting provisions, and taking impairment write-offs. The PRA also has a program of semiannual reviews, including onsite visits, of counterparty credit risk-management and measurement practices for firms with material trading books. It also draws on specialist credit risk modeling resource to review IRB capital models and models in general use in the business, such as loan affordability provisioning models. The PRA’s regular stress testing programs covering very high impact firms and building societies also address this criterion (see EC 8 below). For Category 2–4 banks and building societies, a similar review process is undertaken, but credit specialist resources are less readily available and thus review cases are prioritized on the basis of revealed risks from regulatory reporting and other supervisory activities. Local credit specialist are used for policy and file reviews, supplemented by work commissioned from the firm’s internal auditors or via appointment of “skilled persons” under S166 of FSMA. Building societies are expected to take account of supervisory expectations set out in SS 20/15 (see EC 1). Changes of policy or diversification into new areas of lending are subject to particular scrutiny to confirm that appropriate expertise and risk-management are in place. The assessors found evidence of work done—mainly offsite, but also onsite and sometimes via external experts’ review—at banks of different categories on a number of various aspects of credit risk management, such as:
|
| EC 4 | The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. |
| Description and findings re EC 4 | The EBA guidelines on SREP require the supervisors to assess the risk-management of FX lending risk, measurement and control frameworks, policies and procedures and whether the bank periodically reviews the hedging status of borrowers (para. 159.b). For Category 2–4 banks, the PRA’s approach is to review the competence and independence of the control functions, including risk management. This will include, where applicable, reviews of the second and third lines of defense in terms of an effective risk-management framework. In addition, the PRA has also undertaken thematic work to look at controls for smaller banks. For example, a review was recently undertaken of lending outside of policy at smaller banks in the U.K., with results being fed back to the industry in aggregate and to individuals firms where required. For building societies, SS 20/15 states that building societies’ should address and consider within their lending policies “information required to assess the extent of the investor-borrower’s broader exposure to the buy-to-let sector (e.g., the total number of properties in a portfolio and whether encumbered or unencumbered).” There are no specific supervisory expectations in place on monitoring FX lending risk (for banks possibly exposed to such risk). Foreign currency lending represents a small proportion of total lending for the U.K. The PRA observes that in 2011 the ESRB agreed that the U.K. was one of 12 EU MSs which sufficiently explained a lack of specific action in respect of their recommendations on foreign currency exposure, on the basis of the U.K.s low levels of foreign currency lending. The share of FX lending with respect to U.K. banks’ total assets was around 11 percent at that time and has not significantly moved from that level, according to an elaboration provided by the supervisor. PRA supervisors gain an understanding of a firms’ approach to credit assessment and the appropriateness of policies and procedures in relation to credit assessments through discussions with senior management and review of firm’s MI. Factors such as total indebtedness and foreign exchange risk of entities to which they extend credit risk are considered in this process. The application of wider credit risk policies is assessed through reviews of firms’ risk credit risk-management policies, procedures, and controls. The assessors found evidence of credit risk-management reviews at banks focusing, inter alia, on the total indebtedness of customers. |
| EC 5 | The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. |
| Description and findings re EC 5 | There is not a specific and explicit requirement that banks should make credit decisions free from conflicts of interest and on an arms-length basis, although Rule 3.2 in the ‘skills, knowledge and experience’ part of the PRA Rulebook requires senior personnel of a firm to define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest. Also, it does require that competent and, where appropriate, independent control functions oversee the risk-management framework. Also, the EBA guidelines on SREP require the supervisors to assess whether the bank demonstrates to have in place policies to identify and avoid conflicts of interest (para. 85). In practice, supervisors assess a firm’s governance framework and credit risk controls. This includes an evaluation of how the firm manages conflicts of interest to ensure that credit decisions are made on an arm’s length basis. Supervisors examine the independence of the risk function and its effectiveness via CA and other credit reviews to gain further insights. The assessors found evidence of supervisory examinations of these aspects. Forthcoming legislative and regulatory changes around structural reform will introduce additional governance arrangements reinforcing the independence of ring-fenced banks, including the credit decisioning framework. |
| EC 6 | The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. |
| Description and findings re EC 6 | The PRA has not explicitly articulated the requirement for a bank’s credit policy to prescribe that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital be decided by the bank’s Board or senior management. However, the PRA approach document sets a general expectation that key decisions, both on assuming new risks and managing existing ones, be taken at the appropriate level, including at the level of the Board where they are sufficiently important. As part of its CA processes, the PRA will assess, as appropriate, whether limits have been established for credit (including counterparty credit risk) exposures, including single name and sector limits, and that approval processes are clearly defined. The PRA will also assess whether materially large and/or high risk exposures have to be approved by senior management, and are reported to, and regularly reviewed by the Board. In carrying out AQR of corporate exposures, the PRA’s credit risk specialists review individual loans and amongst other checks, ensure that each loan has been approved at the appropriate level. The PRA’s credit risk specialists, together with the BoE’s Financial Stability Directorate, also carried out a review of commercial real estate and leveraged finance underwriting practices, which included a review of loans made outside policy to ensure that they were appropriately authorized (see EC 3). |
| EC 7 | The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. |
| Description and findings re EC 7 | Art. 4 of CRD requires MSs to ensure that supervisory authorities are able to obtain the information needed to assess the compliance of banks and banking groups with the requirements of the Directive and of the CRR (para. 3), that banks and banking groups provide the supervisory authorities with such information (para. 5) and register all their transactions and document systems and processes in such a manner that supervisors are able to check their compliance (para. 6). Under the FSMA, the PRA has the power to request all information maintained by a firm, certain third-party providers and its employees which is necessary to carry out its functions. The PRA’s Rulebook also specifies what level of information, at a minimum, a firm should maintain in the course of running and managing its business. |
| EC 8 | The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. |
| Description and findings re EC 8 | All U.K. banks are required to test their credit exposures under a stress scenario as part of the ICAAP. For smaller firms, ICAAPs are reviewed by the PRA proportionate to the materiality of the firm; they are required to consider, for their own stress test exercises, the scenarios adopted by the FPC for the CST (see below). Their internal stress-testing framework is reviewed and, where relevant, the stress-test results are compared with the outcome obtained from a PRA-developed model (on residential mortgages), in order to challenge loss projections and to calibrate capital buffers. The PRA undertakes regular CST of the largest U.K. banks (currently the largest seven). The stress testing program aims at obtaining an estimate of the potential losses and capital and liquidity requirements that could arise under a number of stress scenarios determined by the FPC and the PRA Board. The PRA’s credit risk specialists, traded risk specialists and the BoE’s financial stability team jointly challenge firms’ loss projections under the stress scenarios using a suite of models, as well as quantitative and qualitative assessment of firms’ results. Adjustments to the firms’ own forecasts can be made if the BoE believes the firm to have been overly optimistic or pessimistic in the likely impact of the stress scenario on individual portfolio or asset class exposures. If the cumulative results of the stress tests demonstrate that the firm is under-capitalized in the event of such a scenario occurring, the PRA may, as part of its broader capital assessment, take a number of actions, including requesting the firm to increase its capital resources. Information gathered as part of a stress test on the quality of assets and likely performance under stress also contributes towards the CA supervision process of firms, providing evidence to support the challenge of current business strategies, risks management practices and governance where there are perceived weaknesses. |
| Assessment of Principle 17 | Largely Compliant |
| Comment | Credit risk was one of the most critical areas in the assessment of the previous FSAP mission: at that time the mission observed and acknowledged first solid signs of an improvement in the supervisory process on credit risk, but moving from a very dissatisfactory situation, by many considered a concurrent cause of the problems that triggered a number of bank failures. While recognizing this initial progress, it also highlighted the need for a much more proactive, extensive detailed work, including transaction testing. It recommended the development of a strategy for “materially enhanced in-depth review of credit risk,” to be resourced adequately and executed immediately. The situation, five years later, has definitely improved: the PRA has introduced a program of AQRs that represents a definite step forward in terms of scrutiny and intrusiveness, even though in the assessors’ view its use could be further extended (see also CP 18); the skill set of the specialist unit allows to cover a wide range of asset classes (e.g., from SME loans in Asia to leveraged loans in the U.S.); the supervision on individual firms is increasingly supported by cross-firm and thematic reviews. As observed elsewhere (CP 15), these developments concern mainly the largest firms (Category 1 and, to a lesser extent, Category 2). On the other hand, unlike for other risk areas (e.g., liquidity), the PRA expectations with respect to banks’ credit risk-management are quite general and scarcely articulated. Frequently the EBA SREP guidelines are clearer and more detailed than the PRA Rulebook or SSs as regards the supervisory expectations on banks’ credit risk management; however the guidelines were not in force at the time of the assessment, they are not binding (unlike EBA’s technical standards, once endorsed by the EC) and the PRA has only committed to comply, which does not give the required degree of comfort with respect to the PRA’s full compliance with this principle. The following are the main requirements in this principle that are lacking in the PRA’s guidance:
The lack of explicit supervisory expectations on how banks should manage their credit risk can be less of a problem with the largest banks, which through its ‘CA’ approach the PRA engages regularly with and to which it can then more easily convey its expectations in a direct way. But it entails a much less clear supervisory guidance for medium-small banks (with the possible exception of building societies): these are the kind of institutions that structurally lack a sufficiently wide range of diversification opportunity and easily tend to converge on the same business of the moment, competing in the same markets and eventually heading towards a creeping relaxation of underwriting standards. The supervisor could strengthen its oversight of banks’ credit risk-management framework also by enhancing its access to loan level data on a regular, periodic basis. The PRA already receives loan level data through the Mortgage Product Sales Data report, managed by the FCA: it provides information of ‘positive’ nature (like loan size, loan characteristics, borrower characteristics, etc.) and, since 2015, also of ‘negative’ nature (like credit impairment) for all the loans in the database. However it does not cover other asset classes and has only just started to accumulate information on default. The availability of credit data could be enhanced through access to databases like those managed by the credit reference agencies, in order to obtain a more exhaustive coverage (at least for the household lending sector) and a deeper credit history. This would enhance the supervisor’s ability to monitor and interpret credit trends across the industry and to develop techniques for a more detailed offsite analysis of loan portfolios’ performance, leading to more efficient monitoring of credit conditions and of banks’ asset quality. |
| Principle 18 | Problem assets, provisions, and reserves.106 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.107 |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. |
| Description and findings re EC 1 | The EBA Guidelines for common procedures and methodologies for the SREP set the expectation that NCAs assess whether banks have a sound, clearly formulated and documented credit risk strategy, approved by the management body, which covers, inter alia, the management of NPLs (para. 180); whether they have an appropriate organizational framework to enable effective credit risk management, measurement and control (para. 181); whether they have appropriate policies for the identification, management, measurement and control of credit risk, including criteria for loan classification, forbearance, restructuring, and management of NPLs (para. 182). Accounting standards applicable in the U.K. require banks (and other preparers) regularly to assess whether loans and other assets valued at amortized cost have become impaired, and if so to raise an appropriate provision. This means that banks must have systems in place to identify and review problem assets, the associated level of provisions, and whether an impaired loan should be written off. An ‘incurred loss’ accounting approach to loan losses is currently found in both IFRS (IAS 39) and U.K. GAAP (FRS 102). A loan is impaired if a ‘loss event’ has taken place which means that the full contractual cash flows are no longer expected to be collected. The provision is the difference between the contractual cash flows and the best estimate of those expected following a loss event, both discounted by the original effective interest rate of the loan. Write-offs are determined by banks’ own policies and generally take place when there is no reasonable prospect of further cash flows being collected. The PRA does not provide specific supplementary guidance to banks’ on the regular review of their problem assets (at individual and portfolio level) and of their asset classification, provisioning and write-off. The approach to problem assets, like credit risk in general (see EC 17), is based on the idea that, in the first place, problem asset management is the banks’ Boards and senior management responsibility; and, in the second place, it’s the external auditors’ role to form an opinion on whether a bank’s financial statements, taken as a whole (thus including asset classification and provisioning), represent a true and fair view. The PRA relies on its frequent interaction with banks’ external auditors as a fundamental source of information on the adequacy of banks’ practices in this area; this is complemented by further evidence collected through the analysis of ‘MI packs’ and, in selected cases (and mainly for the larger banks), also as a result of AQRs. Specifically: For Category 1 firms that are headquartered in the U.K.: As part of the CA framework the PRA discusses the existing troubled assets, the book as a whole, and the risks it faces (such as emerging problem assets/portfolios), including with the Chair of the Board risk committee, the CRO, regional CROs, and also front office. It also addresses the processes, procedures, and MI they have in place and its efficacy. The MI contains, amongst other things, data on the performance of the book, emerging trends, profiles and nature. Analyzes are performed on data, regulatory returns, and trends (such as LE build up to sectors or regions and the analytics) to develop evidence that the firms’ processes are adequate. The PRA also meets with the auditors a number of times in the year to discuss (amongst other things) provisions and troubled assets etc. It receives the audit reports that relate to the provision assessment and use this to frame the agenda and to challenge the banks where necessary; the accounting specialists support supervisors in asking questions about provisioning levels and the audit thereof. The focus of the more specific reviews of asset quality carried out by supervisors themselves can vary. Nevertheless, they invariably focus on an assessment of the firm’s grading systems, how it values and manages collateral, its processes around identifying emerging risks and the handling of troubled assets (for example, the speed with which they are classified as NPLs), defaulted assets, forbearance and the appropriateness of any impairment provision raised. If deficiencies are found, these can be addressed by asking the firm to perform remedial work on their framework. If the PRA deems an additional provision necessary, it can impose “extra” provisions through starting point adjustments in the base case of stress testing; or, alternatively, factor it into the P2A assessment. In addition, seven Category 1 firms headquartered in the U.K. are subject to the CST. This program assesses the balance sheets of the firms, including how they perform in a hypothetical adverse scenario. As part of the Pillar 2 framework, the PRA can set additional capital requirements based upon either a reflection of their balance sheet i.e., concentrations in high risk sectors/countries/products, etc., or underlying deficiencies in their risk-management, i.e., inappropriate collateral valuations, overly benign credit grades, etc. For branches and subsidiaries of overseas headquartered banks: The work performed on asset quality by the supervisors of the International Banking Directorate is similar to the work described above, except that they do not use the PRA’s credit risk specialists for AQRs. For smaller banks, building societies: All but one of the U.K. building societies and all U.K. smaller banks with significant mortgage portfolios are required to submit twice a year detailed loan book data that provide a detailed analysis of a firm’s loan book by product, indexed LTV, arrears and provisions (the latter two against each product’s LTV band). This loan book data allows to see whether a firm is going up the risk curve in terms of higher LTV lending or higher risk products as well us whether arrears are increasing (and, if so, in respect of which products and LTV bands); the data contain also information on additional provisions. This information is used as a background for discussions/challenge about provisions and their adequacy with the bank and also with their external auditors (whom the PRA meets or speak to at least once a year). Asset quality discussions with smaller firms (Category 3 and Category 4) will tend to take place when the analysis suggests changes in the relationship between asset quality and provisioning levels, although provisioning will typically be covered in every annual meeting/call with the firm’s external auditors. All U.K. building societies and most U.K. smaller banks are audited by a Big Four audit firm and the PRA meets with each of these audit firms once a year to discuss issues around these banks, including the auditors’ assessment of their approaches to provisioning. More generally, discussions about banks’ approach to lending and managing arrears—informed by loan book data and the firms’ lending policy statements as well as by the Board MI––will take place at almost every visit to the firm. For credit unions: Credit unions are all required—by PRA rule—to make prescribed minimum provisions: 35 percent of balances for loans in arrears by 3–12 months and 100 percent of balances for loans in arrears by 12 months or more. The 23 Category 4 credit unions are visited by the supervisory team once a year and at those meetings lending will always be discussed. Those discussions will often be informed by Board MI and strategy documents requested and reviewed prior to the visit. |
| EC 2 | The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes |
| Description and findings re EC 2 | The document ‘The PRA’s approach to banking supervision’ states the supervisor’s expectation that banks ensure that assets and liabilities are appropriately valued and that provisions are adequate. However there is no specific supervisory guidance in place with respect to banks’ policies and processes for identifying and managing problem assets. Supervisors review banks’ problem assets, individually and on a portfolio basis, as well as asset classification, provisioning and write-offs through the CA meetings and by reviewing regular MI. In its routine supervision, the PRA relies significantly on external auditors to assess the appropriateness of provisioning systems and the levels of loan loss allowances. Partly for that reason, the PRA attaches considerable importance to the dialogue between auditors and supervisors. The arrangements for this are set out in a formal Code of Practice:. Supervisors are required to meet with external auditors of all high impact or U.K. headquartered banks at least annually, and more frequently for larger firms. The auditor’s assessment of the bank’s provisioning policies is a typical item on the agenda for those meetings and helps to inform supervisory judgment on problem assets. As a part of this dialogue, the PRA presented to auditors of large banks in 2014 on detailed areas of regulatory focus in loan loss provisioning. In August 2015, the PRA sent a list of questions to auditors around their assessment of bank’s provisioning practices, requesting written responses. (see also CPs 26 and 27). Other tools that supervisors use are AQRs and thematic reviews, which review a number of firms to provide peer comparisons. These reviews can be conducted by supervisory staff or by expert third parties (under S166 FSMA). The FRC focuses on promoting high quality corporate governance and reporting, in particular through the work of the Conduct Committee and the Audit Quality Review team. The Conduct Committee’s review focuses on corporate financial reporting, and the team monitors the quality of the audits of listed and other major public interest entities together with the policies and procedures supporting audit quality at the major audit firms in the U.K. This includes their 2014 review of the quality of audits of banks. The PRA highlighted to the FRC some concerns about the audit of loan loss provisioning, as a result of which this was the focus of their most recent (2014) work on audit of banks. |
| EC 3 | The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.108 |
| Description and findings re EC 3 | When an off balance sheet asset meets the accounting definition of a derivative under IFRS and FRS 102, it will be measured at fair value and the valuation should reflect, amongst other things, the credit quality of the counterparty. IFRS requires most other off balance sheet items, such as loan commitments and guarantees, to be subject to provisioning where appropriate. Currently the relevant standard will sometimes be IAS 37 Provisions, contingent liabilities and contingent assets, but IFRS 9 Financial Instruments will require most loan commitments and written guarantees to be subject to expected credit loss provisioning. The U.K. accounting standard setter, the FRC, has stated that it will consider amending FRS 102 to bring it into closer alignment with IFRS 9. Banks with IRB permission are required to have risk-management policies, processes and systems that ensure off balance sheet items are categorized and measured appropriately. This would be verified through model reviews, thematic reviews and self-attestations. It is the role of the supervisor to ensure that the bank’s provisioning process takes into account off balance sheet or contingent liabilities that would have a high probability of coming on balance sheet should a stress event occur or as a result of a change in credit quality of the on balance sheet assets. This process is supported by the Credit Risk Specialists who as a matter of course check the evolution of off balance sheet commitments as part of the AQR process and quarterly C&C meetings where changes in contingent liabilities and provisions are reported and discussed. |
| EC 4 | The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. |
| Description and findings re EC 4 | Accounting standards require banks to establish loan loss provisions in a timely manner and, where correlated to loan losses, to take account of economic conditions (IAS 39, para. 59 (f) (ii) under IFRS; FRS 102, para. 11.22(e) and 11.23]. Market and macro-economic conditions are also factored into provisioning through the work of the FPC. For example, the FSA wrote to banks at the request of the FPC ahead of their 2012 financial statements being finalized because––based significantly on analysis by supervisors––the FPC considered that loan loss provisions did not fully reflect macroeconomic and market conditions. The FSA’s letter noted that the recession had continued for longer than had been widely anticipated and that there were particular concerns about provisioning for commercial real estate exposures. This was part of a broader FPC initiative, which concluded that major U.K. banks’ and building societies’ capital positions could be overstated by GBP 30–40 billion as a result of unrecognized expected loan losses (and, in addition, by GBP 10–20 billion as a result of unrecognized conduct costs and some GBP 20 billion arising from imprudent risk weighting)—see FSR, June 2013, pp 62–3. AQRs are used by supervisors (as part of CA for the major firms and more generally for others) to determine whether appropriate classification of assets and timely provisioning are in place. EWRM reviews are also used as a tool to determine appropriateness. Risk management reviews in respect of credit risk would consider both the policies and procedures established by a bank and the extent to which these policies and procedures are actually implemented throughout a bank. |
| EC 5 | The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, and 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). |
| Description and findings re EC 5 | Classification of contractual arrears by days past due is not currently mandated by accounting standards, but is required in the context of regulatory reporting: the supervisory reporting framework of the EBA governs the collection by supervisors of data on impaired loans and debt securities, nonperforming exposures, forborne exposures, as well as past-due loans and securities and associated impairment (see templates FINREP F4, F7, F12, F18, and F19 in Annex 3 of the ITS on supervisory reporting). Supervisors conduct AQRs or thematic reviews in order to be sure the firms are classifying problem assets appropriately and promptly, without circumventing standards. They may also ask Internal Audit and/or external auditors to review/provide comfort that the firm is behaving appropriately. To test banks’ treatment of assets, in November 2013 the PRA introduced a program of AQRs at Category 1 banks led by credit risk specialists and covering key retail and corporate loan portfolios. The aim is to assess the adequacy of accounting provisions and Pillar 1 and 2A capital. AQRs are typified as having four levels of granularity, ranging from reviews of regulatory returns, banks’ data and MI (Level 1), to more detailed reviews including transaction testing on a limited judgmental sample of loan files (Level 3) or on a larger and statistically robust sample (Level 4). The Level 1/2 assessments include reviewing policies and procedures to ensure that they cover the criteria for assessing borrowers’ creditworthiness and collateral evaluation and those for loan classification; verifying that the bank can detect, measure and regularly monitor the credit risk inherent in all on- and off-balance-sheet activities with regard, inter alia, to collateral coverage, contractual terms and agreements, covenants; assessing the level and quality of CRM; assessing whether the institution has appropriate skills, systems and methodologies to measure risk at borrower/transaction and portfolio level, and, in particular, to differentiate between different levels of borrower and transaction risk. Portfolio-level and file-level (i.e., Level 3/4) reviews are undertaken—primarily in respect of corporate loans—by credit risk specialists to ensure that lending decisions (new exposures and renewal and refinancing of existing exposures) comply with policies and procedures. AQRs are targeted at areas of exposure with potential material problems and are aligned to the FPC’s assessment of risks in setting the annual stress test scenario. AQRs have been conducted across a range of banks simultaneously for certain portfolio types (e.g., commercial real estate, SME/Mid-corporate), to allow comprehensive benchmarking and rank ordering of risks. While AQRs of the Level 3 and 4 type have been occasionally performed on banks not belonging to the first category, in the two and a half years since legal cutover the number of these detailed reviews performed by the credit risk specialists on the smaller banks has been limited: 8 on Category 2 firms and 3 on Category 3 firms (no AQRs on Category 4 or 5 banks). There are no plans to subject the remaining banks to similar review within a given time frame, though AQRs can be programmed and executed at any time, should the PRA envisage the need to and have the necessary resources for. Some AQRs are also conducted by the ‘line’ supervisors. |
| EC 6 | The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. |
| Description and findings re EC 6 | The PRA has access to six sources of relevant information:
Receiving regular MI is part of the CA process and allows qualitative reviews of the information. Regular regulatory reporting for all firms includes data on arrears levels for different asset classes and the corresponding provisions raised against those asset classes by the bank. Supervisors therefore get a regular insight into any discrepancy arising between arrears and provisions. For banks who are supervised on a portfolio basis (i.e., small banks) mandatory reporting i.e., COREP/FINREP allows point in time reviews and trend analysis enabling supervisors to assess firms’ provisioning both individually and on a peer basis. There is no specific requirement for banks to have adequate documentation in place to support their classification and provisioning levels, but the PRA considers this requirement covered by its Fundamental Rules. The PRA expects firms with appropriate governance to have processes in place that enable them to justify provisioning levels to their Board committees. External auditors will also expect their clients to have properly documented their provisioning methodology, assumptions, inputs and assessments. The assessors were provided examples of information received by the PRA on asset classification and provisioning; they found it adequately detailed. |
| EC 7 | The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. |
| Description and findings re EC 7 | Art. 104 of CRD establishes that NCAs should have the power to require institutions to apply a specific provisioning policy or treatment of assets in terms of own funds requirements. The PRA assesses the adequacy of classification and provisioning levels through the regular review of MI, interviews with senior management, and dialogue with the external auditors, and any subsequent reviews. Given that the PRA does not have formal powers over provisioning in banks’ financial statements, the approach that would most commonly be taken to a concern that loan loss provisions in a bank were insufficient would be to persuade directors to adjust provisioning levels, or for the PRA to make an appropriate deduction from a bank’s capital in determining the starting point in the CST exercise. Alternatively, the required extra provisions could be factored into the Pillar 2A add-on. In 2013 the FPC asked the PRA to conduct a detailed analysis of the largest banks’ capital adequacy, including by investigating overvaluation of some assets through under-provisioning against expected future credit losses. As a result, the PRA identified an aggregate shortfall of around GBP 13 billion (net of actions already planned) in the capital of eight major U.K. banks and building societies and invited them to take additional actions to completely close the capital shortfalls. |
| EC 8 | The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. |
| Description and findings re EC 8 | Supervisors ensure that the governance arrangements within a firm are adequate to confirm that collateral is appropriately valued and monitored. This could be through model reviews for an IRB bank or through a review of the risk-management policies in place. AQRs and cross-firm thematic reviews also allow for assessment of the management of collateral, including peer comparison taking into account market conditions and the economic cycle. Risk management reviews dealing with credit risk would consider the management and valuation of collateral and other risk mitigants—because risk mitigants are crucial in assessing what level of provisioning for a problem asset or portfolio is appropriate. |
| EC 9 | Laws, regulations or the supervisor establish criteria for assets to be:
|
| Description and findings re EC 9 |
An exposure shall remain classified as nonperforming while those conditions are not met, even though the exposure has already met the discontinuation criteria applied by the reporting institution for the impairment and default classification. Also, for exposures that are both nonperforming and forborne, the ITS set the conditions for discontinuing their classification as nonperforming (para. 157):
The ITS clarify that those specific exit conditions shall apply in addition to the criteria applied by reporting institutions for impaired and defaulted exposures. Para. 176 of the ITS set the conditions for discontinuing the classification of an exposure as forborne. In 2011 the FSA published a specific guidance on forbearance and impairment provisions for mortgages, explaining the authority’s view on good and poor practice in the overall provision of forbearance to customers and on the adequacy of controls, oversight, reporting, and disclosure. The new EBA definitions are not hard coded into the work the PRA does on the identification of and provisioning for problem assets, although these are factors that are taken into account in the work done on the quality of assets, both through regular offsite monitoring (COREP reports, FSA015 report, MI ‘packs’) and, in selected cases, by means of AQRs. The reviews focus, inter alia, on the bank’s processes around identifying emerging risks and the handling of troubled assets (for example, the speed with which they are classified as NPLs), defaulted assets, and forbearance. Supervisory work in this regard varies, from reviewing MI, performing AQRs or potentially instructing a third-party to perform a thematic analysis. The flexibility allows the PRA to focus on either or both of nonperforming assets or “newly” performing assets, assessing the criteria of how an asset is classified as non-performing/newly performing and how well these criteria are applied in practice. |
| EC 10 | The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. |
| Description and findings re EC 10 | Supervisors look into what pro-active work the Board initiates, e.g., deep-dive reviews into areas that they are less familiar with or which in their judgment could present a future risk. Supervisors receive bank Board papers, which allow them to see directly what information is presented to the Board. The CA schedule requires supervisors to meet with the Board members and, in doing so, can confirm both the level of information they receive and challenge they provide. Regular meetings with the bank’s auditors offer an independent view of how the Board interacts with the bank’s risk-management and any subsequent Board induced action. |
| EC 11 | The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. |
| Description and findings re EC 11 | From a supervisory perspective, the regular MI the PRA receives (both from COREP and banks’ own MI) highlights significant exposures and the criteria which classify them. Regular meetings with banks’ risk personnel are used to discuss these exposures, their classification, the strategy around them, and mitigants to the risk, i.e., collateral, diversification, etc. If the assets are troubled, this then extends into the workout strategy and prudency of provisioning. The PRA does not require banks to set a threshold beyond which an exposure should be individually assessed. |
| EC 12 | The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. |
| Description and findings re EC 12 | Individual bank supervisors undertake CA of firms’ annual risk appetite and lending plans, including various concentration limits and triggers. This engagement is supported by the SRS credit team’s cross-firm review of collections & recoveries and asset quality assessments. One example of the risks identified recently through this process is challenge around buy-to-let concentrations and provisions coverage. At the system level, the FPC monitors the potential build-up of risk and makes recommendations when it considers necessary. In November 2012 the FPC noted that, based on information from supervisory intelligence and banks’ own public disclosures, provisions in areas including the commercial real estate sector and vulnerable euro area economies might not have taken full account of expected losses. As a result, the FPC recommended that the FSA took action to ensure that capital reflected a ‘proper valuation’ of assets in these areas. The subsequent detailed exercise by the FSA resulted in a provisions shortfall of around GBP 30 billion, and the banks in question were required in 2013 to raise capital or adjust balance sheets as necessary. Another example is the action to contain the rise in mortgage lending with high loan to income ratios. This recommendation was made given analysis that there were risks to financial stability from a significant increase in the number of very highly indebted households. FPC has also published a statement on how it views risks in the housing market, and in particular how it monitors the build-up of those risks. Regular monitoring includes analysis of the distribution of risk metrics both within the household sector and the banking sector, indicators of housing market conditions, and assessment of the outlook and risks around that. The FPC may also ask for a stress test scenario to be adopted to explore a risk further. A good example of this is the 2015 stress test scenario which was intended to explore U.K. banks’ exposure to emerging market economies, given the combination of strong lending to some of these economies by some U.K. banks, and the risk that NPL could start to rise. FSSR staff supporting FPC monitors emerging risks to U.K. banks, including through reporting by supervisory intelligence as well as trends in bank profitability, NPLs, aggregate lending data, LE, important markets (particularly property markets) and international developments, as can be seen in the FSR and FPC records. It also coordinates across directorates (PRA, International, Financial Market Infrastructures, etc.) to arrive at a Quarterly Risk Pack providing assessment of the risks to the outlook for U.K. Financial System to FPC and PRA Board. Finally, a Credit Risk Forum has been established for those, within the BoE/PRA, concerned with U.K. credit risk, to share risk assessment on the macro and micro side. Examples of recent topics include U.K. credit cards, challenger banks, BTL market, and U.K. CRE. The assessors got access to the presentation pack of a recent Credit Risk Forum a number of cross-firm reviews on different topics: U.K. CRE lending and slotting, Mid Corporate / SME, collection and recoveries on U.K. mortgages and, in preparation of the 2014 CST, U.K. residential mortgage. The assessors also found evidence of reviews by credit risk specialists on individual banks focusing, inter alia, on potential threats to the asset quality through concentration, market and macro-economic issues. |
| Assessment of Principle 18 | Largely Compliant |
| Comments | The PRA basic philosophical approach to banks’ credit risk and problem asset management is that these are areas whose primary responsibility is with the banks and that is mainly the external auditor’s role to ensure that the banks’ practices are appropriate and lead to a true and fair representation of their financial situation. This explains the importance assigned by the PRA, in its supervisory approach, to a frequent interaction with banks’ external auditors and with the auditing profession in general. While external auditors can represent a precious source of information and insight into banks’ management of problem assets, this clearly needs to be complemented by a more direct supervisory analysis, as the PRA also recognizes. In particular, this core principle includes the requirement (introduced by the 2012 review of the BCPs) that supervisors test banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (EC 5). This entails a direct scrutiny of banks’ asset classification and provisioning via, inter alia, transaction testing, i.e., a detailed analysis of a sample of loan files (especially for non-retail portfolios). In November 2013, the PRA introduced a program of AQRs at Category 1 banks, led by credit risk specialists and covering key retail and corporate loan portfolios. The aim is to assess the adequacy of accounting provisions and contribute to a decision on the appropriate Pillar 2A buffer. AQRs are typified as having four levels of granularity, ranging from reviews of regulatory returns, banks’ data and MI (Level 1), to more detailed reviews including transaction testing on a limited judgmental sample of loan files (Level 3) or on a larger and statistically robust sample (Level 4). While AQRs of the Level 3 and 4 type have been occasionally performed on banks not belonging to the first category, in the two and a half years since legal cutover the number of these detailed reviews performed by the credit risk specialists on the smaller banks has been limited: 8 on Category 2 firms and 3 on Category 3 firms (no AQRs on Category 4 or 5 banks). There are no plans to subject the remaining banks to similar reviews within a given time frame, though AQRs can be programmed and executed at any time, should the PRA envisage the need to and have the necessary resources for. Also, a certain number of detailed AQRs are run directly by the line supervisors, though the assessors could not obtain statistics on this. The duration and staffing of visits for Level 3 and 4 AQRs delivered by the Risk Specialist Division—as well as the number of files examined––present a wide range of variation; from the material reviewed the assessors got the impression that the median AQR might be staffed with around three specialists plus one line supervisor, last less than two weeks, and review around 100 loan files representing a share of the portfolio that can go from 5 percent to 50 percent, depending on the asset class examined. This approach appears consistent with the PRA’s interpretation of its mandate and its intention to pursue a risk-based and proportionate approach to banking supervision. However it does not ensure that the fundamental reliance on external auditors’ contribution to the analysis of banks’ problem asset management practices be always appropriately accompanied by a more direct supervisory scrutiny, as this principle requires. It also entails that a large number of banks, while regularly monitored offsite and more intensely engaged whenever credit risks are perceived to increase or accumulate, can expect––with a high probability––not to be subject to a more direct and intrusive scrutiny by the supervisor for several years (possibly spanning a whole credit cycle). As pointed out for CP 17, these are the kind of banks most likely to converge towards the same promising business or market, when profitable opportunities emerge. The PRA has put in place an offsite monitoring system which relies on the identification of outliers or banks moving up the risk curve (e.g., by shifting towards higher LTV buckets for mortgage lending) and that can then well serve its purpose in capturing idiosyncratic risks in terms of individual banks drifting away from a safe and sound growth path; but it does not provide sufficient reassurance that emerging risks can be identified sufficiently in advance (e.g., creeping deterioration of underwriting standards within a formally unchanged lending policy). While these banks might represent a modest share of total assets, and hence reasonably pose no threat to the financial stability, they might still serve a share of bank customers large enough to cause embarrassment to the PRA, should any of the largest among them fail and lead their customers to question the effectiveness of the supervisor’s job. So, even if the risk-based philosophy underling the PRA’s approach is understandable and broadly shareable, to protect itself from reputational risk, the PRA should consider introducing elements of mitigation with respect to the risk of missing important ‘pockets’ of risk from its monitoring tools. As loan-file-based AQRs tend to absorb a relevant amount of scarce and increasingly overburdened specialist resources, the PRA may want to consider the possibility of relying to a greater extent on ‘line supervisors’: after all, loan file reviews are the staple activity for ‘standard’ bank supervisors in many jurisdictions, often since their apprenticeship. While line supervisors already conduct credit reviews and credit risk training is part of the supervisory training for all new supervisors, this could be reinforced as to allow supervision to autonomously conduct AQRs more frequently. In the short term this would put further pressure on the specialist resources (who provide on the job training to line supervisors) and would likely affect also their ordinary activity; but in the longer term it would allow increased flexibility in the use of resources and less need for too tight prioritizations. Should that prove not sufficient yet to avoid an excessive burden on resources, the PRA could consider, as a minimum, to incorporate forms of ‘backstop’ in its approach, such as—for example—random AQRs at banks of less than large size that do not present evident issues: this would help to mitigate the expectation, for these smaller banks, to be able to get away with less intense and intrusive supervision for prolonged periods, provided they manage not to attract too much attention. All in all, the assessors came to the conclusion that the current PRA approach to problem assets and provisioning is not fully compliant, but not materially non-compliant either, as they got comfort from the observation that the supervisors have established an intense and fruitful dialogue with the external auditors, even for the smaller banks, and that the PRA can (and does) substantially influence the work done by the auditors according to its own priorities as regards their assessment of banks’ asset classification and provisioning (see EC 27); this, especially in the current benign environment—with NPL ratios close to their historical lows––substantially mitigates what the assessors perceive as inherent limits in the PRA approach; which they nonetheless warmly invite the authority to address, possibly––though not necessarily—along the abovementioned lines. Another requirement introduced by the 2012 review of BCPs is for the supervisor to require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold (EC 11); the PRA does not require this. |
| Principle 19 | Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.109 |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.110 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. |
| Description and findings re EC 1 | Part IV of the CRR (Arts. 387–403) contains a comprehensive regime for the treatment of LE, capturing on-balance sheet exposures, off-balance sheet exposures and contingent liabilities. Banks are required to have sound administrative and accounting procedures and adequate internal control mechanisms for the purposes of identifying, managing, monitoring, reporting and recording all LE and subsequent changes to them (Art. 393). Art. 81 of CRD––transposed into PRA Rulebook ICAA 6––require firms to establish written policies and procedures to address and control concentration risks. Specifically, firms must establish policies and procedures to control concentration risk arising from:
Banks are also required to monitor the concentration of their funding sources (by product and by counterpart) and of the products representing their liquidity counterbalancing capacity (see CP 24). Market risk concentrations are addressed under Pillar II: banks are required to hold additional capital to cover market risks that are underestimated or not covered under the market risk framework in Pillar 1; the majority of such risks relate to illiquid, one-way and concentrated positions. The assessors got access to data on the capital add-ons applied to major banks and verified the methods and processes used to account for market risk concentration. The PRA assesses and scores institutions’ management of credit concentration risk as part of the risk-management and controls category of the PRA risk model. Furthermore, under the SREP, the PRA assesses whether additional capital is needed, applying a methodology that generates a suggested capital add-on for single-name, sectoral and geographic concentration risk, separately. A revised methodology was finalized recently and will be implemented in January 2016.111 In addition, PRA Rulebook ICAA 6 refers to concentration arising from CRM. This encompasses concentration risk arising via collateral and/or guarantees. For wholesale asset classes, both sectoral and geographic concentration risk assessment applies. Retail asset classes only attract a geographic (international) concentration risk charge. Collateral is inherently accounted for in the assessment methodology, which is based on RWAs. For single name, sectoral, and geographical concentration risk, firms are required to report banking and trading book assets. The assessors got access to a number of reports which focus on concentration risk within different asset classes (e.g., U.K. mortgage portfolios, Asian Mid-Corporate and SME). |
| EC 2 | The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and LE112 to single counterparties or groups of connected counterparties. |
| Description and findings re EC 2 | If the PRA has reason to suspect that an institution’s information systems are failing to identify and aggregate information on LE (or, indeed, other relevant information) adequately, it may conduct a review of the institution’s systems and procedures for managing operational risk. If, after such a review, the PRA is still not satisfied that the institution has adequate systems to identify and manage risks, it can commission a ‘skilled persons’ review of the firm under S166 of the FSMA Act 2000. Within the last five years, the PRA has reviewed reporting systems of a number of large firms, using the powers provided to it under FSMA S166. The PRA may also impose additional capital requirements for firms where it suspects deficiencies in information and reporting systems. The assessors found evidence of a concentration risk assessment performed by the risk specialists and of a skilled person report on the same subject. |
| EC 3 | The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. |
| Description and findings re EC 3 | Institutions are required to ensure their ICAAPs are materially up-to-date and reviewed by their Boards at least annually. The PRA expects institutions to update their ICAAPs more frequently if changes in the business, strategy, nature, or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate. The PRA Rulebook’s ICAA Section, Chapter 6, require banks to address and control concentration risk, by means which include written policies and procedures, but does not set out a requirement to specify limits. The PRA expects Boards to take ownership of the ICAAP. While there are no rules for building societies, the Building Societies Sourcebook (SS 20/15—supervising building societies’ treasury and lending activities) sets out supervisory expectations re certain mortgage and treasury concentrations (e.g., max proportion of balance sheet that should be sub-prime or CRE). The PRA expects Boards to take ownership of the ICAAP, keeping it materially up-to-date and reviewed at least annually. As specified in the ICAA part of the PRA Rulebook, firms ICAAPs must include an assessment of concentration risk. The assessors reviewed a report analyzing the limits for concentration risk in place at a large U.K. bank with respect to a number of different dimensions, including single name concentration, top 20 exposures, specialized lending, sovereigns. |
| EC 4 | The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. |
| Description and findings re EC 4 | As regards LE, CRR Art. 394 sets out reporting requirements for LE and certain largest exposures, including the identification of client or group of clients, the value of the exposure before CRM, type of credit protection, and expected run-off of the exposure. In addition, the EBA has developed COREP templates and instructions in relation to LE (Commission’s Implementing Regulation (EU) No 680/2014 on supervisory reporting and subsequent amendments, Annex VIII and IX). The annexes include identification of the counterparty by general sector (government, credit institutions, households), and statistical sectoral codes for individual counterparts which are non financial corporations. The PRA collects information on LE and capital adequacy on a quarterly basis. Firms report information on their LE through COREP template ‘COR002.’ This provides the PRA with information on banks’ exposures to different sectors and economic activities, including by 2-digit nomenclature of economic activity (NACE) codes. Banks are required to provide geographical breakdowns of their exposures through COREP template ‘COR001.’ Information on currency exposures is available through liquidity reporting templates (COR003 and COR004). Firms required to comply with ‘FINREP’ reporting requirements submit information on concentrations through templates F20.01–20.07. For firms within the FINREP reporting framework, exposures are also broken down into high-level economic activities (that is, by top-level NACE Codes). These exposures are not subject to reporting thresholds. Firms are also required to submit data on credit concentration risk within their ICAAP, as specified in PRA Rulebook (ICAA). Credit concentrations to sectors and geographic regions are assessed under Pillar 2. The PRA requests data from firms in advance of assessments and expects firms to self-assess concentration risk as part of the ICAAP. The assessors had access to examples of concentration risk data—by sector, country, U.K. region—that the PRA collects for Pillar 2 reviews under both the current and the new approach, to be implemented in 2016. |
| EC 5 | In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. |
| Description and findings re EC 5 | CRR Art. 4(39): defines ‘group of connected clients’ as any of the following:
There is a possible exception for natural and legal persons connected with the government, which “may be considered as not constituting a group of connected clients. Instead the existence of a group of connected clients formed by the central government and other natural or legal persons may be assessed separately for each of the persons directly controlled by it in accordance with point (a), or directly interconnected with it in accordance with point (b), and all of the natural and legal persons which are controlled by that person according to point (a) or interconnected with that person in accordance with point (b), including the central government. The CEBS ‘Guidelines on the revised LE regime,’ Part I (currently being updated) provide guidance on how to apply the definition of ‘group of connected clients’ in practice: para. 24 of the Guidelines clarifies that “in cases of divergence between the opinion of the institution and that of the competent authority, it is the competent authority which decides whether a client must be regarded as part of a group of connected clients.” Under the FSMA part XIV, the PRA can, on a case-by-case basis, require banks to treat counterparties as a group of connected clients if it feels that such a treatment is warranted. In reaching a judgment about whether a group of counterparties constitutes a group of connected clients, the PRA takes into account the ‘Guidelines on the implementation of the revised LE regime’ issued by the CEBS in 2009. In addition, the PRA adheres to the principles for identifying groups of connected clients established in FSA Policy Statement 12/21, which contains rules on the treatment of LE to structured finance vehicles. The assessors found evidence of how the PRA can require that a bank consider a group of entities––reported as non-connected––as a group of connected clients. |
| EC 6 | Laws, regulations or the supervisor set prudent and appropriate113 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. |
| Description and findings re EC 6 | The EU LE regime is broadly aligned with the Basel 2014 LE framework, but there are likely to be gaps: in particular, exemptions wider than under the Basel text and more generous treatment for certain asset classes (e.g., covered bonds, exposures to G-SIBs). However, the Basel framework for LE was published in 2014. It will take effect from January 1, 2019. ‘Exposures’ are defined by Art. 389 CRR as any asset or off-balance sheet item referred to in the standardized approach for capital requirements on credit risk, without applying the risk weights or degrees of risk; it thus includes on- and off-balance sheet exposures and all the claims and transactions that give rise to counterparty credit risk. This in line with the Basel standard, except for exposures considered ‘low-risk,’ which receive a 0 percent credit conversion factor (CCF) in the CRR (consistently with the standardized approach for credit risk), while a 10 percent floor applies to all CCF in the Basel LE framework. Any exposure to a client or group of connected clients equal to or greater than 10 percent of a firm’s eligible capital is to be considered a LE (Art. 392). CRR Art. 395 sets out limits to LE at 25 percent of a bank’s eligible capital, after taking into account the effect of CRM. If the client is a credit institution or investment firm, the limit is the largest between 25 percent and EUR 150 million; if the EUR value is higher than 25 percent of the bank’s eligible capital, the exposure must not exceed a “reasonable limit,” to be determined by the institution’s internal policies and procedures, which must not exceed 100 percent of the institution’s eligible capital. CRR Art. 6 establishes that LE limits must be complied with on both individual and consolidated basis. In the U.K. the exemptions provided for by Arts. 400 (1) and (2) CRR take the form of two different kinds of permission (see also SS 16/13):
The PRA will only grant either of these intragroup LE permissions where it is satisfied that the reporting firm and the respective intragroup entities effectively operate as a single party. More specifically, firms must demonstrate that there are no current or foreseen material, practical or legal impediments to the prompt transfer of capital or the repayment of liabilities from the entity to the firm. At the time of the assessment there were 13 core U.K. group permissions and 20 noncore LE group permissions currently in force. The PRA reviews firms’ reporting on their LE, which is conducted quarterly through reporting template COR002, on both a solo and a consolidated basis (see EC 4). The PRA’s RDG performs plausibility, checking on the consistency and reliability of these reports, and supervisors review the returns to identify key risks arising from LE. In addition, the largest investment firms report MI to the PRA on a weekly basis, which includes information on LE. The PRA also makes ad-hoc requests for information on firms’ LE and their risk concentrations, as appropriate, based on market intelligence. The assessors analyzed some examples of MI sent by banks to the PRA and a review of single name concentrations. |
| EC 7 | The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk-management purposes. |
| Description and findings re EC 7 | The PRA requires banks to include the impact of significant risk concentrations within stress-testing and scenario analysis that forms part of their ICAAP reviews. Banks are expected to apply particular stresses to identified significant risk concentrations in order to test that the capital held for concentration risk under Pillar 2 is sufficient. The CST scenarios by design highlighted the impact of specific concentrations. For example, the 2014 CST focused on a U.K. downturn with emphasis on residential mortgage portfolio valuations. This highlighted the stress impact on U.K. centric firms (geographic concentration risk) and specific mortgage loan portfolios (product concentrations), e.g., Nationwide, LBG, etc. The 2015 CST focused on an Asian stress (geographic concentration risk) with a combined trading book shock (product concentration), which impacted mainly HSBC, SCB, Barclays, etc. Additionally, the 2015 CST required firms to identify and rank their top ten Asian trading book exposures under the stress scenario. From this list, they had to default at least the two most vulnerable counterparties (or default more than two if the firm deemed that more than two names are likely to default under the scenario. In respect of European counterparties, perform the same exercise, but default at least the most vulnerable from the top ten. |
| Additional criteria | |
| AC1 | In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:
Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. |
| Description and findings re AC1 | The EU definition of LE and the LE limits are compliant with the abovementioned criteria (see also EC 6), except for the exemptions granted by Art. 400 CRR, which are neither temporary nor necessarily related only to very small or specialized banks. Also, under CRR Art. 395(1) small credit institutions and investment firms (those for whom EUR 150 million is more than 25 percent of their eligible capital) are exempted from some elements of the LE requirements. For such institutions, LE to other credit institutions may be up to 100 percent of their eligible capital, or EUR 150 million, whichever is the higher. |
| Assessment of Principle 19 | Compliant |
| Comments | The CRR sets the LE regime and determines the limits to be observed. While the framework is broadly aligned with the Basel 2014 LE framework (which will take effect from January 1, 2019 and will be applicable to internationally active banks, regardless of size) and the ECs, there are likely to be gaps. Some exceptions under CRR 400(1) seem to go beyond the Basel LE framework and weaken the limit, such as for some off-balance sheet contingent facilities (which, in the LE framework, are subject to a 10 percent CCF floor). In addition, exemptions under national discretion provided by 400(2) may not be compliant with the LE regime: for instance the Basel LE regime establishes that a covered bond meeting certain conditions can be assigned an exposure value of no less than 20 percent of the nominal value of the banks covered bond holding. The national discretion provided under 400(2) doesn’t mention the 20 percent floor. The eligible covered bonds under CRR Art. 129 also seem to be broader than the eligible covered bonds under para. 70 of the LE framework, as underlying assets in the EU can be exposures to banks, and maritime liens on ships. There is no stricter LE limit for G-SIBs as per the Basel LE framework. Some of these elements of noncompliance in the EU regime for LE are likely to be non material in the case of the U.K.: for example, it is unlikely that there be significant concentrations of covered bonds in the banks’ balance sheets, given that covered bond holdings are typically not relevant for U.K. banks in the first place. However, an exhaustive analysis of the nature and materiality of divergences between the EU and Basel framework for LE (of the kind of the EU RCAP on the capital requirement framework, for example) is not available; similarly, there does not exist an analysis of the materiality of those divergences in the specific case of the U.K. Also, EC 6 clarifies (footnote 193 of the BCP document) that the “prudent and appropriate requirements to control and constrain large credit exposures” should ‘reflect’ the applicable Basel standards. Considering all this, the assessors came to the conclusion that, at the best of their knowledge and understanding, given the information available, the EU framework for LE, as applied in the U.K., does not seem to present deviations of such a materiality that it no longer reflects the Basel standards. As regards concentration risk, the PRA framework appears overall robust and the assessors could examine a number of detailed and analytical reviews conducted by the risk specialists on different dimensions of credit concentration risk and information received on concentration in funding sources and liquid assets. Also, the PRA has further reinforced its approach to concentration risk by introducing a standard methodology to set, for all banks, Pillar 2 capital buffers against credit concentration risk stemming from single name, sector and geographic credit concentration. The PRA also considers market risk concentrations; while its approach in this area is less structured than for credit risk, the assessors found evidence of supervisory action based on the analysis of market risk concentrations, such as Pillar 2 add-ons for illiquid, one-way and concentrated positions. The main notable divergence from the essential criteria of this principle is that the PRA does not require banks to have risk-management policies and processes that establish thresholds for acceptable concentrations of risk, as expected under EC 3. Requiring banks to set internal limits for concentration risk within their risk tolerance is important to promote a higher level of discipline in the management of their risk concentrations and the assessors recommend that the authorities explicitly introduce and enforce this requirement in their regulation. The lack of this requirement in an explicit form is partially compensated by the fact that, at least for credit risk concentrations, the Pillar 2 approach entails now a penalization in terms of capital buffers. Another divergence relates to the requirement that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board (EC 3): this is achieved implicitly, through the PRA expectation that Boards ‘own’ the bank’s ICAAP, which, in turn, requires that credit concentration risk is addressed. The assessors then considered these deviations not material enough to change their perception of an otherwise fairly robust overall framework for concentration risk and to deviate from an assessment of full compliance. |
| Principle 20 | Transactions with related parties. In order to prevent abuses arising in transactions with related parties114 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties115 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. |
| Essential criteria | |
| EC 1 | Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties.” This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. |
| Description and findings re EC 1 | The PRA Rulebook defines “related parties” in relation to a firm as:
The PRA has the power to require, on a case-by-case basis, a firm to recognize a person or entity as a related party, where it has not already done so (PRA Rulebook’s section on related party transaction risk). |
| EC 2 | Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.116 |
| Description and findings re EC 2 | Under the PRA Rulebook, a firm must enter into transactions with related parties at market value or on terms no more favorable than would be agreed if the transaction was not with a related party. For the purposes of the instrument, ‘transactions’ are defined as any arrangement or circumstance that gives rise to, or varies, an on-balance sheet or off-balance sheet asset or liability (whether contingent or otherwise). Transactions may also refer to dealings such as service contracts, asset acquisitions and disposals, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The prohibition on firms entering into transactions with related parties on more favorable terms does not apply to beneficial terms that are part of firms’ overall remuneration packages, such as favorable interest rates for employee loans. In addition to the PRA Rulebook on related parties, the Building Societies Act (BSA) 1986 contains a number of provisions and restrictions relating to building societies’ transactions with directors and other persons connected with building societies. S63 sets out requirements around disclosure of transactions and arrangements with directors; S64 imposes restrictions on substantial property transactions with directors and connected persons; and S65 imposes restrictions on societies’ ability to make loans to directors or persons connected with directors on more favorable terms than with other parties. S66 contains sanctions for breeches of S65. S68 contains requirements for transactions with directors and connected parties to be recorded and reported to the societies’ members and for this information to be made available to the FCA and the PRA. Finally, under S69, there must be disclosure and recording of income by a director or officer of a building society obtained via the provision of certain services to the society. |
| EC 3 | The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. |
| Description and findings re EC 3 | The PRA Rulebook requires firms to set a ‘materiality threshold’ above which transactions with related parties (including write-offs) receive prior approval from the firm’s management body. The PRA Rulebook further requires firms to prevent a related party from taking part in the firm’s decision making process in relation to any transactions with that related party |
| EC 4 | The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. |
| Description and findings re EC 4 | The PRA Rulebook requires that a firm’s policies and procedures on related parties’ transactions must prevent a related party from taking part in the firm’s decision making process in relation to any transactions with that related party. PRA supervisors address banks’ policies and processes for identifying and mitigating conflicts of interest as part of periodic ‘governance reviews’ and ‘EWRM’ reviews, tailored to the particular risks and circumstances of individual firms (see BCP 15, EC 1). The frequency of such reviews depends on the size and complexity of the firms; for ‘Category 1’ U.K. firms, they take place once every two or three years; for lower categories of firms, the PRA conducts governance reviews and EWRM reviews every 2 to 3 years and the depth of the reviews will depend on the size and complexity of the firms. |
| EC 5 | Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. |
| Description and findings re EC 5 | Before the entry into force of the CRD-CRR framework, the matter was regulated by FSA’s (first) and PRA’s (then) BIPRU; in particular, BIPRU 10.5.6 required banks to “ensure that the total amount of its exposures to the following does not exceed 25 percent of its capital resources (as determined under BIPRU 10.5.2 R, BIPRU 10.5.3 R and BIPRU 10.5.5 R):
“Connected counterparty” was defined (by BIPRU 10.3.8) as “another person (‘P’) to whom the firm has an exposure and who fulfils at least one of the following conditions:
The term ‘associate’ includes, for individuals, related family members and trustees of which the individual’s family is a beneficiary or discretionary object. The assessors found evidence of how this rule was used to intervene on a bank where the total exposure to connected parties was in breach of the regulatory limit. Under the current EU legislation and regulation, banks’ exposures to related parties are subject to the same requirements as exposures to other entities, i.e., the EU LE framework. Where related parties are financial sector entities included within the scope of regulatory consolidation, firms may apply for a Core U.K. group permission or a noncore LE group permission (see BCP 19, EC 6). These permissions allow the firm to exceed the 25 percent LE limit as long as certain criteria are met. In addition to the general LE and intragroup LE rules, the PRA can limit the activities of firms, including their ability to conduct transactions with other entities, on a case-by-case basis. In particular, under Part 4A of the FSMA 2000, the PRA has the power to vary the permissions of, or impose requirements on PRA authorized firms. This may be at the request of the firm or on the PRA’s own initiative. Under these powers, the PRA has the power to:
In a consultation paper of October 2013 (CP 8/13), the PRA has explained that it intend to use these powers where it records failings in the firm’s establishment, implementation and maintenance of the risk control requirements on related party transaction risk. Going forward, the PRA may impose additional restrictions on firms’ transactions with related parties as a consequence of its structural ring-fencing reforms, which are part of the implementation of the BRA 2013. The PRA has not yet issued its final rules in relation to ring-fencing. |
| EC 6 | The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. |
| Description and findings re EC 6 | The PRA Rulebook’ section on related parties transaction risk requires firms to establish, implement, and maintain effective policies and procedures to identify, evaluate, and manage risks arising out of transactions with their related parties. To meet this condition, firms’ policies and procedures must ensure that the firm records and monitors the details and amounts of any related party transactions using an independent credit review or audit process. Furthermore, firms must only permit exceptions to those policies and procedures if those exemptions are reported to the firm’s senior management or management body as appropriate. Building societies are required to submit annually a copy of information provided to the FCA relating to loans to directors and connected parties and income received by directors for the provision of certain services. These sections of the 1986 Act are the responsibility of the FCA. However, PRA supervisors examine the information received to assess, in particular, whether a small society has made a large loan (relative to the size of the society’s balance sheet) to an executive director, which might give rise to repayment problems were that executive to be dismissed (and, therefore, might influence that Board’s assessment of that executive). If PRA supervisors suspect an offence under the 1986 Act had been committed, they would pass this on to the FCA. The PRA requires firms to provide information on policies and procedures for transactions with related parties on a case-by-case basis; the assessors could examine such an example. The PRA monitors senior management’s policies and procedures for managing transactions with related parties when it deems it necessary and appropriate for the attainment of its statutory objectives. In particular, the PRA conducts governance reviews and enterprise wide risk-management reviews, which may examine banks’ policies and procedures for handling conflicts of interest policies. Whether such reviews would assess conflicts of interest typically depends on supervisors’ knowledge of the firm and their view of the particular risks to which it is exposed. |
| EC 7 | The supervisor obtains and reviews information on aggregate exposures to related parties. |
| Description and findings re EC 7 | The PRA Rulebook enables the PRA to obtain information on aggregate exposures to related parties on an ad hoc basis. Some information on transactions with related parties is provided in regular reporting on LE (part of COREP, quarterly frequency). In addition, the PRA regularly obtains information on banks’ transactions with related parties as part of the FINREP reporting framework, which is semi-annually. Template F31 of FINREP specifically asks for information on exposures to related parties. Reporting is on a consolidated basis only (not individual). The information is available only for banks submitting FINREP. Furthermore, as discussed under EC 2 and EC 6, the PRA obtains information on building societies’ loans to directors and connected parties. This information is obtained on an annual basis. The assessors examined the COREP and FINREP reports. |
| Assessment of Principle 20 | Compliant |
| Comments | The PRA Rulebook complies with the BCP definitions of related parties and related party transactions and sets out most of the requirements cited in the principle, as recommended by the previous FSAP mission. Under the pre-CRD regime (BIPRU) the PRA could set specific limits on aggregate exposures to related parties. Under the current EU legislation and regulation, banks’ exposures to related parties are subject to the same requirements as exposures to other entities, i.e., the EU LE framework. However, FSMA assigns to the PRA the power to: set limits for exposures to any natural or legal persons; deduct a firm’s exposures under transactions with related parties from its capital resources when assessing capital adequacy; or require a firm to collateralize that firm’s transactions with related parties. The PRA has granted intragroup exposure exemptions from the LE regime to a number of U.K. and international banks (CP 19–EC 6): this means that for these exposures there are no limits in place. On the other hand the PRA, when it envisages the need to mitigate risks to safety and soundness of U.K. subsidiaries arising from other entities within the group, has the power (and used it on several occasions) to implement ‘supervisory ring-fences’ or ‘specific supervisory measures’ (CP 12–EC 6). Apart from the regular quarterly COREP reporting on LE, the PRA receives information on transactions with related parties in a semiannual FINREP report that contains information on an aggregate basis. It is available only for the 32 banks submitting FINREP. It means that the majority of U.K. banks only provide information on transactions with related parties in their annual reports (unless they represent LE, in which case they are covered by COREP reporting). Considering this finding as a manifestation of the reduced supervisory intensity on less systemically important firms, already flagged elsewhere in this assessment (see CP 8), the assessors didn’t weigh it against the degree of compliance with this principle, but still recommend that the authorities introduce a regular infra-annual reporting of transaction with related parties applicable to the generality of the banks and a routine monitoring of their compliance with the rules. |
| Principle 21 | Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk117 and transfer risk118 in their international lending and investment activities on a timely basis. |
| Essential criteria | |
| EC 1 | The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. |
| Description and findings re EC 1 | Supervisors noted in discussions that staff from the SRS department conduct periodic reviews (two per year) of Category 1 firms’ management of country and transfer risk, including the appropriateness of reserves established against those risks (less resources are available for firms in the lower categories). The PRA handbook sets out expectations for firms to identify, control, and quantify their exposures, including to country risk and transfer risk. Firms are required to report to the PRA quarterly all country risk limits and exposures and are required to notify the PRA of any breaches in those limits. Rules which require firms to identify, control and quantify their exposures, including to country risk and transfer risk, are contained within the risk control chapter of the PRA Rulebook, Rule 2.1, which sets out PRA requirements regarding risk policies and procedures that firms must adhere to. The PRA Handbook requires firms to have sound administrative and accounting procedures and adequate internal control mechanisms including for the purposes of identifying and recording country and transfer risks and for monitoring these exposures in the light of the firm’s own exposure policies. These requirements are outlined in the record keeping chapter of the PRA Rulebook, Rule 2.1. Firms are required to report all country risk limits and exposures to the PRA through quarterly reporting requirements and are required to notify the PRA of any breaches of these limits. The usual reporting mechanisms are the CA program and COREP. Supervisors, supported as required by risk specialists, review the governance procedures that set out the country and transfer risk-management policies, process and appetite at each firm. This review includes assessing how well the Board set, monitor and control country and transfer risk appetite, how effectively these powers are delegated to senior management, and what level of oversight exists. It is the role of the supervisor, with SRS specialist support, to determine if a bank’s policies and processes give due regards to the identification, measurement, monitoring, and control of country risk and transfer risk. Exposures need to be measured and identified on an individual country basis. With the larger and more systemically important firms, country risk analysis tends to be done as part of a broader technical risk review or an AQR. In other firms, evaluations of country and transfer risk are generally conducted on at least a quarterly basis. Such reviews of other firms’ exposures to country and transfer risk coincide with the receipt of the COREP COR001 regulatory return, which categories exposures based on the residence of the obligor, supplemented by the COREP COR002 regulatory return, which details the counterparty and the nature and structure of the exposure. |
| EC 2 | The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
| Description and findings re EC 2 | U.K. supervisors review banks’ strategies, policies, and process for the management of country and transfer risk through the review of policy papers, Board minutes, and MI presented to the Board and senior management, as well as through discussions with Board members, management, and NEDs. |
| EC 3 | The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. |
| Description and findings re EC 3 | As noted under EC 1, the Risk Control chapter of the PRA Rulebook sets out expectations for firms to establish, implement, and maintain adequate risk-management policies and procedures to aggregate, monitor, and report country exposures on a timely basis. |
| EC 4 | There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:
|
| Description and findings re EC 4 | U.K. supervisors do not prescribe or set guidelines on provisioning. Instead, data relating to country and transfer risk are reported to the PRA through the FDSF on a quarterly basis. Supervisors noted in discussions that staff from the SRS department conduct periodic reviews of Category 1 firms’ management of country and transfer risk (less resources are available for firms in the lower categories). Where shortfalls in provisions are noted, supervisors indicated that they could require firms to increase their capital held against country and transfer risks by requiring firms to hold an additional prescribed amount of “Pillar 2A” capital. Supervisors shared with assessors summaries of recent processes they had run to evaluate provisions held against exposures to obligors in European jurisdictions that were experiencing fiscal or economic distress and that resulted in requiring firms with relevant exposures to increase their capital through the Pillar 2A capital ad-on process. In some cases, SRS have conducted AQR in overseas locations to understand the adequacy of provisions and capital against exposures to obligors in those jurisdictions. Assessors also had an opportunity to review analyzes prepared by PRA or BoE staff of the risks associated with certain countries or regions that may require heightened attention by supervisors, and those reports shared with assessors offered evidence of the supervisors’ efforts to evaluate the sufficiency of firms’ mitigants against country and transfer risk. |
| EC 5 | The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. |
| Description and findings re EC 5 | The PRA requires all banks to test their credit exposures under a stress scenario as part of the ICAAP. For smaller firms, the PRA reviews such assessments proportionate to the materiality of the firm. |
| EC 6 | The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). |
| Description and findings re EC 6 | As noted above under EC 1 and EC 4, U.K. supervisors obtain and review information on country and transfer risk on a quarterly basis. When necessary, the PRA has the power to obtain additional information, such as in crisis situations. Supervisors summarized in discussions the process used to gather and analyze such data in response to concerns that have arisen recently in certain jurisdictions within Europe. |
| Assessment of Principle 21 | Compliant |
| Comments | Overall, U.K. supervisors appear to have adopted appropriate policies and procedures regarding firms’ obligations to manage their exposures to country and transfer risk. At the prior FSAP, assessors recommended that U.K. supervisors adopt a more proactive approach to the supervision of these risks; with regard to Category 1 firms, our discussions with supervisors suggested that the PRA does engage with large firms on these risks periodically, including through reviews of country and transfer risk reserves established by the firms. Assessors also took note of recent studies performed by PRA and BoE staff on country and regional developments and other topics related to country or transfer risk that could be relevant across firms. As has been noted elsewhere in this FSAP, limited specialist resources are available for reviewing country and transfer risk in firms that are smaller than those in Category 1. Given the London market’s prominence in global finance, even firms that are smaller than those in Category 1 may still have substantial international exposures. It remained unclear to assessors how significant such risks might be and what, if any, additional supervisory engagement could be necessary to ensure a more proactive approach to the supervision of country and transfer risk. |
| Principle 22 | Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance, and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring, and control of market risk. |
| Description and findings re EC 1 | Art. 83 of CRD requires competent authorities to ensure that policies and processes for the identification, measurement and management of all material sources and effects of market risks are implemented. Art. 368 of the CRR lays down further qualitative governance requirements for banks using internal models for market risk. Art. 105 of the CRR requires valuation adjustments to reflect valuation/exit-price uncertainty due to the risk of deterioration in market liquidity. EBA’s “Guidelines on SREP methodologies and processes” specify elements of market risk-management to be assessed by supervisors in SREP, which covers, among others: market risk strategies and appetites; organizational frameworks; policies and procedures; and, risk identification, measurement, monitoring and reporting; and, internal control framework. Specifically, they recommend supervisors to assess:
The EBA is in the process of drafting delegated acts that specify in greater detail the governance and technical requirements for institutions using internal models to manage market risk (“model assessment RTS,” CRR, draft RTS as per Art. 363[4]). They are expected to be in force from 2016 onwards. In addition to European legislation, banks in the U.K. are subject to the PRA’s rules and standards on market risk set out in the PRA Rulebook. Banks are periodically reviewed by the PRA to assess that their risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. Nine among the banks with the largest trading books are assessed on a continuous basis (CA), with the frequency of assessment reducing for remaining banks. The PRA statement of policy “The PRA’s methodologies for setting Pillar 2 capital” (July 2015),119 outlines the methodologies used by the PRA to inform the setting of Pillar 2 capital for firms to which CRD applies. S3 provides details of the methodology used by the PRA to assess market exposures against the capital resources of the firm. As a part of this review, institutions are required to:
Firms that are not part of the CA cycle can nonetheless receive reviews of the effectiveness of their overall risk-management frameworks (including market risk) undertaken as part of their supervisory cycle. This may be a more in-depth review undertaken to address specific concerns arising due to a supervisory request. For less material firms, risk specialists may advise supervision on Pillar 2A assessments. The PRA may also visit the institutions on ad-hoc basis to undertake assessments, for drill-down on specific market events (e.g., Swiss Franc de-peg in January 2015) or thematic reviews (e.g., specific interest rate risk VaR models under IMA, cross-firm comparison of credit valuation adjustments). The assessors got access to some of the periodic reviews performed by the SRS division: these are detailed documents with half-yearly frequency that summarize the analysis conducted offsite on the material received by the banks and discussed with the risk-management functions during onsite visits (generally half-a-day visits); provide an overall assessment of the relevant points of strength and weakness in the banks’ risk-management framework, with more intense focus on specific issues identified during the preparatory work; propose recommendations for the firm and next steps for supervisory action. There was evidence that the specific situations were followed up appropriately. The assessors also found evidence of a detailed cross-firm analysis of a market event, containing recommendations for further action on selected banks. |
| EC 2 | The supervisor determines that banks’ strategies, policies, and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
| Description and findings re EC 2 | EBA SREP guidelines require that supervisors assess whether banks have a sound, clearly formulated and documented market risk strategy, approved by their management body (para. 219). This includes whether the management body clearly expresses the market risk strategy and appetite and the process for their review (para. 219 a). Regarding the Boards’ oversight of policies and processes, the guidelines provides that supervisors assess whether the management body approves the policies for managing, measuring and controlling market risk and discusses and reviews them regularly, in line with risk strategies (para. 221 a). The EBA Guidelines on Internal Governance require that the management body of an institution sets and oversees the institution’s overall risk strategy, risk appetite, and the risk-management framework (para. 8, responsibilities of the management body). PRA receives documents from banks on a regular basis to help it assess that the risk-management process is effectively implemented and full integrated into the business-asusual activities of the bank. The documents received include: (1) internal and external audit reports; (2) risk-management & control reports; (3) agendas for Board audit; risk and ExCos, and (4) specific risk reports. The assessors found evidence of a review conducted by the supervisors at a bank verifying the approval by the Board of the bank’s strategy, policy, and processes, including a critical evaluation of the risk appetite framework, also approved by the Board. |
| EC 3 | The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:
|
| Description and findings re EC 3 | The EBA SREP Guidelines recommend that supervisors assess whether the bank’s market policies and procedures are sound and consistent with the market risk strategy and cover all the main businesses and processes relevant for managing, measuring and controlling market risks. (para 221). In particular, they recommend that supervisors assess following elements:
The PRA Rulebook also covers the aspects of a bank’s risk-management policies and processes addressed by the essential criteria. The SRS division of the PRA assesses the bank’s compliance with these requirements. For firms with material risk, the operational risk, traded risk management and the traded risk measurement teams of the SRS division conduct a CA of the bank’s information systems, risk appetite and limit framework, permissions to use (and alter) internal models, and the allocation of risk exposures to the trading book. As part of the CA process, institutions submit market risk related information to SRS on a quarterly basis (alternating between market risk and counterparty credit risk). SRS, along with the bank supervision team, visit the firm on a semiannual basis to conduct a full review and clarify all outstanding issues from the latest quarterly submission. The assessors found evidence of supervisory review of the items listed in this EC in the analysis of the risk-management reviews mentioned in EC 1, except for the assessment of policies and processes for the inclusion/exclusion of positions from the trading book (e), which however is reviewed throughout the supervisory cycle. |
| EC 4 | The supervisor determines that there are systems and controls to ensure that bank’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. |
| Description and findings re EC 4 | CRR Art. 105 provides a number of requirements for banks regarding prudent valuation of trading book positions, including:
The EBA SREP Guidelines recommend supervisors to assess whether:
In addition, the guidelines require supervisors to assess whether stress testing used by banks to complement their risk measurement system identifies relevant risk drivers, where illiquidity/gapping of prices, concentrated positions, and one-way markets are provided as examples (para. 224 b). Based on the above mentioned CRR article, EBA has published draft RTS on prudent valuation of fair-valued positions, which provides details of calculating additional valuation adjustments. Individual bank supervision teams coordinate with expert teams within the PRA to assess the requirements listed for this EC. In particular, the valuation and product control team of the SRS division assesses valuation processes and ensures prudent valuation adjustments are made at banks. The PRA requires banks with significant fair valued positions to report valuation adjustments on a quarterly basis in accordance with the PRA GENPRU S1.3, through a standardized process. The assessors got access to a cross-firm analysis performed on the banks with the most significant trading business. The analysis focused specifically on a number of relevant findings in, among other, the areas of data and IT systems, prudent valuation policies and processes, model risk. There were no specific examples of reviews addressing the timeliness of transaction capture and the reliability of market data; however; the specialists review prudent valuation methodologies to verify that weaknesses in market data are reflected in the valuation uncertainty metrics. The assessors also found evidence of adequate follow-up. |
| EC 5 | The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. |
| Description and findings re EC 5 | The PRA has an established Pillar 2 framework for market risk, to meet the requirements of this EC. This requires a firm to hold Pillar 2 capital for illiquid or concentrated positions, that the PRA considers not necessarily adequately capitalized based on VaR models. The Pillar 2 capital assessment follows a predefined process: firms submit their annual ICAAP report to their supervisor. Depending on the information provided in the ICAAP, the systemic importance of the institution, and other factors, the supervisor may then request the SRS division to conduct a review and incorporate it in the SREP. If as a result of the SREP, the supervisor finds that risks are under-estimated under Pillar 1, then a Pillar 2 capital charge is applied. The methodology to calculate the capital requires the bank to stress test exposures for a holding period of one year with a 99.9 percent confidence interval. The offsetting impact of any capital mitigants—such as accounting reserves or additional Pillar 1 capital held—is then deducted to arrive at the Pillar 2 capital charge. For valuation adjustments, the PRA GENPRU in Section 1.3120 provides full guidance on the U.K.’s valuation adjustment approach. The Valuation and Control Team of the SRS division supervises the valuation adjustments of banks and collects and analyzes data via standardized reporting in accordance with GENPRU Section 1.3 (see also EC 4). The assessors review a cross-firm analysis of IMA back-testing, following the introduction, under CRR, of the requirement to consider (for the purpose of the VaR multiplication factor) the largest number of VaR breaches between the hypothetical and actual P&L. It includes a proposal of feedback letters to the banks. |
| EC 6 | The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. |
| Description and findings re EC 6 | Art. 100 of the CRD requires supervisors to conduct annual stress tests under the SREP for all institutions they supervise. The SREP covers the market risk exposures of banks. For banks using internal models for market risk, Art. 368(1)(g) of the CRR mandates frequent stress tests to identify and address any shortcomings of the internal model vis-à-vis gap risks, concentration risks, market illiquidity, event risks, etc. The EBA SREP Guidelines recommend supervisors to assess whether an institution has implemented adequate stress tests regarding market risk that complement its risk measurement system. In particular, they require supervisors to cover:
The U.K. banking sector is also subject to the periodic stress tests conducted by the EBA. The FPC recommended in October 2013, regular stress tests to assess the health of U.K. banks and building societies in a discussion paper.121 The aim of the stress tests is to assess the impact of stressed financial periods on the individual banks and the system as a whole. The largest U.K. banks and the U.K. subsidiaries of non-U.K. banks are subject to these tests. Market risk exposures are included in this stress testing framework. The SRS, with the help of the bank supervision teams, conduct bank stress tests. The aforementioned BoE and EBA stress tests focus on capital. However, the quarterly risk submission (see EC 1 and EC 3) requires institutions to provide details on risk-management stress tests as well. For instance, SRS frequently asks institutions to stress test the impact of higher order risk sensitivities, currency de-pegs, and other events. These stress tests are used by the PRA to impose capital add-ons or require higher VaR multipliers to ensure the safety and soundness of the U.K.’s banking system. Starting in 2016 the PRA will also conduct a dark corners stress test scenario, which will be done every other year (opposite years of EBA stress testing) and will look to identify noncyclical risks. |
| Assessment of Principle 22 | Compliant |
| Comments | The PRA periodically reviews banks to assess that their market risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. Nine banks with the largest trading books are subject to CA; the remaining banks receive reviews of the effectiveness of their overall risk-management frameworks (including market risk) within the supervisory cycle. The assessors observed supervisory practice and verified observance of this principle. |
| Principle 23 | Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk122 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. |
| Description and findings re EC 1 | Art. 98 of the CRD requires that the review and evaluation performed by competent authorities shall include the exposure of institutions to the interest rate risk arising from nontrading activities. Mitigating measures, such as holding extra capital are required, as a minimum, where a bank’s economic value would decline by more than 20 percent of their own funds as a result of a sudden and unexpected change in interest rates of 200 basis points or such change as defined in the EBA guidelines. The requirements of the CRD are implemented in the U.K. via the PRA Rulebook. The ICAAP rules in the PRA Handbook require firms to:
Under Art. 13.1, firms are required to make a written record of their assessments made under those rules and its approach to evaluating and managing interest rate risk as it affects the firm’s nontrading activities. The PRA Statement of Policy “The PRA’s methodologies for setting Pillar 2 capital” (July 2015)123 outlines the methodologies used by the PRA to inform the setting of Pillar 2 capital for firms to which CRD applies. S7 provides details of the methodology used by the PRA to assess IRRBB exposures against the capital resources of the firm. As part of the PRA assessment, large U.K. firms are required to provide IRRBB data via the FDSF. All banks, including building societies, also provide data through the FSA017 regulatory returns. These data show the outcome of a standard shock of +/-200bp on both a simple basis and (optionally) under the firm’s own calculation. They also show separately what behavioral assumptions for assets, liabilities, and capital has been made by the firms, and what yield curve has been used for the calculation of the returns. Additional data on basis risk are collected from smaller banks and evaluated to identify outliers that need to be assessed in more detail for risks to future earnings. The PRA intends to further update its Pillar 2 methodology following Basel’s review of interest rate risk. For building societies, interest rate risk should be managed with reference to the PRA’s SS 20/15 on supervising building societies’ treasury and lending activities. Only societies whose banking book assets or liabilities reference an interest rate that is not administered by the society, or reference different interest rates, should incur any significant interest rate risk. Compliance with the above rules is tested during the course of the supervisory cycle. Frequency of meetings depends on the scale of the business. All meetings involve in depth reviews, as well as meetings with senior management and risk-management officers at banks. If necessary, the PRA will require a bank to take appropriate actions or steps at an early stage to address any future potential failure to meet its prudential regulatory requirements. For Category 2–4 banks, PRA specialists support supervisors in their assessments of banks’ ICAAPs to undertake more detailed reviews on a risk-assessed basis. The EBA recently published “guidelines on interest rate risk arising from nontrading activities” (May 2015).124 The guidelines will enter into force in January 2016. The guidelines for the management of IRRBB cover the following topics: scenario and stress testing, measurement assumption; methods for measuring interest rate risk; the governance of interest rate risk and the identification, calculation, and allocation of capital to interest rate risk. |
| EC 2 | The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. |
| Description and findings re EC 2 | The standards set out in PRA SS31/15)125 include a general requirement for the ICAAP (including the IRRBB assessment) to be the responsibility of a firm’s management body, that it is approved by the management body, and that it is used as an integral part of the firm’s management process and decision-making (S2.2–2.6). See EC 1 for the PRA’s supervisory approach to monitoring IRRBB. |
| EC 3 | The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:
|
| Description and findings re EC 3 | See EC 1. Specifically on points listed in the EC:
PRA
These requirements are tested as part of the PRA’s supervisory cycle. On the basis of the SREP, if necessary, the PRA will require a bank to take appropriate actions or steps at an early stage to address any future potential failure to meet its prudential regulatory requirements. In addition, for building societies, the SS 20/15 sets expectations for the level of IRRBB taken depending upon the strength of risk management, measurement systems and other elements of the controls framework.
Further as discussed in the ICAAP and the SREP, the PRA may need to request further information and meet with the governing body and other representatives of a firm in order to fully evaluate the capital adequacy for all risks undertaken. For building societies, the PRA’s standards are explained in “supervising building societies’ treasury and lending activities” (SS 20/15).126 Under Art. 2.3, societies are expected to adopt a risk-averse approach to maturity mismatch and to structural risk management. A degree of maturity mismatch and structural risk is inherent in normal society operations, but Boards of societies should set risk limits that either: (i) ensure that, as far as possible, exposures to changes in interest rates are minimized; or (ii) where interest rate positions are to be taken, restrict potential reductions in income or economic value, estimated under robust stress-testing scenarios, to levels that would not compromise the current or future viability of their societies.
Escalation procedures to Board and senior management and other risk-management arrangements are reviewed as part of the PRA’s supervisory processes. Smaller banks are subject to risk-based review, depending upon the complexity of their risk profile and their relative level of IRRBB exposure. Specialist supervisors assist with assessment and review of these banks over a more extended supervisory cycle. The PRA does not have a formal requirement for internal or external validation of models used for IRRBB, but its ICAAP and SREP processes require that, where a firm uses a model to aid its assessment of the level of adequate capital, it should be appropriately conservative and should contribute to prudent risk-management and measurement. |
| EC 4 | The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. |
| Description and findings re EC 4 | The guidelines recommend supervisors to assess whether the institution has implemented adequate stress test scenarios that complement its risk measurement system, based on EBA guidelines issued in accordance with Art. 98(5) of Directive 2013/36/EU (para. 313). In addition to the points mentioned above, the EBA guidelines on internal governance (GL 44, para. 22, risk management framework) require banks to conduct periodic stress tests to ensure effective risk management. In accordance with ICAAP, in the PRA handbook, Art. 9.2, a firm should apply a 200 basis point shock in both directions to each major currency exposure. The PRA will periodically review whether the level of the shock is appropriate in light of changing circumstances, in particular the general level of interest rates (for instance, during periods of very low interest rates) and their volatility. The level of shock required may also be changed in accordance with guidelines issued by the EBA. The PRA’s methodologies for setting Pillar 2 capital,” state that the PRA will test a range of currency-specific yield curve volatility parameters and a set of different interest rate shocks beyond the standard 200bps shock in either direction (S7.10). Further, the PRA requires firms to monitor the potential impact of changes in interest rates on earnings volatility. The assessment should consider an appropriate timeframe of three to five years, and factor in the firm’s forward-looking view of product volumes and pricing, based on its proposed business model during the scenario, and the projected path of interest rates. This information will be used in the PRA’s methodology outlined in the statement of policy “The PRA’s methodologies for setting Pillar 2 capital” (January 2015). Exposures to IRRBB are also tested as part of the stress tests conducted by the FPC that aim to assess the impact of stressed financial periods on the individual banks and the system as a whole. U.K. banks and the U.K. subsidiaries of non-U.K. banks are subject to these tests. |
| Additional criteria | |
| AC1 | The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book. |
| Description and findings re AC1 |
In the ICAA section of the Handbook, the PRA requires firms to:
Further as outlined in the statement of policy “The PRA’s methodologies for setting Pillar 2 capital,” the PRA will test a range of currency-specific yield curve volatility parameters and a set of different interest rate shocks beyond the standard 200bps shock in either direction (see S7.10). Through regulatory return FSA017 and the FDSF, the PRA collects data on the outcome of a standard shock of +/-200bp on both a simple basis and (optionally) under the firm’s own calculation. The data also show separately what assumptions about the behavior of assets, liabilities and capital has been made by the firms, and what yield curve has been used for the calculation of the returns. Additional data on basis risk are collected from smaller banks and evaluated to identify outliers that need to be assessed in more detail for risks to future earnings. |
| AC2 | The supervisor assesses whether the internal capital measurement systems of banks adequately capture IRRBB. |
| Description and findings re AC2 | CRD IV Art. 97, which sets out general requirements for the SREP, provides that supervisors shall determine whether the own funds held by them ensure a sound management and coverage of their risks, although it does not refer specifically to market risk. Then, as described above, Art. 98 (5) provides a specific requirement on IRRBB. The technical guidelines “technical aspects of the management of interest rate risk arising from non-trading activities under the supervisory review process” provide that institutions should be able to demonstrate that their internal capital is commensurate with the level of the interest rate risk in their banking book, and, in this respect, they should be able to calculate the potential changes in their economic value resulting from changes in the levels of interest rates and the overall IRRBB1. In the U.K., the supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control, or mitigate interest risk in the banking book on a timely basis. In addition to the requirements implemented through the EU’s legislation (CRD), the U.K. sets out expectations in the PRA statement of policy, “the PRA’s methodologies for setting Pillar 2 capital” (July 2015); SS 20/15 supervising building societies treasury and lending activities, SS 5/13 “the ICAAP and the SREP,” and the PRA’s guidance on “assessing capital adequacy under Pillar 2” (CP 1/35). |
| Assessment of Principle 23 | Compliant |
| Comments | Through the implementation of existing EBA guidelines as well as additional requirements set by U.K. supervisors, firms are subject to a range of requirements to ensure that they are measuring and managing their exposure to IRRBB appropriately. Supervisors, likewise, have appropriate responsibilities to evaluate exposures to this risk. The treatment of IRRBB is nonetheless facing two important changes that may also help the authorities to respond to the prior FSAP’s recommendation that they conduct better outlier analysis especially for mid-sized and smaller firms. First, the EBA has promulgated new guidelines that are coming into force in January 2016. U.K. supervisors believe that their existing methodology largely complies already with the incoming EBA guidelines; supervisors acknowledge that they may need to augment current data collection efforts from firms in preparation for the new outlier test contained in the EBA guidelines. At the time of the assessment, the PRA was updating its periodic IRRBB data collection framework. In particular, the PRA was modifying existing returns to consolidate the data collection and to collect any information, not already collected, to implement the EBA guidelines. Changes being made include modifying the FSA017 interest rate gap report for large deposit-takers to also capture data that is currently captured via other returns such as the FDSF documents PRA60.13 (ALM & Liquidity Risk) and PRA60.01 (capital and other projections). For the smaller deposit-takers, the FSA017 is being modified to capture information currently captured via X033—basis risk return. Second, the PRA’s Pillar 2 framework for treating IRRBB may change further in light of the Basel committee’s review. The Basel committee has not yet completed its review as of the time of this writing. A substantial part of the Basel committee’s reform is expected to introduce a more standardized methodology that may allow for greater comparability between banks in the same jurisdiction as well as across jurisdiction. If agreed by the Basel Committee and adopted in the U.K., the introduction of this methodology under Basel guidelines, plus the adoption of additional data collection set out in the incoming EBA guidelines, may help to address the prior FSAP’s recommendation that the authorities revise regular reporting forms for smaller and mid-sized firms such that U.K. supervisors can conduct better outlier analysis of this fundamental risk. |
| Principle 24 | Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. |
| Description and findings re EC 1 | In the EU, a modified-LCR (set out in the Art. 412 CRR and delegated Act 2015/61 by the EC) became effective for all banks from October 2015. The requirement follows the LCR set by the BCBS broadly, but with a number of divergences, which mostly are less conservative than the BCBS and as a result improve the ratios. These include, most notably:
Treatments more conservative than the Basel rule includes application of 15–20 percent run off rates for certain retail deposits (DA Art. 25 (2) (3)). Also, the 3 percent outflow rate for stable retail deposits cannot be applied during the phase-in period. According to the calculation by the EBA (EBA 2014 LCR Internal Auditing Report, December 2014), these changes lead to increase in LCR of 13.9 percentage points for all the sample banks (322) and decline in the number of banks failing to meet the 100 percent LCR from 74 to 17 (although one bank that is compliant under the Basel III LCR fails under the DA). This analysis showed the impact from the increase in the HQLA 2B instruments is by far the biggest. Covered bonds were not eligible for recognition in the previous regime (BIPRU) and, as a consequence, U.K. banks typically do not hold significant quantities of them. At the time of the assessment they did not represent a significant portion of either Level 1 HQLA or total HQLA. The implementation schedule in the EU is as follows:
The schedule is consistent with the Basel timetable, except for the latest start and for the fact that full implementation will be achieved one year earlier. MSs are allowed to speed up the pace of phase-in. The PRA has set a path to transition that will require firms to meet 100 percent LCR by January 1, 2018, but has set the initial LCR requirement as of October 1, 2015 at 80 percent, which is greater than the DA mandated 60 percent. Regarding liquidity monitoring tools, a final draft ITS on additional liquidity monitoring metrics, which covers tools prescribed in the BCBS LCR text, was adopted by the EBA and submitted to the EC (EBA ITS on AMM) and will form the basis of the PRA’s liquidity monitoring when in force. Currently the PRA relies on the pre-existent reporting framework, which includes basically the same information, but with a different structure: for example the maturity ladder used by the PRA has a shorter time horizon (5 years vs. > 10 years) and a finer detail (daily schedule vs. coarser and unevenly spaced maturity buckets). At the time of the assessment the PRA was maintaining its ‘old’ maturity ladder in parallel with the ‘new’ one, so as to ensure that no relevant information detail went lost in the regime switch (see below). Until the entry into force of the LCR (October 2015), regulation and supervisory expectations on liquidity risk in the U.K. were set in the BIPRU 12 liquidity regime. As a consequence of the regime switch, the PRA decided to revoke BIPRU 12 and to carry forward the broad principles established in BIPRU 12 into the new regime. The new regime is set out by the section ‘internal liquidity adequacy assessment’ of the PRA Rulebook. The PRA’s overall liquidity adequacy rule (OLAR) requires a firm to maintain adequate liquidity resources in amount and quality to ensure there is no significant risk that its liabilities cannot be met as they fall due. The PRA will normally give ILG to firms on the amount and quality of liquidity resources which it considers appropriate for a firm to hold to meet OLAR and what it considers to be a prudent funding profile for a firm. OLAR is supplementary to the liquidity requirements, set in the form of ILG. Where the firm’s liquidity resources fall, or are expected to fall, below the level advised in the ILG or its funding profile ceases to conform, or is expected to cease to conform, with the expectation set out in the ILG the firm must notify the PRA and submit a remediation plan. Supervisors set ILG for U.K. incorporated subsidiaries and, in limited circumstances, U.K. branches of overseas firms across all categories of firms. ILG can cover the amount, quality and profile of funding the firm should maintain. Supervisors monitor compliance with ILG through review of regulatory returns on a periodic basis and, at a minimum, quarterly for Category 1–3 firms and six-monthly for Category 4 firms. Supervisors of larger firms review liquidity returns (FSA047 and FSA048) at a frequency of biweekly or monthly, depending on the size of the institution. Should a bank fail to meet, or expect to fail to meet, the expectations set out in the ILG, this will often lead to an increased level of supervisory monitoring and action. At a frequency in line with the submission profile, supervisors review the metrics for unexpected changes or emerging trends, including where requirements or guidance may be breached. Should a breach occur, or be likely to occur firms are required to submit plans explaining the cause of the breach, or expected breach, and outline plans for restoring the liquidity profile to required levels. Such an event would prompt an increased level of supervisory scrutiny in line with CRR Art. 414. With regard to monitoring of qualitative aspects of ILG, supervisors review progress against qualitative guidance as part of their ongoing interaction with the firm, either as part of the CA approach or by agreeing delivery dates and check points with the firm at the time ILG is communicated upon completion of the supervisory review. With the transition from the previous to the current (i.e., LCR) liquidity risk regime, the PRA has decided and announced to banks that, until an L-SREP is undertaken under the new regime, the PRA carries forward the existing ILG add-on in the form of an interim Pillar2 liquidity buffer, aimed—like the ILG—at reflecting risks not captured by the LCR (such as intraday risk or concentration of funding sources). |
| EC 2 | The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. |
| Description and findings re EC 2 | The EU modified-LCR includes on- and off-balance sheet risks. Specifically, the DA contains treatments for both on- as well as off-balance sheet items and in different areas reflecting market risk. In particular there is an additional outflow for collateral outflows for derivatives under market stress, for which the EBA has delivered a final draft RTS (on additional liquidity outflows corresponding to collateral needs resulting from the impact of an adverse market scenario on the institution’s derivatives transactions, financing transactions and other contracts for liquidity reporting under Art. 423(3) of Regulation (EU) No. 575/2013). Also, there is an additional outflow for all contracts entered into the contractual conditions of which lead within 30 calendar days and following a material deterioration of the credit quality of the credit institution to additional liquidity outflows or collateral needs. (DA Art. 30(2)). The final draft ITS by the EBA (to be adopted by the EC) “EBA final draft ITS on additional liquidity monitoring metrics under Art. 415(3)(b) of Regulation (EU) No. 575/2013” includes reporting on rollover of funding and pricing of funding. This will allow supervisors to monitor the ability of institutions to refinance in the markets. Guidelines on common procedures and methodologies for the SREP recommend competent authorities to make a detailed assessment of the liquidity risk profile of institutions. This includes the evaluation of actual market access and also recommends NCAs to take into account warnings and recommendations issued by macroprudential authorities, including the ESRB. The OLAR requires firms to maintain liquidity resources which are adequate, both as to the amount and quality, and to maintain adequate qualitative arrangements to ensure there is no significant risk that it cannot meet its liabilities when they fall due. Firms are required to document their compliance with this rule as part of their individual liquidity adequacy assessment (ILAA). Using the ILAA as a preliminary source, the PRA assesses the adequacy of a firm’s liquidity resources through the supervisory liquidity review process (L-SREP) at a frequency of between one and three years defined by the systemic importance of the firm. The objective of the L-SREP is to define an appropriate liquidity profile and level of liquidity resources for that firm, as well as to identify any improvements necessary to the qualitative arrangements for managing liquidity. The output of the L-SREP informs the ILG. Quantitative ILG is a dynamic metric, reflecting the changing shape of a firm’s balance sheet. The regular review of ILG ensures that it is a set at a level consistent with the PRA’s view of changing macroeconomic conditions and markets. The quality and results of a firm’s stress testing are key inputs to demonstrate a firm’s compliance with the OLAR and influence ILG. Firms are required to document the results of their stress testing in their ILAA. When conducting these stresses, a firm must separately analyze the effect of the 14 sources of liquidity risk and the net level of outflows that would occur before management actions (PRA Rulebook’s ILAA S11.5). The broad approaches to liquidity stress testing outlined in BIPRU continue in the new liquidity regime (Rule 11.3). Firms must consider institution-specific, market-wide, and combined alternative scenarios across different time periods (Rule 11.4) making appropriate assumptions around the major sources of liquidity risk including, where appropriate, at least the sources of risk outlined in the revised PRA Rulebook rule 11.5. Para. 2.18 of SS 24/15 clearly states the PRA’s expectation that firms will consider a macroeconomic stress when conducting their internal stress testing, as do the EBA SREP guidelines (para. 411). As per the EBA SREP guidelines (para. 403) and SS 24/15 (para. 2.20(iii)), firms are required to consider market access when assessing their liquidity risk profile. ILG is reviewed annually for the most systemically important firms and every two to four years for the less systemically important firms. For the most systemically important firms, the supervisor can choose whether to conduct a focused or full-scope L-SREP but must conduct a full-scope L-SREP at least every three years. Where firms have liquidity risk that is not captured under the LCR, the PRA can exercise its discretion to apply Pillar 2 add-ons under ILG to ensure the liquidity risk profile is appropriately captured. In September 2012, the PRA responded to the FPC’s recommendation of June 2012, by announcing that firms could use collateral prepositioned for use in the BoE’s discount window facility to meet up to 10 percentage points of their ILG requirements. In June 2013, the FPC recommended that the minimum requirement should be set at an LCR of 80 percent until January 1, 2015, rising thereafter to reach an LCR of 100 percent on January 1, 2018. In August 2013, the PRA responded to the FPC’s recommendation by announcing that it would adjust liquidity requirements such that firms should hold highly liquid assets broadly equivalent to 80 percent of the LCR, in line with the FPC’s recommendation. It did this by allowing firms to use collateral pre-positioned for use in the BoE’s Discount Window Facility to meet up to 40 percent of their ILG requirements (subject to holding enough capital). When the LCR was eventually implemented in October 2015, the PRA set the minimum level at 80 percent, in line with the FPC’s recommendation. The supervisor retains the ability to set higher liquidity levels for individual firms where appropriate. |
| EC 3 | The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance |
| Description and findings re EC 3 | CRD Art. 86 provides a general requirement for liquidity risk management, including that competent authorities shall ensure that institutions have robust strategies, policies, processes and systems for the identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons, including intraday, so as to ensure that institutions maintain adequate levels of liquidity buffers. EBA’s “Guidelines on SREP methodologies and processes” (December 2014) specifies elements of management of liquidity risk to be assessed by supervisors in the context of SREP. Regarding policies and processes, the Guidelines recommend supervisors to assess whether:
The PRA’s approach to liquidity risk is in line with the EBA SREP guidelines (which will apply from January 1, 2016). The PRA Rulebook Chapters 3 and 4 transpose the requirements of CRD Art. 86 paras. 1–3 that a firm must have: a robust liquidity risk-management framework; sufficient liquidity buffers for stress scenarios; and, policies and processes, for managing liquidity risk that have been approved by the firm’s management body that are consistent with the risk profile and systemic importance of the firm. The PRA provided a suggested structure and content of an ILAAP document in SS24/15, Annex 1. This template includes sections, which detail the firm’s liquidity risk-management framework, policies, processes, and stress testing. The PRA Rulebook Chapter 13 requires firms to update their ILAAP annually for approval from its management body. The firm must regularly carry out an internal assessment of the adequacy of its liquidity and funding in accordance with its ILAAP. The PRA will use the firm’s ILAAP to form the basis of their liquidity assessment. The PRA will use the evidence contained in the ILAAP in line with SS24/15 paras. 3.5–3.8, to assess whether the strategies, policies, processes, and systems that enable it to identify, measure, manage, and monitor liquidity risk are comprehensive and bank-wide. This will inform the PRA’s judgment of the qualitative aspect of “ILG.” In the previous regime, BIPRU 12.4 (in particular BIPRU 12.4.-2R) already stipulated the requirement on firms to be able to withstand a range of different stress events while conforming with the liquidity risk appetite approved by the firm’s governing body. The requirements of BIPRU 12.3.4R were supplemented by BIPRU 12.3.5R which required the firm to ensure it has a comprehensive bank-wide view of liquidity risk consistent with its risk profile and systemic importance. The assessors found evidence of actual implementation of this EC in the ILAAP documentation and supervisory documents they had access to. These included: the ILAAs and related PRA’s focused reviews—conducted either by specialists or by line supervisors, depending on the bank category and focus of the assessment—for a major U.K. bank, a building society, the U.K. branch and subsidiary of an international bank, spanning a range of different business models and liquidity risk-management approaches. The reviews appeared thorough and detailed, with well articulated findings and related recommendations; they are tailored to the specific characteristics of the banks, including their systemic importance, and address a variety of liquidity risk-management aspects. The assessor also examined examples of the supervisory follow-up stemming from such reviews. |
| EC 4 | The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:
|
| Description and findings re EC 4 | The EBA SREP guidelines (which will apply from January 1, 2016) recommend supervisors to assess the following elements of this EC:
In the U.K. context the same elements as covered as follows:
Banks are recommended to refer to the EBA SREP Guidelines as outlined in SS 24/15, Annex 1. The PRA will assess the firm’s ILAA or ILAAP submission which must contain an assessment of the firm’s compliance with the PRA rules as outlined above. The supervisor will, through assessment of the firm’s ILAA or ILAAP and the CA engagement, determine whether a firm’s liquidity risk appetite is approved by the management body of the firm, is clearly articulated and appropriate for the firm’s business and role in the financial system.
The PRA determines whether a firm’s day-to-day and intraday liquidity management practices are sound through assessment of the firm’s ILAA or ILAAP and the CA engagement.
The PRA will assess the firm’s ILAA or ILAAP submission which must contain an assessment of the firm’s compliance with the PRA rules as outlined above. The supervisor will, through assessment of the firm’s ILAA or ILAAP and CA and engagement, determine whether a firm’s bank-wide information systems are effective in enabling the active identification, aggregation, monitoring and control of liquidity and funding risks.
The supervisor determines whether a firm’s management body has adequate oversight to ensure the effective implementation of policies and processes for the management of liquidity risk through assessment of the firm’s ILAA or ILAAP and the CA engagement.
The supervisor determines whether a firm’s management body regularly reviews and appropriately adjusts the firm’s strategy, policies and processes for the management of liquidity risk, through assessment of the firm’s ILAA or ILAAP and the CA engagement. The supervisor will expect the firm to update the ILAA or ILAAP document accordingly should there be a change in the firm’s risk profile or the external markets and macroeconomic conditions in which they operate. |
| EC 5 | The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:
|
| Description and findings re EC 5 | Art. 413 CRR requires firms to ensure their long term obligations are adequately met with a diversity of stable funding instruments under both normal and stressed conditions. Art. 86(1) CRD mandates competent authorities to ensure that firms have robust strategies, policies, processes and systems for the identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons, including intraday, so as to ensure that institutions maintain adequate levels of liquidity buffers. Art. 86(4) CRD mandates competent authorities to ensure firms develop methodologies for the identification, measurement, management and monitoring of funding positions. Those methodologies shall include the current and projected material cash-flows in and arising from assets, liabilities, off-balance- sheet items, including contingent liabilities and the possible impact of reputational risk. The EBA SREP guidelines (which will apply from January 1, 2016) recommend supervisors to assess whether the funding plan is feasible and appropriate in relation to the nature, scale and complexity of the institution, its current and projected activities and its liquidity and funding profile (para. 420). Regarding interaction between funding risk and other risks, the guidelines recommend supervisors to take into account whether the institution recognizes interactions between different risks arising from both on- and off- balance sheet items, when assessing whether the institution has an appropriate framework for identifying and measuring liquidity and funding risk (para. 404 b). On specific issues listed in this EC, the guidelines recommend supervisors to assess:
On (b) the guidelines require supervisors to assess the adequacy of the institution’s liquidity buffer and counterbalancing capacity to meet its liquidity needs (para. 388). The PRA expects firms to detail in their ILAA or ILAAP submission their compliance with the rules and expectations detailed above. The supervisor will ensure through review of the ILAA or ILAAP document and their CA engagement, consistent with the PRA’s approach to conducting a liquidity-supervisory review and evaluation process (L-SREP) as detailed in SS 24/15 section 3, that the firm complies with the above and below mentioned rules, requirements and guidelines in EC 4. Once the EBA ITS on AMM under CRR Art. 415(3)(b) have been adopted by the EC the supervisor will be able to monitor diversification of funding in part through the C.76.00 AMM return.
The alternative scenario and stress testing rules are supplemented by SS 24/15. Para. 2.20 (particularly (i) to (iii) and (v)) sets expectations on the firm’s analysis of the ten key risk drivers mentioned in EC 2.
The PRA Rulebook, s ILAA section, Rule 2.2 requires firms to hold liquidity resources containing an adequate buffer of high quality, unencumbered assets and to maintain a prudent funding profile. Rules 7, 8, and 10 requires firms to manage funding needs, collateral and asset encumbrance to ensure the firm can use the assets as set out in Rule 2.2 in a timely manner, without impediment, to obtain funding in times of stress. The PRA is consistent with EBA SREP guidelines para. 416, outlined above in the EBA text.
The PRA expect banks to have due regard to their own business model when determining the appropriate level of diversification in their buffer. In accordance with DA Art. 8(1) the PRA may set requirements on a firm to enforce increased diversification of the HQLA buffer, or conversely to restrict holdings of particular asset classes. This may include requirements on a firm’s liquidity management practices or investment policies. Under CRD Art. 103, the PRA may also restrict holdings of particular asset classes if it observes that this exposes several firms to a common set of risk factors. The PRA will review firms’ own policies (e.g., limits) on composition of the liquid asset buffer. The PRA will consider as part of its work on liquidity Pillar 2 how best to ensure that firms observe prudent principles of buffer composition. The EBA’s ITS on AMM C76.00 return will allow the supervisor to monitor diversification of funding.
The PRA expects larger firms to take into account the absolute size of their HQLA holdings and to be able to monetize these without compromising on either speed of disposal or price. They should also consider the impact of their actions on the wider market and on financial stability. In the previous regime, the above listed elements were covered by the BIPRU handbook. The supervisor will monitor the diversification of funding in part through the C76.00 CM return, in addition to ILAAP documents. |
| EC 6 | The supervisor determines that banks have robust liquidity contingency funding plans (CFPs) to handle liquidity problems. The supervisor determines that the bank’s CFP is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s CFP establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s CFP is feasible and requires the bank to address any deficiencies. |
| Description and findings re EC 6 | Art. 86(10) and (11) CRD mandate competent authorities to ensure firms develop CFPs to address possible liquidity shortfalls which are tested at least annually and approved by senior management. The EBA SREP Guidelines (which will apply from January 1, 2016) recommend supervisors to assess whether the institution’s liquidity contingency plan (LCP) adequately specifies the policies, procedures and action plans for responding to severe potential disruptions to the institution’s ability to fund itself (para. 417) Regarding the LCP the guidelines recommend supervisors to assess:
Chapter 12 of the revised PRA Rulebook’s ILAA Section requires firms to develop an effective LCP taking account the outcome of the stress tests. Firms are required to test their LCP at least annually. Further guidance for firms is provided in SS 18/13 with SS 24/15, Annex 1 recommending that firms cross reference the relevant section of the recovery and resolution plan in the ILAAP document. The supervisor will comply with paras. 417 to 419 of the EBA SREP Guidelines and will ensure that compliance with the requirements of the revised PRA Rulebook Chapter 12 are addressed in the ILAAP document and through the CA engagement. This will cover, but not be limited to, the firm’s CFP being formally articulated, adequately documented and that it sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments reflecting the liquidity risk profile of the firm. The actions outlined in the LCP should be in line with the firm’s overall risk strategy and liquidity risk tolerance. The supervisor will also assess whether the LCP establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. For the purposes of reviewing the recovery plans, the supervisors and the supporting recovery and resolution team undertake a joint assessment of issues arising from the CFP/LCP set out in the firm’s recovery plan. The supervisors and recovery and resolution experts review the stress scenarios in the recovery plan to identify whether or not liquidity recovery options generate sufficient benefit to the firm in the event a liquidity stress causes the firm to invoke their recovery plan. For the LCP and CFP review for the L-SREP, supervisors, along with liquidity experts in the SRS’ teams will assess the CFP/LCP in order to review the firms’ arrangements and how these are informed by the results of firms’ liquidity stress testing. The previous PRA liquidity regime (BIPRU 12.4.10 to 12.4.16) already stipulated the requirements, guidelines, and expectations on firms to create CFPs, setting out adequate strategies and proper implementation measures to address possible liquidity shortfalls. These plans had to be regularly tested, updated on the basis of the outcome of the mandatory stress tests required by the PRA rules, and reported to and approved by the firm’s governing body, so that internal policies and processes could be adjusted accordingly. |
| EC 7 | The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective CFPs. |
| Description and findings re EC 7 | Arts. 86(8), (9) and (10) CRD mandate competent authorities to ensure firms consider alternative scenarios on liquidity positions and risk mitigations at least annually. These considerations should cover the potential impact of institution-specific, market-wide, and combined alternative scenarios across different time periods and varying degrees of stress. The outcomes of these considerations should inform the development of effective LCPs. The EBA SREP guidelines recommend supervisors to assess whether an institution has implemented adequate liquidity-specific testing as part of its overall stress testing program (para. 408). Supervisors are recommended to analyze whether short-term and prolonged, and institution-specific and market-wide scenarios are considered by the institution (para. 410). On assumptions, supervisors are required to assess whether the institution takes a conservative approach to setting them (para. 412). The Guidelines also recommend supervisors to assess whether assumptions and scenarios are reviewed and updated sufficiently frequently (para. 413 d). In terms of use of the stress tests result, the guidelines recommend supervisors to assess whether the outcomes of stress testing are integrated into the institutions’ strategic planning process for liquidity and funding and used to increase the effectiveness of liquidity management in the event of a crisis, including in the institution’s liquidity recovery plan (para. 413 b). Chapter 11 of the PRA Rulebook’s ILAA Section outlines the PRA rules a firm must follow with regards to stress testing in line with the relevant requirements of CRD Art. 86. The rules require firms to conduct stress tests on a regular basis (11.3), across institution-specific, market-wide, and combined alternative scenarios across different time periods (11.4). Assumptions must be appropriate (11.5), reviewed by its management body (11.6), and the results used for risk-management purposes and the development of LCPs (11.7). The SS24/15, para. 2.18 to 2.22 sets the PRA expectation of the minimum considerations firms should undertake for a set of liquidity risk drivers in their stress testing program. SS24/15, para. 2.23 to 2.24 set PRA expectations that firms will consider intraday risk within their stress testing program. The PRA expects firms to detail in their ILAAP submission to document their compliance with the rules and expectations detailed above. The supervisor will ensure through review of the ILAAP document and their CA engagement, consistent with the PRA’s approach to conducting an L-SREP as detailed in SS24/15 S3, that the firm uses the results of the stress tests to adjust accordingly their risk-management strategies, policies and positions, and to develop effective LCPs. The previous PRA liquidity regime (BIPRU 12.4 and 12.5) requirements and guidelines already stipulated that firms include a variety of time horizons within both bank-specific and market-wide liquidity stress scenarios (individually and in combination) into their stress testing programs for risk-management purposes. These assumptions had to be reviewed at least annually (BIPRU 12.4.3). The results of the stress tests had to be used to adjust the firm’s strategies, internal policies and limits on liquidity risk and to develop effective CFPs (BIPRU 12.4.10). |
| EC 8 | The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. |
| Description and findings re EC 8 | CRR Art. 415 (2) requires an institution to report LCR separately in the currencies in which it has more than 5 percent of the total liability or it has a significant branch in a MS using a different currency. DA Art. 4 (5) requires institutions to also observe the LCR requirement in these currencies. Art. 8(6) requires firms to ensure that the currency denomination of their liquid assets is consistent with the distribution by currency of their net liquidity outflows and grants competent authorities the power to restrict currency mismatches. The EBA SREP guidelines recommend supervisors to assess, in relation to liquidity in different currencies:
The PRA Rulebook’ ILAA section, Rules 3.1, 3.2, 5.2(3), 81 11(5), 11(7) and 12.4 cover aspects of foreign currency liquidity transformation and significant currency exposures. Rule 3.1 requires firms to have robust strategies, policies, processes, and systems that enable it to identify, measure, manage, and monitor liquidity and funding risks, including tailoring these to currencies and legal entities. Rule 8 requires firms to actively manage its liquidity risk exposures and related funding needs taking account of currencies and limitations to potential transfers of liquidity among entities, both within and outside the EEA. Rule 5.2(3) requires firms to measure, monitor, and deal with intraday liquidity risk for the currencies in which it has significant positions. Rules 11(5) and 11(5)(2) require firms to stress test their cross currency funding risk and report to its management body any vulnerabilities identified and proposed mitigating actions. The stress testing rules are supplemented by SS24/15, para. 2.20 sets expectations on the firm’s analysis of key risk drivers outlined the revised PRA Rulebook Chapter 11; particularly 2.20(iii), 2.20(vii), and 2.20(viii). The PRA is consistent with the EBA’s SREP guidelines that recommend competent authorities assess an institution’s liquidity needs taking into account the currency of the liquidity needs and, where an institution operates in different material currencies, the separate impacts of shocks in the different currencies to reflect currency convertibility risk. The PRA can currently set ILG by currency where a firm has significant (greater than 20 percent) liabilities in a particular currency. The interim LCR reporting requirement will be on an all currency basis though as mentioned above, DA Art. 8 (6) grants competent authorities the power to restrict currency mismatches. When the EBA’s ITS on AMM under CRR Art. 415(3)(b) will be adopted by the EC, the PRA will monitor currency mismatches in part through the C.67.00 and C71.00 AMM returns. For the transitional period between the BIPRU 12 regime and the EU LCR, it was decided to maintain the submission of legacy PRA returns (FSA047 and FSA048). This allows the PRA to continue monitoring the liquidity position in each significant currency of bank subsidiaries. In the previous regime, the requirements of this EC were covered by the BIPRU handbook. The PRA does not set an explicit rule requiring firms to regularly review the limits on the size of its cash flow mismatches for foreign currency. |
| Additional criteria | |
| AC1 | The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. |
| Description and findings re AC1 | The EBA SREP Guidelines recommend that supervisors, in assessing risks to sustainability of the funding profile from concentrations in funding sources, take into account the risk that asset encumbrance may have an adverse effect on the market’s appetite for the unsecured debt of the institution (para. 396 b). Regarding disclosure, following CRR Art. 443, the EBA published guidelines on disclosure of encumbered and unencumbered assets. The disclosure guidelines provide the set of principles and templates that enable the disclosure of information on encumbered and unencumbered assets by products on a consolidated basis. The disclosure guidelines, which were published in June 2014, will be reviewed and form the basis for binding technical standards to be developed by 2016. On setting limits, the guidelines recommend supervisors to assess whether the limit and control framework helps institution to ensure the availability of sufficient and accessible liquid assets (para. 414 f). Rule 3.4 of the PRA Rulebook’s ILAA section requires firms to have risk-management policies to define their approach to asset encumbrance, as well as procedures and controls that ensure that the risks associated with collateral management and asset encumbrance are adequately identified, monitored, and managed. Chapter 10 details PRA rules on the management of asset encumbrance. Firms are required to actively manage their asset encumbrance position including the amount of unencumbered assets available in stress periods and any impediments to encumbering these assets in stress. A firm must actively manage its encumbrance position in a manner proportionate to its business model, specificities of the funding markets and the macroeconomic situation with the management body informed in a timely manner of an appropriate level of detail within its encumbrance levels and credit quality. The PRA expects firms to detail their compliance with the rules and expectations detailed above in their ILAAP submission. The supervisor will ensure that the firms level of unencumbered assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance through review of the ILAAP document and their CA engagement. The PRA’s thinking is still evolving with regard to asset encumbrance. The items supervision will be asked to investigate will be more specifically outlined within the L-SREP guidelines which take effect from October 1, 2015. These include, for example, the quality of the metrics, whether encumbrance will be high enough to deter potential investors and whether the limits are set with appropriate granularity and at a level to ensure sufficient free assets are available to fund previously unsecured funding in stress. The PRA will monitor the levels of asset encumbrance in firms through the submission of data in line with the EBA published guidelines on reporting of asset encumbrance. The previous PRA liquidity regime (BIPRU 12.3.33 and 12.3.34) already required firms to actively manage their asset encumbrance position. The management of asset encumbrance had to be conducted in a manner proportionate to a firm’s business model, funding sources and the macroeconomic situation and the governing body had to be informed of an appropriate level of detail on its encumbrance such as level, evolution, types, credit quality, ineligible amounts and contingent encumbrance. BIPRU 12.3.22 required that firms distinguish the amounts of unencumbered assets at all times, including in stress, and 12.3.23 required that the firm understands any impediments to encumbering these assets in stress. |
| Assessment of Principle 24 | Largely Compliant |
| Comments | At the time of the previous FSAP, the mission observed that “the new comprehensive liquidity regimen and supervisory program that the FSA has put in place recently, over time, will be a strong base for U.K. supervisors to assess banks’ liquidity management strategies adequately, including prudent policies and processes to identify, measure, monitor, and control liquidity risk.” Post-crisis evolution in the U.K. supervisory framework for liquidity risk put the U.K. authorities at the front edge in the area. As a result of this legacy and of a persistent heightened attention to liquidity and funding management in the banks, the PRA is equipped with a liquidity risk framework that is overall robust, structured, consistently implemented. At the time of this assessment the PRA was transitioning from the previous national regime (regulated by the BIPRU12 section of the FSA—then PRA—Handbook) to the EU version of the LCR standard (October 2014). BIPRU12 was ‘switched off,’ though part of the preexistent reporting framework is provisionally maintained, so as to allow the PRA to have adequate sight of liquidity and funding positions during the transition to the EU LCR regime. The assessors agree and appreciate the PRA commitment to ensure that it keeps on being equipped, where permissible, with the monitoring tools that it created to back its supervisory action. The assessors were not in the position to verify the implementation of the new regime, but got comfort from the comprehensiveness of the rules in place (which sometimes go beyond the EBA guidelines) and the observation of the consistent implementation of this principle before and after the regime through the analysis of ILAAP documentation and supervisory documents. There are no substantial deviations from the requirements of this principle in the PRA framework for liquidity risk. The main notable exception to this overall positive picture is the LCR requirement: the LCR adopted in EU has a number of elements which are less stringent than the Basel agreed rule, most notably a wider definition of HQLA. Given EC 1 clearly states that for internationally active banks the prescribed liquidity requirement should not be lower than the applicable Basel standard, the EU regulatory framework’s compliance with the EC is problematic. In 2014 the EBA performed a comparison between the Basel and EU versions of the LCR: it found that the EU implementation of LCR determined an average increase of banks’ LCR by 13.9 percent, with a significant dispersion of results. It also stated that “large, internationally active banks show only a moderate increase in the LCR.” The PRA maintains that most of the increase in LCR ratios was driven by the assumption made regarding level 2B assets. It must be said that the PRA has set the initial LCR requirement as of October 1, 2015 at 80 percent, which is greater than the 60 percent mandated by the EU regulatory standard and will ensure a higher LCR floor for the U.K. banks until January 2017. Also, as part of the LCR Pillar 2 framework the PRA will consider how best to ensure that firms observe prudent principles around buffer composition. As a consequence, of the EU LCR being less stringent in important respects than the applicable Basel standard, the assessors deem the overall U.K. supervisory framework for liquidity risk largely compliant. |
| Principle 25 | Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk127 on a timely basis. |
| Essential criteria | |
| EC 1 | Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). |
| Description and findings re EC 1 | All banks are required to comply with the provisions of CRD IV/CRR that set out general risk-management standards specific to firms that have adopted the standardized approach and AMA for operational risk measurement and management. In addition, under Section 10.1 of the ICAAP rules in the PRA Rulebook, banks are required to implement policies and processes to evaluate and manage their exposures to operational risk. In accordance with Section 10.1 of the ICAAP set out in the PRA Handbook, banks are required to implement policies and processes to evaluate and manage their exposures to operational risk, including model risk, and to cover low-frequency, high severity events (Art. 85(1) of the CRD). The PRA requires all Category 1 firms to have operational risk-management frameworks that are commensurate with their scale, nature and complexity and that meet the qualitative standards applicable to the AMA the Basel capital framework. Supervisors conduct firm-specific reviews to verify these arrangements. |
| EC 2 | The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. |
| Description and findings re EC 2 | The PRA Rulebook provides guidance that a firm should provide its governance body with the information it needs to perform its role in identifying, measuring, managing, and controlling risks of regulatory concern. The PRA Handbook also specifies that the CRO should report to the firm’s governing body on the firm’s risk exposures relative to its risk appetite and tolerance and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the governing body’s risk appetite and tolerance (SYS21.1.2). U.K. supervisors expect that the Board approves risk appetite, though this is not a formal requirement. U.K. supervisors have found that, in some cases, governance responsibilities are handled by committees of the Board, such as the risk committee, the operational risk committee, etc. The PRA reviews operational risk appetite and governance arrangement on a proportionate basis as part of operational risk reviews. Supervisors have the ability to require changes to a firm’s methodology or practices if necessary. |
| EC 3 | The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk-management process. |
| Description and findings re EC 3 | In addition to the points raised in EC 1 and EC 2 above, supervisors assess the effectiveness of implementation and integration of operational risk policies and procedures in a firm through review of management reporting and governance committee minutes; reviews of procedures for, and outputs from, the operational risk-management framework; discussions with the CRO and Internal Audit. Especially for Category 1 firms and some Category 2 firms, U.K. supervisors evaluate the effective implementation of risk-management policies and procedures through “deep-dives.” Staff shared in discussions that the PRA aims to complete about 10-12 deep-dives in aggregate related to operational risk across all Category 1 firms each year; in addition, often supervisors will undertake two deep dives in aggregate per year across all Category 2 firms each year. Typically few or no specialist resources are available for firms in categories 3–5. For Category 1 firms, usually about two to four aspects of operational risk are evaluated through deep-dives, and staff noted that this implied that operational risk is assessed on a comprehensive basis over a period of about three years for each firm. The pace of this work reflects the PRA’s sense that while operational risk can crystallize abruptly, the underlying exposures typically build up slowly, and therefore U.K. supervisors see typically limited supervisory value in more frequent assessments. Internal documents made available to assessors suggest as well that the PRA’s approach to supervising operational risk evolved over the course of late 2013–2014, moving from reviewing “high-level operational risk frameworks” under the former approach to adopting reviews that are more “targeted, looking at individual types of operational risk that we think are particularly relevant for each firm.”128 Supervisors realized that the former approach failed to consider the longer-term implications that some operational risk events can have. In addition, supervisors learned through experience that their approach to operational risk reviews were too standardized and did not consider the key operational risk exposures that individual firms might face.129 |
| EC 4 | The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. |
| Description and findings re EC 4 | Firms must comply with EBA guidance on SREP (paras. 279–280) on this expectation, which includes having contingency and business contingency plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruptions (CRD Art. 85). In 2014 the PRA reviewed one aspect of these arrangements (business continuity arrangement sin off-shore processing centers) across major 12 firms. In the U.K., this expectation appears in requirements specified in the PRA Rulebook (SYSC 4.1.6 and SYSC 4.1.7), under which firms must take reasonable steps to ensure continuity and regularity in the performance of their regulated activities. They must establish, implement, and maintain adequate business continuity policies and employ appropriate and proportionate business continuity systems, resources, and procedures. In addition, firms in the U.K. must comply with the PRA’s Fundamental Rule 8, which requires firms to be prepared for an orderly resolution with minimum disruption to CEFs. This expectation is complemented by the PRA Rulebook’s requirement that firms take reasonable steps to ensure continuity and regularity in the performance of their regulated activities (SYSC 4.1.6 and SYSC 4.1.7). Supervisors review all Category 1–4 recovery and resolution plan documents on an annual basis. |
| EC 5 | The supervisor determines that banks have established appropriate information technology (IT) policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound IT infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. |
| Description and findings re EC 5 | The PRA’s Fundamental Rule 5 requires a firm to have effective risk-management systems; the FCA Rulebook (SYSC 3.1.1) requires that a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. SYSC 3.2.21 requires firms moreover to have appropriate systems and controls in place to fulfill its regulatory and statutory obligations with respect to adequacy, access, periods of retention, and security of records. GENPRU 1.2.89G states that firms should satisfy themselves that their systems are sufficiently sound to support the effective management and, where applicable, the quantification of risks. The notes above outlining how the supervisors address the ECs summarize some of the key ways through which supervisors evaluate the management of operational risk. |
| EC 6 | The supervisor determines that banks have appropriate and effective information systems to:
|
| Description and findings re EC 6 | The criteria for information systems for banks using the standardized and AMAs to operational risk under Basel II/III are detailed in CRR Art. 320 and 321. SRS assess periodically the effectiveness of operational risk reporting to banks’ Boards, senior management, and business lines, and these assessments include discussions with internal audit. |
| EC 7 | The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. |
| Description and findings re EC 7 | The PRA’s Fundamental Rule 7 requires a firm to deal with its regulator in an open and cooperative way and to disclose to the PRA “anything related to the firm of which the PRA would reasonably expect notice.” Since the start of 2015, the PRA has required Category 1 firms to provide quarterly data on their operational risk exposures through the FDSF; the data required includes operational risk loss events, top risks, scenarios, and emerging risks. SRS staff collate this data and present overviews to supervisory teams for Category 1 firms every six months. For firms presenting less systemic risk to the U.K. financial system, the work may be carried about by groups of supervisors with oversight responsibilities for the firms in question. |
| EC 8 | The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:
Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. |
| Description and findings re EC 8 | The PRA Rulebook (SYSC 4.1.1R) requires a bank to have effective processes to identify, manage, monitor, and report risks and internal control mechanisms. A firm must not outsource important material, operational functions in such a way as to impair materially the quality of its internal controls or the ability of the PRA to manage the bank’s compliance with all of its obligations under the regulatory system and, if different, of a competent authority to monitor the firm’s compliance with all obligations under Directive on Markets in Financial Instruments (MiFID). The PRA Rulebook also requires banks, their auditors, the PRA, and any other relevant competent authority to have effective access to data related to outsourced activities, as well as to the business premises of the service provider (SYSC 8.1.8(9)R). The Rulebook requires that the PRA and any competent authority be able to exercise those rights of access. Supervisors offered assessors examples of specific cases in which the PRA evaluated outsourcing arrangements and required changes in the arrangements to address their concerns. Supervisors noted that large-scale outsourcing is not yet prevalent among U.K. banks but that the rise of “challenger banks” may increase the demand for outsourcing. As that demand increases, supervisors expect to conduct more onsite reviews of those arrangements as they have already done for the insurance sector. |
| Additional criteria | |
| AC1 | The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). |
| Description and findings re AC1 | The BoE, the PRA, and other U.K. authorities including the home office have run market-wide exercises to investigate common points of exposure to operational risk or other potential vulnerabilities. As examples, supervisors summarized a 2013 financial sector cybersecurity exercise that had been undertaken across twenty firms (including six financial market infrastructure providers), the PRA and BoE, plus other U.K. public sector authorities. The exercise focused on disruption and dislocation in wholesale markets and in the financial market infrastructure supporting those markets that could arise from an attack. In addition, supervisors shared insight into an initiative that the BoE launched in June 2014 to conduct penetration tests for financial services organizations using intelligence from government and accredited commercial providers. The BoE expects to report on this initiative, called “CBEST,” in the summer of 2016. |
| Assessment of Principle 25 | Compliant |
| Comments | As reported by supervisors, the PRA’s approach to the supervision of operational risk in the largest firms has undergone important changes over the past two years. Supervisors report that they now customize their reviews more closely to the key risk exposures that the largest firms face. The more strategic use of several deep-dives spread out over three years for each of the largest firms may provide supervisors with some confidence that firms are making progress in their development of operational risk frameworks. It is though uncertain whether this pace of review is sufficient to ensure that large firms are keeping pace with the state of the article in operational risk management. Since the treatment of operational risk as an explicit risk discipline is a recent development, it is possible that important innovations could emerge at a more rapid pace than might be true for more established and traditional risk-management stripes. Supervisors may wish to consider ways to monitor and evaluate with potentially greater frequency the most important advances in operational risk-management and look horizontally across major firms to ensure they are keeping pace. As supplements to the “deep-dives,” supervisors at the PRA seek to monitor firms’ own sense of their exposure to key operational risks and how those views may differ from supervisors’ assessments. PRA supervisor risk specialists developed an operational risk dashboard that gathers firms’ views on their exposures to process risks, infrastructure risks, business practice risks, and other risks, and compares those results against the views of PRA supervisors. The dashboard is intended to provide supervisors with comparative data on firms to develop peer group comparisons and identify outliers. Currently three dashboards are developed for (i) Category 1 U.K. international firms; (ii) Category 1 international Banks; and (3) Category 1 U.K. domestic firms. Lastly, risk specialists support supervisors with their ongoing contacts with firms’ operational risk function to monitor changes in their frameworks as well as to maintain their knowledge of the industry practices in this field afresh. The authorities noted that operational risk specialists in particular are expected to allocate around 10 percent of their time to such activities in Category 2 firms.130 The decision to limit the availability of expert operational risk resources in smaller firms is an understandable effort to deploy resources efficiently and effectively. As long as the operational risks in these smaller firms are indeed lower, the decision may be appropriate. However, nearly all firms are exposed to substantial operational risk in IT and cybersecurity. Smaller firms may have fewer resources for addressing those risks. Innovative firms may seek to build their comparative advantages relative to traditional firms by deploying novel technology, innovative processes, or unusual or wider outsourcing arrangements. It may be important for U.K. supervisors to consider these matters as they evaluate their current operating model. The PRA has nonetheless recognized some of these recent changes in the operational risk landscape and in particular the emergence of challenger banks. The authorities report that one aspect of this is the increase of the operational risk and IT risk resources allocated to smaller banks from less than 10 percent of these two specialist pools in 2014 to around 20 percent in the second part of 2015. U.K. supervisors have responded to recent lessons learned from their former approach to supervising operational risk and are encouraged to continue to evaluate the best ways to ensure appropriate mitigation of operational risk broadly in supervised firms. |
| Principle 26 | Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent131 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. |
| Essential criteria | |
| EC 1 | Laws, regulations, or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:
|
| Description and findings re EC 1 | CRD Art. 74.1 is contained in GOR 2.1 of the PRA Rulebook, which also implements Art. 13(5) and the second para. of the Markets in Financial Instruments Directive (MiFID). Under GOR 2.1, “a firm must have robust governance arrangements, which include a clear organizational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.” It also requires firms to have “effective control and safeguard arrangements for information processing systems.” GOR 2.2 requires the arrangements, processes, and mechanisms referred to under 2.1 to be comprehensive and proportionate to the nature, scale and complexity of firms’ activities. They must also take into account specific technical criteria described in other rules—such as in skills, knowledge, and expertise (SKE) 3.2 of the PRA Rulebook, which requires firms to define arrangements concerning segregation of duties and the prevention of conflicts of interest, and the risk control part of the PRA Rulebook, which implements CRD Art. 76. Under GOR 2.3, firms are required to establish, implement, and maintain (i) decision-making procedures and an organizational structure which specifies reporting lines and allocates functions and responsibilities; and (ii) adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm. Under 2.7, “A firm must establish, implement and maintain accounting policies and procedures that enable it, at the request of the PRA, to deliver in a timely manner to the PRA financial reports, which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.” Under 3.2, “a firm must ensure that its management is undertaken by at least two persons meeting the requirements laid down in 3.1.” Where 3.1 states that “the senior personnel of a firm must be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of a firm.” The above requirements in the PRA Rulebook are incorporated into the ‘PRA’s approach to banking supervision (June 2014).’ This approach outlines that firms should have robust frameworks for risk-management and financial and operational control, commensurate with the nature, scale, and complexity of their business, and consistent with their safety and soundness. Competent and where appropriate independent control functions should oversee these frameworks and its risk-management and control functions. In many cases these expectations are directly reflected in PRA rules. More generally they elaborate on the ‘prudent conduct’ and ‘effective supervision’ Threshold Conditions. The PRA supervisory approach to ensuring that firms’ internal control environments are robust is covered in EC 2 to 5. The FCA leads on financial crime, AML, and other conduct related issues, including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading, and computer intrusion. However, the PRA will consider these issues in the context of operational risk and the potential impact the effectiveness of a firm’s internal controls may have on a firm’s prudential safety and soundness. |
| EC 2 | The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions, and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. |
| Description and findings re EC 2 | The SKE part of the PRA Rulebook sets out requirements on firms to ensure that staff have appropriate SKE (SKE 2.1); that employees are not given multiple tasks that might compromise their ability to act properly (SKE 3.1); that a firm monitors, and regularly evaluates, the adequacy of its systems, and controls related to staff. In addition, at Category 1 firms the PRA meets regularly, and more than once per year, with the head of audit; head of compliance; the chair of the audit committee; the chair of the compliance committee; the head of the risk committee; and the external auditor. For firms in lower categories, meetings are held annually with the chairs of the audit and risk committees, and the head of internal audit. As outlined in the PRA approach document, firms should have in place separate risk-management and control functions—notably risk management, finance, compliance, and internal audit—to the extent warranted by the nature, scale and complexity of their business. Senior management and the Board should hear and heed the views of these functions. This means that they require access to the Board and (where a firm has them) the Board’s risk and audit committees, which should oversee these functions to ensure their independence and effectiveness. These functions support and challenge the management of risks across the firm, by expressing views within the firm on the appropriateness of the level of risk being run and the adequacy and integrity of the associated governance, risk-management, and financial and other control arrangements. The PRA expects these functions to be independent of a firm’s revenue-generating functions, and to possess sufficient authority to offer robust challenge to the business. This requires these functions to be adequately resourced, to have a good understanding of the business, and to be headed by individuals at senior level who are willing and able to voice concerns effectively. |
| EC 3 | The supervisor determines that banks have an adequately staffed, permanent, and independent compliance function132 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. |
| Description and findings re EC 3 | Compliance and Internal Audit 2 of the PRA Rulebook requires a firm to establish a permanent, effective and independent compliance function (2.3) and to appoint a compliance officer responsible for coordinating the various tasks associated with the firm’s compliance policies and procedures, and reporting to senior management (2.4). In order to enable the compliance function to discharge its responsibilities properly, the function “must have the necessary authority, resources, expertise and access to information”; compliance staff “must not be involved in the services or activities they monitor” and the firm’s remuneration policy should not undermine the compliance function’s objectivity (2.4). |
| EC 4 | The supervisor determines that banks have an independent, permanent and effective internal audit function133 charged with:
|
| Description and findings re EC 4 | Under Compliance and Internal Audit 3.1 of the PRA Rulebook, the PRA requires firms to establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm, where, given the nature, scale and complexity of its business, it is an appropriate and proportionate way of ensuring the firm maintains adequate and effective internal control mechanisms and arrangements. The internal audit function should be responsible for issuing recommendations and verifying compliance with those recommendations. In practice, all significant U.K. firms have an internal audit function, either fully sourced by the firm’s personnel or, if not, by a combination of internal and outsourced personnel. Under 3.1, the internal audit function has to establish, implement, and maintain an audit plan which examines the adequacy and effectiveness of the firm’s systems and controls, makes recommendations based on its work and verify compliance with those recommendations. Internal audit should provide independent assurance over firms’ internal controls, risk-management, and governance. |
| EC 5 | The supervisor determines that the internal audit function:
|
| Description and findings re EC 5 | Under GOR 2.1 of the PRA Rulebook134 the PRA expects a firm to ensure an internal audit function meets all the elements identified in (a) to (f) in this EC. Further requirements are also placed on firms in regards to the internal audit function through the compliance and internal audit part of the PRA Rulebook. Under Part 3.1135 “a firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm.” Under GOR Part 4.2 (1) of the PRA Rulebook “a firm must ensure that its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by Compliance and Internal Audit…indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies.” Under compliance and internal audit part 3.1 (1), where appropriate and proportionate in view of the nature, scale and complexity of its business and the range of its financial services and activities, a firm is required to “establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm’s systems, internal control mechanisms and arrangements.” Internal audit is currently part of the systems and control controlled function (CF 28) in the table of PRA controlled functions.136 The head of internal audit is also a SIF and all individuals applying for this role need to be approved by the PRA in consultation with the FCA. In assessing whether to approve the individual for the role, the PRA performs an assessment of an individual’s competence and capability to carry out the role (The PRA’s approach to banking supervision, June 2014, paras. 89–90). The PRA also places requirements on firms with regard to the outsourcing of functions in general, which addresses part (g) of EC 5. Under outsourcing part 2.6 (3)137 of the PRA Rulebook a firm “must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing, and must supervise those functions and manage those risks.” It is expected this rule would be applied where a firm outsourced functions relevant to internal audit. The supervisor assesses whether the firm’s internal audit function is operating effectively as part of its ongoing supervision of the firm. For example, some business model analysis work will assess the strength of the internal audit function as part of the review. This can include the capability and scale of resources in the internal audit function. The PRA requests copies of, and reviews, internal audit reports and can request the minutes and papers of audit committee meetings as part of its CA of the firm and when conducting onsite and desktop based reviews. In practice, for larger firms which the PRA supervises, audit committee papers, and minutes form part of the normal MI received from the firm. The PRA also meets, at least annually, with the head of internal audit, chair of the firm’s audit committee and external auditors of Category 1 and 2 firms, and periodically, on a proportionate basis, for Category 3, 4, and 5 firms. These meetings form part of the wider continuous program and provide supervisors the opportunity to test their findings and observations of the internal audit function. The PRA also meets with other Board and Board committee members, which allows the PRA to assess how internal audit reports/recommendations are escalated upwards and the extent to which findings are given adequate consideration by the Board and Board committees. In the event of internal audit duties being outsourced to an external body, such as a firm of accountants, the PRA seek similar comfort on the quality of work undertaken and its effectiveness in influencing the standard of internal control and risk management. In addition to its regular supervision, the PRA has powers to require the provision of a report on a firm, which could cover the effectiveness of the internal audit function, by a skilled person (FSMA S166). |
| Assessment of Principle 26 | Compliant |
| Comments | The PRA’s approach to supervision sets out an expectation that “firms should have in place separate risk-management and control functions—notably risk management, finance, compliance, and internal audit—to the extent warranted by the nature, scale, and complexity of their business.” For the largest and most systemically important firms, the PRA has set out expectations for its supervisors regarding their engagement with these various risk-management and control functions within the firm and with chairs of relevant committees at the Board level. In addition, the use of the APR may have helped supervisors to ensure that individuals being placed in key roles within firms were “fit and proper,” though as outlined earlier in this FSAP, problems have emerged with this approach that led to the proposal to replace the regime with a new SMR. As this came into force in March 2016, assessors at the next FSAP will have the opportunity to evaluate the SMR’s success in ensuring that the individuals in key roles in firms are indeed fit and proper and can be held appropriately accountable for their responsibilities. For smaller and less systemically important firms, the PRA may have fewer touch points beyond the PSM and subsequent midyear review to ensure that internal controls and internal audit are functioning as expected. U.K. supervisors rely on these firms’ compliance with the fundament rules and the threshold conditions and to report to supervisors when problems emerge with meeting these expectations. |
| Principle 27 | Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. |
| Essential criteria | |
| EC 1 | The supervisor138 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. |
| Description and findings re EC 1 | Regulation 2002/1606 (Arts. 4 and 5) requires the application of IFRS to the consolidated financial statements of EU companies whose securities are traded on a regulated EU market. EU countries may extend the application of IFRS to annual financial statements and nonlisted companies. Transparency Directive 2004/109/EC (Art. 4) stipulates that all issuers (including non-EU ones) whose securities are listed on a regulated market located or operating in an EU country must use IFRS and publish their financial statements annually. The audited financial statements shall comprise such consolidated accounts under IFRS as endorsed in EU and the annual accounts of the parent company drawn up in accordance with the national law of the MS in which the parent company is incorporated. Where the issuer is not required to prepare consolidated accounts, the audited financial statements shall comprise the accounts prepared in accordance with the national law of the MS in which the company is incorporated. Arts. 74 and 88 of the CRD require that institutions have in place appropriate robust governance arrangements including sound accounting practices in order to ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards. U.K. banks, building societies, and credit unions (‘U.K. credit institutions’) are required by the relevant law (the Companies Act 2006, the BSA 1986, and the Friendly and Industrial and Provident Societies Act 1968) to prepare financial statements and to maintain books and records that inter alia produce adequate and reliable data for the preparation of those financial statements. U.K. credit institutions are required to prepare their annual financial statements in accordance with IFRS as endorsed for use in the EU, U.K. FRS 101 reduced disclosure framework, or FRS 102 the FRS applicable in the U.K. and Republic of Ireland. Though not international standards, both FRS 101 and 102 describe accounting policies and practices that are widely accepted internationally. U.K. credit institutions are required by the aforementioned Acts of parliament to maintain books and records that inter alia produce adequate and reliable data for the preparation of those financial statements. The PRA, through its implementation of Arts. 74 and 88 of the CRD (GOR 2.1 and 5.1)139 has similar requirements. The FCA, through the U.K. listing authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed credit institutions, and the department of business, innovation, and skills (BIS), and the FRC enforce them on other firms. The PRA also reviews firms’ ability to produce adequate and reliable data. Although the focus of these reviews is often on internal MI and regulatory data, there is a natural overlap with accounting and other financial data. The PRA also reviews the external auditors’ management letter, as well as key audit committee and internal audit material and other material which helps the PRA in assessing the quality of a firm’s recordkeeping systems. |
| EC 2 | The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. |
| Description and findings re EC 2 | Under Art. 26 of the Audit Directive (2006/43/EU), MSs shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the commission. MSs may apply national auditing standards, procedures or requirements as long as the commission has not adopted an international auditing standard covering the same subject-matter. Under Art. 41 of the Audit Directive (2006/43/EU), public interest entities (credit institutions as defined in point 1 of Art. 3(1) of Directive 2013/36/EU) should establish an audit committee responsible to: (i) monitor the financial reporting process; (ii) monitor the effectiveness of the company’s internal control, internal audit where applicable, and risk-management systems; (iii) monitor the statutory audit of the annual and consolidated accounts; and (iv) review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audit entity shall monitor. However, this is without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of the shareholders of the audited entity, as also required under Art. 33 of the Accounting Directive (2013/34/EU). U.K. credit institutions are required by the relevant law (the Companies Act 2006, The BSA1986 and The Friendly and Industrial and Provident Societies Act 1968) to obtain an independent auditor’s opinion on their annual financial statements. Those audits are required to be conducted in accordance with auditing standards issued by the FRC. These auditing standards are referred to as ‘International Standards on Auditing (ISAs) (U.K. and Ireland).’ but are issued by the International Auditing & Assurance Standards Board (IAASB), with additional guidance or legal requirements to fit with local circumstances (for example, covering the duty of external auditors to report to the PRA in certain circumstances). The FRC has also issued guidance on the application of ISAs (U.K. and Ireland) to U.K. credit institutions: Practice Note (PN) 19 the audit of banks and building societies in the United Kingdom140 and PN 27 the audit of credit unions in the United Kingdom.141 PNs are persuasive rather than prescriptive and are considered indicative of good auditing practice. ISAs (U.K. and Ireland) require the auditor to include a statement as to whether the audit has been conducted in accordance with ISAs (U.K. and Ireland) as part of the auditor’s report. The PRA meets on a regular basis with external auditors of Category 1 firms and liaises with the external auditors of other credit institutions. The existence of an external auditor that carries out a high-quality audit is important to the way the PRA supervises firms and, through the discussions held with client specific audit teams, audit firms as a whole, and the auditing profession in general, the PRA seeks to ensure that those high standards are upheld. |
| EC 3 | The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. |
| Description and findings re EC 3 | Regulation 2002/1606 (Arts. 4 and 5) requires the application of IFRS to the consolidated financial statements of EU companies whose securities are traded on a regulated EU market. EU countries may extend the application to annual financial statements and to nonlisted companies. Must be assessed on a national basis. Art. 24 of the CRR requires that the valuation of assets and off-balance sheet items shall be effected in accordance with the applicable accounting framework. For prudential purposes, Art. 105 of the CRR requires that credit institutions establish and maintain systems and controls sufficient to provide prudent and reliable valuation estimates. In addition, Art. 105 of the CRR requires institutions to perform an independent verification and validation and to establish and maintain procedures for considering valuation adjustments to the position required for financial reporting and regulatory purposes. Art. 34 of the CRR requires institutions to apply the requirements of Art. 105 to all their assets measured at fair value when calculating the amount of their own funds and shall deduct from CET1 the amount of any additional value adjustments necessary. U.K. credit institutions are required either to prepare their financial statements in accordance with IFRS as adopted for use in the EU, FRS 101, or FRS 102. Those standards prescribe the measurement basis to be used for accounting purposes and, although there are some differences in detail, all those standards describe accounting practices that are widely accepted internationally. For prudential capital purposes, valuations are required (by Art. 24 of the CRR) to be effected in accordance with the applicable accounting framework and, in addition, trading book positions are to be subject to the standards for prudent valuation set out in Art. 105. What this means in practice is that accounting valuations are used for regulatory purposes except that accounting fair values are subject to so-called prudent valuation adjustments. The EBA is developing a RTS setting out how these prudent valuation adjustments are to be made.142 Although that RTS has not yet been formally adopted, it has existed in draft form now for two years and the PRA’s expectation is that firms will be applying it already. Supervisors assess the governance arrangements and systems and controls that firms are required by Art. 105 of the CRR to have in place to independently verify and validate their valuations. This work tends to focus on the major trading firms and on the prudent valuation adjustments made for regulatory purposes, where practice is benchmarked against EBA’s draft RTS on the subject; the underlying fair values being subject to external audit. This is achieved through regular CA meetings with the independent valuation control functions of those firms as well as more targeted reviews on specific product or process areas. The resources and system capabilities of these departments are assessed, along with the quality of their processes, documentation, and MI and their ability to challenge the judgments of the revenue generating functions. See also the responses to BCP 10, EC 3, and BCP 15. The PRA also draws comfort from the work of external auditors. U.K. firms are required by law to obtain an independent auditor’s opinion on their annual financial statements and, in forming that opinion, the auditor will consider the valuation practices used. That will involve considering the “framework, structure, and processes for fair value estimation” to the extent they consider necessary to form their opinion on the financial statements as a whole. The PRA meets with external auditors of the bigger U.K. credit institutions as part of the CA process to discuss issues of common interest, including valuation. |
| EC 4 | Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. |
| Description and findings re EC 4 | The Acts of Parliament mentioned in the response to EC 1 prescribe at a high-level the scope of the external audit that is required to be performed of U.K. credit institutions. This is supplemented by the requirements in ISAs (U.K. and Ireland) issued by the FRC. There are also U.K. specific PNs issued by the FRC (PN 19, PN 27, and PN 23 special considerations in auditing financial instruments) which provide guidance on audits of some U.K. credit institutions. The ISAs, and the PNs, follow a risk and materiality based approach to planning and performing the external audit. Other relevant FRC literature includes:
Although the scope is determined by law and ISAs (U.K. and Ireland), it is the external auditor that determines, based on its assessments of where the material risks to the financial statements lie, the depth to which specific matters making up that scope are covered. In order to help external auditors in this process, the PRA discusses with them what it regards as the key risks and areas of concern. Some of these are generic risks, but others are firm-specific. For example, a few years ago the PRA’s credit risk specialists gave presentations to each audit firm on the PRA’s concerns about refinancing risk. More recently, the PRA’s accounting experts have been giving presentations to each audit firm on what the PRA regards as the key financial reporting issues for their biggest U.K. credit institutions clients and for U.K. credit institutions in general. The PRA follows up on those key risks and areas of concern in subsequent discussions with external auditors. The PRA also engages with auditing standard-setters in respect of future issues to try to ensure that the appropriate authoritative material is in place on a timely basis as new issues emerge and existing issues change their form. If the PRA believes that work needs to be carried out by an external auditor (or other independent, external expert) on a matter that does not fall within the prescribed scope of an external audit of financial statements, it has powers under S166 and S167 of FSMA to require a firm to engage a skilled person to carry out a piece of work scoped by the PRA and deliver a report of a form specified by the PRA. It can also use S166 or S167 to engage a skilled person itself to carry out such work and prepare such a report. |
| EC 5 | Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. |
| Description and findings re EC 5 | Acts of Parliament and local auditing standards set out the scope of external audits of U.K. credit institutions. Those standards require the auditor to do such work as the auditor deems necessary to express an opinion on whether the financial statements as a whole show a true and fair view. These audits are conducted in accordance with internationally accepted auditing practices and standards (see the response to EC 2) and are based on a risk and materiality approach (see the response to EC 4). Together these requirements mean that all the areas mentioned in the EC will be covered by the audit as long as those areas are deemed material in the context of the financial statements as a whole, subject only to the following caveats:
As explained in the response to EC 5, the PRA engages with auditors to ensure that they are aware of what the PRA regards as the key risks and areas of concern. The PRA follows up on those key risks and areas of concern in subsequent discussions with external auditors, and earlier this year published proposed Rulebook changes designed to enhance this process further (see the response to AC1). The PRA also engages with auditing standard-setters to try to ensure that new and emerging issues relating to the areas mentioned in the EC and other audit-related issues are identified early and the appropriate authoritative material put in place on a timely basis. |
| EC 6 | The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. |
| Description and findings re EC 6 | The Audit Directive (Art. 3 of Dir 2006/43/EU) requires each MS to designate competent authorities which shall be responsible for approving statutory auditors and audit firms as they satisfy certain criteria under Art. 4 of the Audit Directive, which include among others adequate expertise and adherence to professional standards. The provisions do not explicitly cover the requirements of this EC, although based on an EBA survey across MSs in EU in 2015, in some MSs the supervisors may have powers over the appointment or dismissal of an auditor. The PRA has the power under S55M of FSMA to impose requirements that result in the proposed appointment of a new external auditor being rescinded or in the existing appointment of an external auditor being terminated. The power in respect of new appointments is supported by a requirement that the PRA be notified of an appointment (Part Auditors 2.1(5)).143 U.K. credit institutions are required to take reasonable steps, when appointing an auditor, to ensure that the auditor has the required skill, resources and experience to perform its duties (Part Auditors 3.1(1)) and that the auditor is independent of the firm (Part Auditors 4.1). The PRA also has the power, under S345A of FSMA, to disqualify (or fine or publicly censure) an audit firm if it appears to the PRA that the audit firm ‘has failed to comply with a duty imposed on him under [FSMA].’ U.K. credit institutions are prohibited from using disqualified auditors (Part Auditors 3.2). The PRA works closely with the FRC’s audit inspection teams to ensure that concerns that the PRA might have over the quality of a particular audit informs the audit inspection work that the FRC carries out and that the PRA understands and can respond appropriately to audit quality concerns that the FRC has following its inspections of particular audits. As part of this process, the PRA also can and does refer audits and external auditors that it has concerns about to the FRC’s accountancy scheme and to the auditors’ professional body. |
| EC 7 | The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. |
| Description and findings re EC 7 | The Audit Directive (2006/43/EU) sets out the rotation requirements for the key audit partner or partners on public interest entity engagements within a maximum of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. In summary, audit tendering is required by the U.K. Corporate Governance Code; the rotation of audit engagement partners is required by the FRC’s ethical standards; and U.K. legislation implementing the EU Audit Directive’s audit firm rotation requirements is expected to be in place by summer 2016. The PRA has no specific powers to require U.K. credit institutions to rotate their external auditors although it does have general powers under S55M of FSMA to impose requirements that result in the termination of an external auditors’ appointment. In 2012, the FRC updated its Corporate Governance Code—a document that has a ‘comply or explain’ status—to include a provision that FTSE 350 companies put their external audits out for tender every ten years (see para. C.3.7, p. 19). This has led to a number of U.K. credit institutions putting their external audits out to tender and, in some cases, to changing external auditor. For example, Cooperative BoE and HSBC have recently changed their external auditor, and the RBS and Barclays have announced that changes will be made. If a firm chooses not to comply with the Code, the PRA would consider the need to take action to ensure an appropriate level of governance. The FRC also has requirements regarding rotation of audit engagement partners. For listed companies, under the FRC’s ethical standard 3 (revised) long association with the audit engagement:
For unlisted firms, if an the audit engagement partner has been in place for ten years, the external audit firm must consider “whether a reasonable and informed third-party would consider the audit firm’s objectivity and independence to be impaired” and where the individual concerned is not rotated after ten years, the auditor must:
The U.K. authorities are in the process of implementing the EU Audit Directive and determining how the options in the EU Audit Regulation shall be implemented. The current proposal is that the effect will be that U.K. credit institutions other than credit unions will be required to change their external auditors every ten years unless a competitive tender is held at the ten year point in which case the external auditors’ tenure can be extended to 20 years. The EU timetable envisages that these requirements should come into effect from June 2016. |
| EC 8 | The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. |
| Description and findings re EC 8 | There are requirements in FSMA S339 that there should be at least annual bilateral meetings between external auditors and supervisors of the largest U.K. credit institutions (i.e., those that could have a material impact on the U.K. financial system). The PRA’s SS—the relationship between the external auditor and the supervisor: a code of practice (the PRA Code)—also sets out the principles that guide the PRA’s supervisory relationship with external auditors of individual U.K. credit institutions. The PRA Code mandates that, for the largest and most significant PRA supervised firms, there should be at least annual bilaterals between supervisors and auditors. It is often the case that supervisors meet more frequently with external auditors than FSMA and the Code requires. In addition to these mandated meetings, the PRA meets with audit firms in a number of fora, including twice-yearly bilateral meetings (held with the banking/financial services audit partners of the big six audit firms) to exchange feedback on the auditor-supervisor dialogue and to discuss generic issues of common interest relating to banking (and other) operations. As explained in the response to EC 1, the PRA also reviews the external auditors’ management letter, as well as key audit committee and internal audit material, and uses that material as a basis for its discussions with external auditors. The assessors met a number of auditors and discussed with them the modality of interaction with the regulators, both at bilateral level (supervisor and auditor of a single bank) and multilateral level (either between the supervisor and a specific audit firm or the supervisor and the audit industry): they drew the impression of a modality that is overall well-functioning, collaborative and, ultimately, mutually beneficial for a better understanding not only of the accounting practices, but also of the governance arrangements of the supervised/audited entities (though an auditor considered that still more room could be given to the latter aspect). |
| EC 9 | The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. |
| Description and findings re EC 9 | The requirement of the “duty to report” is established in the CRD (Art. 63(1)). It is, however, limited to material breaches of laws, regulations or administrative provisions; issues which affect the ongoing functioning of the institution; and issues which may lead the auditor to refuse to certify the accounts or to the expression of reservations. Under the FSMA 2000 (communications by auditors) regulations 2001,144 auditors have a legal duty to report to the PRA certain contraventions, or possible contraventions, of rules and legislation and other matters that they reasonably believe are or may be of material significance to the PRA. FSMA (S 342(3) and S343(5)) provides protection for auditors contravening any duty during disclosure under an auditors’ statutory duty to report to the PRA, provided the disclosure is done in good faith and the auditor reasonably believes the information or opinion is relevant to any function of the PRA. |
| Additional criteria | |
| AC1 | The supervisor has the power to access external auditors’ working papers, where necessary. |
| Description and findings re AC1 | The PRA does not have the power to access external auditors’ working papers unless those papers are issued to the client as reports (including the auditor’s report to those charged with governance and the auditor’s findings on internal control weaknesses). Under S165 of FSMA, the PRA has the power of access to the supervised firm’s documents including, for example, any reports from the auditor to the firm. As part of the PRA’s ongoing engagement with external auditors of the larger supervised firms, the PRA may request copies of the auditor’s report to those charged with governance and the auditor’s findings on internal control weaknesses. Both can be very valuable in understanding the issues that have arisen in the external audit, and the audit work that has been undertaken. From time to time, external auditors might be engaged carry out ‘deeper dives’ into areas covered by the audit, and the PRA may request copies of those reports too, as well as copies of reports that do not relate to audit matters. The FRC’s audit quality review team (AQRT)—which is responsible for the review of the audit work carried out on public interest entities (which includes all credit institutions other than credit unions)—has the right of access to the auditors’ working papers, and the PRA works closely with the FRC on general and specific audit quality matters. For example, the PRA suggests to the FRC audits that the PRA has concerns about to help the FRC to direct its audit inspection teams’ work. For other audits, the auditor’s recognized supervisory body is responsible for the review of the audit work and has the right of access to the auditors’ working papers for this purpose. If the PRA has a concern about the quality of one of these audits, it would notify the relevant recognized supervisory body which could then inspect the audit and the audit working papers. Recent changes made by the FRC to the Corporate Governance Code and ISAs (U.K. and Ireland) have resulted in greater transparency for the audit and auditor reporting process. In particular, the audit committee prepares a report that describes the significant issues that it considered in relation to the financial statements and how these issues were addressed and the external auditors include in their reports a description of those assessed risks of material misstatement that were identified by the auditor and which had the greatest effect on the overall strategy. These reports help the PRA to understand the areas of audit focus. In February 2015 the PRA issued proposals (in CP 8/15 engagement between external auditors and supervisors and commencing the PRA’s disciplinary powers over external auditors and actuaries)145 to require external auditors to prepare written reports to the PRA on their audit of specified matters. The intention behind these proposals is to further enhance the quality of the information the PRA has about the audit process and audit judgments and thereby further enhance the quality of the discussions the PRA has with external auditors (see the response to EC 8). The PRA is currently considering the comments received in response to the proposals and a decision is expected to be taken later in 2015 on whether (and if so how) to proceed with them. |
| Assessment of Principle 27 | Compliant |
| Comments | The law requires U.K. banks to prepare financial statements and to maintain books and records that produce adequate and reliable data for the preparation of financial statements. The FCA, through the U.K. Listing Authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed banks. The PRA also reviews firms’ ability to produce adequate and reliable data. While at the moment the supervisor has no formal power to impose a rotation of the auditor, the assessors observed that the U.K. Corporate Governance Code requires auditor rotation on a comply-or-explain basis, that several large U.K. banks have put their external audit out to tender and that the upcoming adoption (summer 2016) of the EU Audit Directive will formally impose audit rotation. The PRA does not have a formal power to access external auditors’ working papers, but the assessors observed a number of other practices and powers that mitigate the lack of a specific formal power: in particular, the close collaboration of the PRA with the FRC (which has right of access to the auditors’ working papers) and the use the PRA makes of this collaboration to address areas of its own concern. This, coupled with the observation that information from external auditors is a generally complementary aspect of bank supervision, on which the UK authorities rely to a much lesser extent than in other jurisdictions, leads to consider this deficiency immaterial. |
| Principle 28 | Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. |
| Essential criteria | |
| EC 1 | Laws, regulations or the supervisor require periodic public disclosures146 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. |
| Description and findings re EC 1 | Three broad sets of disclosures are required regarding information on the financial condition and performance of credit institutions in the U.K.:
Art. 431 of the CRR require firms to publicly disclose the information set out in part eight of the CRR, which corresponds to the 2011 Basel II Pillar III disclosures. Additional required disclosures include the countercyclical buffer, asset encumbrance, GSIB, IRB models, and remuneration, among others. The EBA has issued binding technical standards specifying uniform templates and instructions related to own funds; leverage ratio; CCB; G-SIB indicators; and encumbered and unencumbered assets, among others. Art. 431 of the CRR requires a firm to adopt a formal policy to comply with the Pillar 3 disclosure requirements and to have policies for assessing the appropriateness of its disclosures, including frequency and their verification.
The form and content of financial statements of regulated firms in the U.K. is governed by the Companies Act 2006 (CA2006), among other laws. Reporting requirements differ depending on whether a firm is a company or a building society and whether it has issued listed securities. Listed U.K. banking and building societies (or entities with listed securities) are required to prepare consolidated financial statements in accordance with IFRS and to comply with those parts of CA2006 and BSA1986 applicable to companies or building societies reporting under IFRS. The form and content of a building society’s financial statements are similar to the requirements applicable to U.K. banking companies. Nonlisted U.K. banks and banking groups (companies are permitted to adopt voluntarily either IFRSs or FRS 102 for their solo and consolidated financial statements (CA2006) Sections 395 and 403). As for U.K. banks, nonlisted building societies may apply FRS 102 or may adopt IFRSs for their individual financial statements (BSA S72A). S393 of CA2006 requires that the directors of a company must not approve accounts unless they are satisfied that the accounts give a true and fair views of the assets, liabilities, financial position, and profit or loss of the company or group. All U.K. regulated firms are required to present comparative information in respect of the preceding period for all amounts report in the current period’s financial statements. The concept of materiality underlies the preparation of financial statements under IFRS and U.K. GAAP. If information is material, it is required to be recognized, measured, presented, and disclosed, as appropriate. Both U.K. GAAP and IFR require information provided in financial statements to be reliable. A regulated firm is required to present a complete set of financial statements at least annually. |
| EC 2 | The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. |
| Description and findings re EC 2 | IFRS and FRS 102 (U.K. GAAP) require qualitative and quantitative disclosures on an entity’s financial performance and financial position, the nature and extent of particular risks to which the entity is exposed during the period and at the reporting date, and how the entity manages those risks (risk-management policies and objectives). IFRS 7 and FRS 102 S11 and S34 require disclosure of the significance of financial instruments for an entity’s financial position and performance and the nature and extent of risks arising from financial instruments to which the entity is exposed and how the entity manages those risks. IAS 24, FRS 102.33.5–14, CA 2006 sections 409 and 401, CAR Schedules 2 and 6 and BSA Schedules 6 and 10 B require disclosures in the accounts of the relationships between a parent and its subsidiaries, the name of its parent and, if different, the ultimate controlling party, key management personnel compensation in total and in each category; if the firm had related party transactions in that period, the nature of the relationship and information on those transactions that are necessary for users to understand the potential effect of the relationship on the financial statements. IAS 19, CAR Schedule 8, and FRS 102.28 both require disclosure of additional information on employee benefit expenses. In addition, the PRA supports firms’ voluntary disclosure initiatives to promote transparency. Currently, for example, seven of the largest 21 banks (all within Category 1) voluntarily report under the British Bankers Association’s Code for Financial Reporting Disclosure that sets out principles for high quality, meaningful, and useful disclosures. Similarly, the FPC recommended in 2013 that the PRA should ensure that all major U.K. banks and building societies comply with the recommendations of the enhanced disclosure task force (2012) upon publication of their 2013 annual reports. Compliance has been high enough for the FPC to declare this recommended to have been implemented. |
| EC 3 | Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. |
| Description and findings re EC 3 | Art. 436 of CRR requires the disclosure of an outline of the differences in the basis of consolidation for accounting and prudential purposes, with a brief description of entities therein explaining the degree of their consolidation or deduction. Under IFRAS 12.10-31/U.K. GAAP and CA 2006 S409 and S410 and BSA, an entity is required to disclose information that enables users of its consolidated financial statements to understand the composition of the group and the interest that noncontrolling interests have in the group’s activities and cash flows. |
| EC 4 | The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. |
| Description and findings re EC 4 | Art. 78 of CRD requires the EBA to produce benchmarking studies on both credit and market risk to assist competent authorities in the assessment of internal models, highlighting potential divergences among banks or areas in which internal approaches might have the potential to underestimate an own fund requirement. These reports enable competent authorities to compare the outcomes of firms’ internal models and identify non-risk variability across firms and take appropriate corrective actions to overcome these drawbacks when deemed necessary. Two other examples of reviews undertaken by the EBA include an analysis of the consistency in the outcomes or the calculation or RWA as well as an annual assessment of Pillar 3 disclosures. These processes are meant to help inform regulators’ corrective processes (especially with regard to the study of risk-weighted asset calculations) and to foster greater compliance with regulatory disclosure guidelines as in the case of the Pillar 3 disclosure review. The PRA participates in the EBA-led assessments. The analysis focuses on European banks with cross-border activities and aims to identify reporting requires for which compliance must improve. For public annual reporting, capital or risk disclosure are subject to external audit if it contains information required by accounting standards. In addition, CA 2006 S496, 497, and BSA 72A require other sections of the annual report to be reviewed by the auditor for consistency with financial statements (including Pillar 3 disclosures where these are included in the annual report rather than in a separate document but outside the notes to the financial statements). Where annual accounts do not comply with the requirements of CA 2006 or BSA, every director who (i) knew they did not comply, or was reckless as to whether they complied, and (ii) failed to take reasonable steps to secure compliance, commits an offence. The financial reporting review panel (FRRP), which is part of the FRC, seeks to ensure that the annual accounts of public companies and large private companies and building societies comply with the requirements of the CA 2006 or BAS and applicable accounting standards. The FRC is the U.K.’s independent regulator responsible for corporate reporting and governance; its chairman and deputy chairman are appointed by the secretary of state for Business, Innovation, and Skills.147 The FRRP can ask firms to correct matters in error or may require alternative remedial action (either voluntarily or through a court order). The PRA and the FRC have signed a MoU that sets out arrangements for cooperation and coordination in carrying out their respective regulatory responsibilities. The arrangements include exchanging information to coordinate and cooperate effectively in the necessary areas and discussing concerns to inform the FRC’s exercise of its professional disciplinary function. |
| EC 5 | The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). |
| Description and findings re EC 5 | Under the Financial Services Act, the FPC is required to publish a FSR twice per year. The FSR covers the FPC’s view of the current stability of the U.K. financial system and an assessment of developments that have influenced this view. The content of the report is not fixed and usually covers aggregate capital ratios, balance sheet composition and other data related to short, medium and long-term risks to financial stability. In addition, after completing its first CST, the BoE published its results in December 2014 and included projected firm-level CET1 ratios in the stress scenario as well as aggregate and projected capital ratios, balance sheet composition, profitability, and credit risk profiles. The BoE furthermore publishes a range of monetary and financial statistics in relation to banking; this includes sectoral and industry breakdown of money and credit data; data on unsecured gross lending, loans and advances, deposit, consumer credit, write-offs, effective interest rates, bank funding, capital, and mortgage data. A recommendation had been at the prior FSAP that U.K. supervisors should publish nonconfidential firm-level prudential returns. However, the BoE still does not currently publish a periodic summary of banks’ regulatory returns and regular and comparable data on a bank-by-bank basis, including data from prudential returns. In this regard, firms’ Pillar 3 reports that are published represent a subset of data contained in the COREP regulatory return. Nonetheless, U.K. supervisors believe this form of Pillar 3 reporting has not proven useful to market participants. Thus the PRA has focused over recent years on making what is published more useful, working with the British bankers’ association and U.K. banks to promote greater consistency and comparability in Pillar 3 disclosures. Moreover, beginning in the fourth quarter of 2015, the BoE does intend to publish on a quarterly basis selected aggregate regulatory data from firms’ quarterly COREP submissions. |
| Additional criteria | |
| AC1 | The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period. |
| Description and findings re AC1 | IFRS and U.K. GAAP require qualitative and quantitative disclosures on a bank’s financial performance and financial position, the nature and extent of risks to which the entity is exposed during the period and at the reporting date, and how the entity manages those risks. Where information at a reporting date is unrepresentative of risk exposure, accounting standards such as IFRS 78/FRS 102 require an entity to make appropriate additional exposures. Likewise, information disclosed under Part Eight of the CRR is generally based on period end values. However, some of the disclosures are based on average values over the period or provide relevant data for the period. Examples of circumstances in which a measure other than “end of period” may be used under EU and UK guidelines appear below. Taken together, these examples suggest that the UK’s approach does broadly set adequate requirements for disclosures related to risk exposures over the course of a reporting period and not solely at the end of the period. Relevant EU Guidelines, as reported by the EBA:
Relevant U.K. Guidelines, as specified in IFRSs and U.K. GAAP:
The EBA’s guidelines on the disclosure of unencumbered assets, as required by Art. 433 of the CRR, specifies that firms should disclose asset encumbrance data on the basis of median values of at least quarterly data on a rolling basis over the previous 12 months. Firms are furthermore required to provide users with information on long term structural levels of encumbrance. |
| Assessment of Principle 28 | Compliant |
| Comments | Overall, the combined expectations set by the CRR, plus the requirements set out in U.K. financial reporting guidelines and audit frameworks, help to ensure that supervised firms are reporting on a consolidated and, where appropriate, solo basis that is easily accessible and fairly represent their condition and performance. Some changes in EU rules are, however, reducing requirements for firms to report their financial statements from quarterly to semi-annually. Up until the present, all listed Category 1 firms reported quarterly, but the EU is making this voluntary. U.K. supervisors have spoken with their firms, and most Category 1 firms (especially the seven largest) said that they will voluntarily continue to report quarterly. One recommendation that carries over from the prior FSAP is that U.K. authorities should continue to consider publishing nonconfidential firm-level prudential returns, such as balance sheet and income statements, loan and investments (sectoral information), asset quality (past dues, NPLs, charge offs), funding structure, capital structure, and off-balance sheet exposures. Such disclosures would make more comparable and consistent data available to the marketplace for analysis and monitoring. Supervisors also discussed a range of benchmarking exercises that have been proposed, including a European annual supervisory benchmarking exercise, tentatively to begin in early 2015. At the prior FSAP, assessors noted some concerns about the quality of external audits and the need for more professional skepticism. The PRA has subsequently set more explicit expectations for supervisors to meet with external auditors, including requiring that supervisors for Category 1 and 2 banks meet at least once per year with the external auditor and one additional meeting per year around the annual audit if the supervisor is the home country supervisor for the firm (see BCP 9, EC 11). The PRA has also released a SS explaining how PRA supervisors should work with external auditors called, “The relationship between the external auditor and the supervisor: a code of practice.” |
| Principle 29 | Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.148 |
| Essential criteria | |
| EC 1 | Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. |
| Description and findings re EC 1 | The FCA serves as the primary U.K. supervisor charged with combating the abuse of financial services in regulated financial services organizations including banks. FSMA 2000 sets one of the FCA’s operational objectives as protecting and enhancing the integrity of the U.K. financial system, which includes not allowing it to be used for financial crime (S1B(3)(b) and S1D(2)(b)). Under FSMA, the FCA has the power to make rules related to the conduct of banks; to supervise compliance with its rules and enforce breaches; and to supervise all authorized firms that are subject to the U.K.’s MLR 1007. Regarding this latter responsibility, the FCA estimates that 15,000 firms are subject to the MLR, of which 900 are deposit-taking institutions, primarily credit unions, but also retail and wholesale banks. Similarly, the FCA is responsible for supervising firms’ compliance with other financial crime legislation including the “Transfer of Funds Regulations 2007;” the Terrorism Act 2000; and Schedule 7 of the Counter-Terrorism Act 2008. In this regard, the FCA provides guidance to firms, such as through its “financial crime guide: a guide for firms.” As a supervisor, the FCA operates both integrated and dedicated financial crime supervision strategies, drawing on its dedicated financial crime specialist supervision team, which is part of its broader financial crime department. |
| EC 2 | The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. |
| Description and findings re EC 2 | The FCA divides all firms subject to its supervision of financial abuse-related matters into categories based on the agency’s perceptions of the financial crime risk a particular firm presents. These categories do not necessarily reflect the size of the firm and, in some cases, smaller deposit-takers may be categorized into a higher risk category alongside larger firms based on risk criteria that the FCA has developed. For newly authorized firms, this includes a review of the financial crime policy and procedure of all applicant banks. For firms in especially the two highest risk categories, the FCA examines whether firms have adequate policies and procedures, staff vetting, and reporting processes through its authorizations and risk-based supervisory work to prevent them from being used for purposes connected with financial crime. Firms wishing to become authorized must provide information that is assessed against the FCA’s Threshold Conditions and for risk to its objectives. Applications for authorization, approval, and change in control are likewise subject to review, which includes a review of AML/compliance policies and procedures of a firm. As part of its supervisory work, the FCA assesses not only whether a bank has policies in procedures in place, but also assesses whether those are working effectively in practice. It considers other factors such as the culture of a firm, governance and oversight of risk, risk-management and assurance, and the quality and effectiveness of training. FCA supervisors furthermore evaluate whether firms have considered best practices included in the FCA’s financial crime guide and other relevant guidance: among other factors, supervisors consider whether a firm has set clear criteria for escalating financial crime issues. In practice, firms in the highest risk band are subject to the most extensive and intrusive supervision. Since 2012, the FCA has employed the “systematic anti-money laundering program” (SAMLP) assessments in such firms. The program operates on a four-year, rolling cycle. The onsite portion of the work in a bank lasts about three months and involves detailed testing and interviewing of key staff responsible for the bank’s business and for implementing AML processes and controls both operations of U.K. incorporate banks outside of the EEA. Firms in the next highest risk band are subject to site visits. The FCA conducts such visits on a two-year cycle and spends two to four days at most firms in this category. For firms not in the two highest risk categories (henceforth the “lower risk” categories), the FCA relies on thematic reviews and a more responsive approach to supervising this risk. Given that this approach is relatively new and was first adopted in 2014, not enough data exists to assess the scope of the authorities’ coverage of firms in the lower risk categories over, for example, a three- or five-year period. This leaves open a question about the adequacy of the coverage of firms viewed as lower risk to ensure that “banks have adequate policies and processes that promote high ethical and professional standards” to prevent abuse of financial services, as required by this essential criterion. Both the authorities and assessors should have access to better data to evaluate this coverage of lower risk firms at the next FSAP. Supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement agencies, other domestic and overseas AML authorities, or through “thematic reviews,” proactive work considering how a sample of firms—usually 20 to 30––including those in the lower risk categories––are managing specific financial crime risks (described in more detail in the assessment of the below). The FCA also undertakes “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize |
| EC 3 | In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.149 |
| Description and findings re EC 3 | As noted earlier, the FCA’s principles compel banks to deal with their regulators in an open and cooperative way, and they must disclose to the appropriate regulator anything relating to the bank of which the regulator would reasonably expect notice. While the FCA’s rule do not contain an explicit requirement for firms to report fraud that is material to a firm’s safety and soundness, the rules do require a bank to report an incidence of “significant fraud” to the appropriate regulator immediately. The FCA rules state that a firm should consider the size of any monetary loss or potential monetary loss to itself or its customers when determining what constitutes a significant loss. In this regard, the PRA’s Fundamental Rule 7 states the following:
With regard to self-reporting of potential issues, U.K. authorities noted in discussions that over 350,000 suspicious activity reports were filed with the U.K.’s National Crime Agency from 2013-2014,150 of which about 290,000 were filed by retail banks and 23 thousand filed by building societies. The National Risk Assessment prepared by HMT and the home office identified nonetheless a variety of complaints regarding the suspicious activities report (SAR) filing process,151 which U.K. authorities summarized in discussions as reflecting the need to overhaul the IT supporting the SAR filing process as well as a potentially overly formulaic approach to filling in such forms by firms themselves. At the time of this writing, the authorities had not yet finished a public consultation on measures they would take to address concerns with the SARs filing process. |
| EC 4 | If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. |
| Description and findings re EC 4 | The U.K.’s MLR state that the FCA and all other AML supervisory authorities must promptly inform the National Crime Agency (the U.K.’s Financial Intelligence Unit) if they know or suspect that a person is or has engaged in money laundering or terrorist financing. The BoE’s policy on AML is that it will meet all legal obligations under the Proceeds of Crime Act (POCA) 2002, the MLR, and the Terrorism Act 2000. The BoE has appointed a money laundering reporting officer (MLRO) to whom staff are required to report any suspicion of money laundering. The FCA also appoints and a MLRO, who is responsible for overseeing the organization’s duty to report suspicions of money laundering as required by the MLR. The MLRO is supported by two deputy MLROs. Over the last few years, the FCA has run an awareness program to improve FCA-wide reporting of suspicious activity. FCA staff reporting requirements are covered within compulsory financial crime modules for supervisors and are also included in targeted training sessions and wider briefings provided to specific FCA departments |
| EC 5 | The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:
|
| Description and findings re EC 5 |
The MLR sets requirement for banks to retain copies of the evidence of the customer’s identity for five years after a business relationship ends, among other responsibilities. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially the top risk and, to a lesser degree, firms in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews and a more responsive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through regulatory returns, complaints, whistleblowers, media reports, law enforcement agencies, domestic and overseas AML authorities, or through “thematic reviews.” The FCA also undertakes “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 6 | The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:
|
| Description and findings re EC 6 | The MLR require banks that have, or propose to enter into, a correspondent banking relationship to apply enhanced due diligence measures to mitigate money laundering and terrorist financing risk. Banks are required to gather sufficient information from correspondents to understand the nature of its business and assess the respondent’s AML and terrorist financing controls, among other requirements. The MLR also prohibits banks from entering into, or continuing, a correspondent banking relationship with a shell bank or a bank that is known to permit its accounts to be used by a shell bank and must take appropriate measures to prevent this. As part of its risk based supervisory work, the FCA examines and tests that banks have enhanced due diligence policies and processes regarding correspondent banking. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially those in the top risk category and, to a lesser degree, firms in the second highest risk category. For firms in the lower risk categories, FCA relies on thematic reviews, monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners or through “thematic reviews.” |
| EC 7 | The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. |
| Description and findings re EC 7 | The MLR requires banks to establish and maintain appropriate and risk-sensitive policies and procedures in relation to, amongst other things, internal controls in order to prevent activities related to money laundering and terrorists financing. In response to continued poor findings regarding firms’ AML regimes, the FCA developed a supervisory strategy in 2014 to target its resources more effectively and focus on banks that present the highest risk to its financial crime responsibilities, irrespective of their size. All firms supervised by the FCA that are subject to the MLRs are now broken up into risk bands to reflect the FCA’s consideration of the level of financial crime risk they present. Firms in the highest risk category are subject to the most intrusive and proactive supervision, including the FCA’s systematic AML Program—detailed testing of firms’ AML controls in their U.K. operations and, where relevant, important or high risk overseas operations. Firms in the second highest risk category receive two to four day visits from FCA supervisors every two years. Firms in the lower risk categories are monitored by risk alerts, “event driven” supervision, when there are indicators of increased or crystallized risk, and thematic sector-wide reviews of specific financial crime risks. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement or other partners, or through “thematic reviews.” |
| EC 8 | The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. |
| Description and findings re EC 8 | FSMA gives the FCA the power to compel from banks any information or documentation reasonably required by it in the exercise of its functions (S165). Under the FSMA, the FCA may also vary or cancel the bank’s permissions to carry on regulated activities in various circumstances, including where the bank is failing, or is likely to fail, to satisfy the Threshold Conditions or where such variation is desirable in order to advance one or more of the FCA’s operational objectives. Under FSMA, the FCA can furthermore issue private censures and impose unlimited financial penalties. |
| EC 9 | The supervisor determines that banks have:
|
| Description and findings re EC 9 |
Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is focused on the highest risk firms, especially those in the highest risk category and, to a lesser degree, those in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews, monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing and instead are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners, or through “thematic reviews.” The FCA also undertakes ‘event driven’ supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 10 | The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate MI systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. |
| Description and findings re EC 10 | In addition to practices outlined above, the FCA examines and tests banks’ compliance with relevant laws and regulations through supervisory work, including, where appropriate, satisfying itself of the existence and effectiveness of internal controls. To do so, the FCA may review organizational charts that identify teams and individuals with responsibility for AML and sanctions; assessment of the financial crime risk ownership and the effectiveness of escalation routes within the BoE; details of committees in which AML/financial sanctions have been raised; assessment of relevant MI; the money laundering risk officer’s report; culture, governance, and “tone from the top”; and evidence of senior management acting on MI and instances of crystallized risk. Based on discussions with supervisors, the more intrusive approach to testing compliance with such expectations is limited to the highest risk firms, especially those in the highest risk category and, to a lesser degree, those in the second highest risk category. For firms in the lower risk categories, the FCA relies on thematic reviews, automated monitoring of regulatory returns, and a more reactive approach to supervising this risk. As noted above under EC 2, supervisors acknowledge that banks in the lower risk categories are not subject to regular testing, and, instead, are monitored based on information gathered through complaints, whistleblowers, media reports, law enforcement and other partners, or through “thematic reviews.” The FCA also undertakes ‘event driven’ supervisory exercises when potential AML issues have come to light or when risks crystallize. |
| EC 11 | Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. |
| Description and findings re EC 11 | POCA 2002 allows banks to disclose information that meets defined criteria;153 such disclosure will not breach any legal restriction on the disclosure of information that would normally apply. The Serious Crime Act 2015 amended POCA and introduced a specific exemption from civil liability for money laundering disclosures. The Terrorism Act 2000 and the Data Protection Act 1998 likewise provide similar exemptions regarding relevant disclosures. |
| EC 12 | The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. |
| Description and findings re EC 12 | FSMA 2000 establishes a duty on the FCA to take steps appropriate to cooperate with other persons (in the United Kingdom or elsewhere) who have functions similar to that of the FCA in relation to the prevention or detection of financial crime. FSMA 2000 permits disclosure to equivalent supervisory authorities to enable or assist them to discharge their supervisory functions. The FCA also provides the secretariat for the financial crime information network, which is a forum for intelligence-sharing on financial crime issues, made up of 110 representatives from central government, law enforcement agencies, and regulatory bodies around the world. |
| EC 13 | Unless done by another authority, the supervisor has inhouse resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. |
| Description and findings re EC 13 | The FCA has specialist expertise to tackle financial crime at all stages of the regulatory process, with 23 staff serving on its specialist intelligence services team; they support colleagues who assess the fitness and propriety of applicants for authorization or approval. The financial crime department consists of 42 staff, which includes a financial crime specialist supervision team (27 staff) who provide expert financial crime support and conduct supervisory visits, among other roles. Its financial crime policy and risk team (9 staff) work with other parts of the FCA to ensure the consistent application of financial crime policy, rules, and risk-management practices. In addition to maintaining its technical experts, within the FCA all supervisors are required to complete compulsory financial crime online training. This is supplemented with targeted training sessions and wider briefings provided to specific FCA departments. In terms of outreach to banks, the FCA publishes thematic reviews on AML and financial abuse issues; it participates in industry conferences, where its staff give speeches and presentations on recent findings; and through its relationship managers with the higher risk firms, it communicates directly with firms on financial crime issues, best practices, and supervisory expectations. The FCA publishes a document ‘financial crime: a guide for firms, which sets out examples of good and poor financial crime risk-management and conducts outreach activities such as webinars and speeches to reinforce these messages. |
| Assessment of Principle 29 | Largely Compliant |
| Comments | The U.K. supervisors appear to benefit from an appropriate legal framework and appropriate policies to oversee regulated firms’ compliance with laws and regulations that seek to prevent the abuse of financial services. Questions remain regarding depth and frequency of coverage of supervision of this risk area to evaluate compliance with expectations across supervised firms. In particular, as noted in several essential criteria above, a question remains whether sufficient testing is done to ensure that appropriate policies, procedures, controls, and training are developed and implemented by all deposit-takers, and not solely by those viewed currently as being in the highest risk categories (though, in the FCA opinion, these would capture a very large share of the transactional banking market by volume, e.g., approximately 95 percent of personal current accounts in the U.K., based on a provisional report of the CMA on the retail banking market).154 The lower–risk firms, which represent the majority of firms (in terms of numbers), are not subject to systematic reviews or testing, with the exception of thematic work and event driven work related to suspected or crystallized risk. The authorities recognized this and indicated that they do seek to ensure an appropriate “churning” of firms subject to more intensive supervision that goes beyond thematic reviews and responses to suspected or crystallized risk. Still, the process for doing so remains at a relatively early stage, and more time will be needed for the authorities to gather data on how many firms can be covered. More broadly, this weakness regarding the breadth of coverage across firms represents the key concern cited for this principle at the prior FSAP and led to the “largely compliant” assessment. Since 2014, the FCA has segregated supervised firms into categories as a means of aligning monitoring and oversight more closely with its assessment of the relative degree of risk in each firm. Those 14 investment banks and retail banks identified as being in the highest risk category receive the greatest degree of supervisory scrutiny and monitoring including the FCA’s systematic AML Program––which includes detailed testing of firms’ AML controls in their U.K. operations, and where relevant, important or high risk overseas operations. They are followed by 75 firms of varying size (63 of which are banks) in the second highest risk group. Firms in the second highest risk category are subject to a visit of two to four days every two years, led by three to four specialists, who will review 20–25 customer files representing a mix of high risk customers plus a random sample. For these higher risk firms, assessors gained the sense from conversations with supervisors that the FCA employs a greater degree of sample testing than may have been the case at the time of the prior FSAP. Assessors did not seek to quantify the scale of testing and relied on discussions and reviews of sample preparatory letters sent to firms in advance of supervisory visits; these materials suggest that FCA staff do review a sample of files while onsite at firms in the highest risk categories. The vast majority of banking organizations, however, are found in the lower risk categories. U.K. supervisors rely largely on proactive thematic reviews and information from whistleblowers, media reports, law enforcement agencies, and other domestic and international AML supervisors, as well as “event-driven” supervisory exercises when potential AML issues have come to light or when risks crystallize. This more limited approach to evaluating compliance in firms thought to be lower risk raises a question about whether supervisors are indeed conducting sufficient work to ensure that “banks have adequate policies and processes that promote high ethical and professional standards” to prevent abuse of financial services (EC 2); whether “banks establish CDD policies and processes that are well documented and communicated to all staff” (EC 5); whether banks have “specific policies and processes regarding correspondent banking” (EC 6); whether “banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services” (EC 7); whether banks meet the requirements regarding internal audit, the designation of compliance officers at the appropriate level, adequate screening processes for hiring, and ongoing relevant training programs (EC 9); and whether “banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services” (EC 10). Firms in the lower risk categories are subject to periodic “thematic reviews,” which in recent years have included the FCA’s studies of small banks’ approaches to managing money laundering risk (November 2014) or controls that banks had instituted over financial crime in trade finance (July 2013). Thematic reviews typically involve two to three day visits to a sample of 20-30 firms to evaluate a particular risk-related issue; the results are published. This is supported by reviews into event driven supervisory matters relating to suspected or crystallized AML risks. Such reviews of a small sample of supervised firms appear to be the main “backstop” against failures to comply with supervisory expectations regarding financial services abuse in the majority of lower risk banking organizations. Relying on a risk-based approach to prioritizing the allocation of a supervisor’s time and resources is an understandable management decision; the international FATF has recently reiterated its support for adopting such an approach with regard to money laundering and terrorist financing. Nonetheless, in supporting the use of such an approach, FATF encourages supervisors to ensure that financial institutions are “effectively implementing” their own obligations to assess risk.155 At present, the backstop on which U.K. authorities depend for ensuring that smaller firms are effectively managing their risks regarding financial abuse appears to be limited. Firms in the lowest risk categories––the majority of banking organizations––are subject only rarely to firm-specific evaluations of compliance with rules combating money laundering and terrorist financing. In this regard, the thematic reviews that the FCA has undertaken using even small samples have indeed identified a range of weaknesses in compliance, including some that it characterized as “particularly serious” and requiring supervisory action.156 U.K. supervisors should consider additional means of ensuring more tangibly that even firms thought to be of lower risk are indeed effectively managing their risks against financial abuse; we reiterate the findings of the prior FSAP regarding “concerns about pockets of financial activities that receive less than adequate supervision.” |
Summary Compliance with the Basel Core Principles
| Core Principle | Grade | Comments |
|---|---|---|
| 1. Responsibilities, objectives, and powers | C | The new financial regulatory architecture addresses most of the findings of the previous FSAP, which were unclear and ultimately unbalanced allocation of effort and resources between the prudential and conduct macro-objectives; the reference to principles of ‘good regulation’ potentially weakening the supervisor’s focus on prudential issues; the lack of powers over parent undertakings. The new macroprudential framework, centered on the FPC, has yet to reach its operating speed and it is still unclear, at this stage, whether it could divert resources from effective core supervision. |
| 2. Independence, accountability, resourcing, and legal protection for supervisors | LC | Considering the size, complexity and systemic footprint of the U.K. financial system, supervisory resources, in their current configuration, might be overstretched, potentially weakening the supervisory action. |
| 3. Cooperation and collaboration | C | A number of institutional arrangements promote cooperation among domestic authorities. International cooperation (at both bilateral and multilateral level) appears well established and evolving. |
| 4. Permissible activities | C | Although the name “bank” is not defined in U.K. laws, the use of this name and the related concept of “building society” are strictly controlled through legislation and the PRA’s and FCA’s rules. Accepting deposits is clearly identified as an activity requiring authorization, and only firms authorized to accept deposits may use the name “bank” or “building society.” |
| 5. Licensing criteria | C | Especially through the application of the U.K.’s “Threshold Conditions,” the U.K.’s licensing criteria appears to ensure that a firm once authorized can be supervised effectively. |
| 6. Transfer of significant ownership | C | While neither the European Banking Authority (EBA) nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners, the EBA and U.K. supervisory agencies reference requirements regarding major shareholders of a company (in the EBA’s guidelines) or any entity or individual who is to become a shareholder, which would include ultimate beneficial owners. Consequently, beneficial owners would be subject to scrutiny similar to other shareholders in evaluations regarding the transfer of significant ownership. |
| 7. Major acquisitions | C | While the UK legislation does not define the term ‘major acquisition,’ it sets forth notification requirements that result in an expansive definition, which covers any proposed business expansion with a potentially significant impact on the firm’s risk profile or resources or in its capital adequacy or solvency. These criteria apply to any operation of significant impact, be it the acquisition of a bank or nonbank, EU or non-EU. Once notified, U.K. authorities have the necessary powers to approve or reject requests to undertake major acquisitions that raise concerns about the risk that may result or the authorities’ abilities to supervise the firms. |
| 8. Supervisory approach | LC | Important progress has been achieved in adopting a more rigorous and “hands-on” approach, especially for the most systemically important firms. Opportunities remain to undertake more testing and probing, even in the largest firms. A better balance must be achieved in the supervision of less systemically important firms, as offsite monitoring remains the primary means of supervision. |
| 9. Supervisory techniques and tools | LC | Supervisors apply a range of supervisory tools more actively in the supervision of systemically important firms. While supervisors may need to employ external experts to assist with some reviews, reliance on skilled persons and “deep dives” still does not achieve the benefits of onsite supervision that includes transaction testing and greater probing of issues. |
| 10. Supervisory reporting | C | Thanks also to the EU-harmonized reporting framework, a wide range of data is collected for supervisory reporting. The degree of detail is generally adequate, though opportunities remain to develop better data on credit exposures and performance. |
| 11. Corrective and sanctioning powers of supervisors | C | In the prior FSAP, U.K. authorities received a recommendation to make more proactive use of corrective action and sanctioning tools as part of a more formal early intervention framework. The creation by the PRA of the proactive intervention framework (PIF), with five explicitly defined stages, provides U.K. supervisors with a more formal process and a supervisory tool that describe steps supervisors—and the RD of the BoE—must take as a firm’s condition deteriorates. |
| 12. Consolidated supervision | C | U.K. authorities supervise banking groups on a consolidated basis; prudential standards are imposed at different levels of consolidation; supervisors routinely analyze information collected on both a consolidated and solo basis in order to inform their assessment of the risks posed to the safety and soundness of the banking groups. |
| 13. Home-host relationships | C | The U.K. authorities, in their capacity as both home and host supervisors of cross-border banking groups, regularly share information and cooperate with foreign authorities for effective supervision of groups and group entities. Foreign banks operating in the U.K. are subject to the same standards as those required of domestic banks. |
| 14. Corporate governance | LC | Weaknesses identified in the current APR may be addressed through the new SMR, which seeks to identify the accountability of individuals in significant roles on an ongoing basis. Corporate governance reviews appear to have taken place predominantly in the largest, most systemically important firms (“Category 1”) and not in other firms, although the PRA has released guidance during this assessment outlining an approach to evaluating governance issues across all supervised firms going forward. |
| 15. Risk management process | C | The PRA has set up a comprehensive and articulated framework for the supervision of bank’s risk-management systems, which allows it to perform a range of analyzes and reviews (including of banks’ EWRM, particularly on the largest banks, with more breadth and depth than it was the case for the FSA. The introduction of the CST for major U.K. banks is seen as a factor that raises the standard of banks’ risk-management practices. The smaller institutions receive a lower degree of attention and are rarely examined by risk specialists: which, per se, is quite natural, given their more limited degree of complexity and systemic impact, but raises legitimate questions that have been further elaborated elsewhere (CP 8 and 9). |
| 16. Capital adequacy | LC | The current model change review policy does not ensure that the reliability of internal model banks’ capital requirement calculations is adequately scrutinized. Some of the elements of non-compliance of the EU legislation/regulation on capital with the Basel standard (as revealed by the December 2014 regulatory consistency assessment program (RCAP) are relevant for the U.K. banking system, though the U.K. implementation of the European framework is more conservative for other aspects. |
| 17. Credit risk | LC | Lack of explicit supervisory guidance on credit risk managements for the generality of banks. |
| 18. Problem assets, provisions, and reserves | LC | AQRs at nonsystemic banks are too sporadic to ensure an adequate scrutiny of their asset classification and provisioning. |
| 19. Concentration risk and large exposure limits | C | The EU framework for LE is not aligned with the Basel standard; which, however, will take effect only from January 2019. As regards concentration risk, the assessors found evidence of an overall robust framework, particularly advanced for credit risk concentration under Pillar 2, and less structured, but still effective for other forms of risk concentration (such as market and liquidity risk). |
| 20. Transactions with related parties | C | The PRA Rulebook complies with the BCP definitions of related parties and related party transactions and sets out most of the requirements cited in the principle. Aggregate information on transactions with related parties is obtained from banks though a semi-annual FINREP report. Non-FINREP banks (the majority of U.K. banks) provide information on transactions with related parties in their annual reports; such frequency does not ensure an adequately intense supervision of transactions with related parties at medium and small banks (which falls within the general finding under CP 8). |
| 21. Country and transfer risks | C | At the prior FSAP, assessors recommended that U.K. supervisors adopt a more proactive approach to the supervision of country and transfer risk. The PRA does appear to engage to a greater degree than before on these risks with the largest and most systemically important firms. More work could be done to evaluate and monitor smaller firms’ exposures to country risk, though these firms may have fewer such exposures. |
| 22. Market risk | C | The PRA periodically reviews banks to assess that their market risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. |
| 23. Interest rate risk in the banking book. | C | Continued weaknesses in the measures and comparability of IRRBB measures across firms may be addressed in forthcoming changes in EU’s and BCBS’s approach to this risk. These changes may remediate suggestions raised in the prior assessment to improve outlier analysis of this risk in mid-sized and smaller firms. |
| 24. Liquidity risk | LC | The PRA is equipped with a liquidity risk framework that is overall robust, structured, consistently implemented. The EU Regulation on liquidity is not aligned with the Basel standard. |
| 25. Operational risk | C | Supervisors report that they now customize their operational reviews more closely to the key risk exposures that the largest firms face. The more strategic use of several deep dives spread out over three years for each of the largest firms may raise questions about whether this pace of review is sufficient to ensure that large firms are keeping pace with the state of the article in operational risk management. |
| 26. Internal control and audit | C | Supervisors have strengthened their engagement with control functions as well as internal and external auditors, especially in the largest and most systemically important firms. In smaller firms, supervisors have fewer touch points to ensure that control functions and auditors are functioning as expected. |
| 27. Financial reporting and external audit | C | The law requires U.K. banks to prepare financial statements and to maintain books and records that produce adequate and reliable data for the preparation of financial statements. The FCA, through the U.K. Listing Authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed banks. The PRA reviews firms’ ability to produce adequate and reliable data. The lack of formal powers to access external auditors’ working papers is mitigated by the close collaboration of the PRA with the Financial Reporting Council (FRC) (which has right of access to the auditors’ working papers), the use the PRA makes of this collaboration to address areas of its own concern, and the consideration that information from external auditors is only a complementary aspect of bank supervision in the U.K. |
| 28. Disclosure and transparency | C | The combined expectations set by the CRR, plus the requirements set out in U.K. financial reporting guidelines and audit frameworks, help to ensure that supervised firms are reporting on a consolidated and, where appropriate, solo basis that is easily accessible and fairly represent their condition and performance. |
| 29. Abuse of financial services | LC | Testing of the management and control of exposure to financial crime and the abuse of financial services is limited and raises questions of whether supervisors engage in sufficient testing to ensure that these risks are well managed. The prior assessment’s concerns remain that “pockets of financial activities…receive less than adequate supervision.” |
| Core Principle | Grade | Comments |
|---|---|---|
| 1. Responsibilities, objectives, and powers | C | The new financial regulatory architecture addresses most of the findings of the previous FSAP, which were unclear and ultimately unbalanced allocation of effort and resources between the prudential and conduct macro-objectives; the reference to principles of ‘good regulation’ potentially weakening the supervisor’s focus on prudential issues; the lack of powers over parent undertakings. The new macroprudential framework, centered on the FPC, has yet to reach its operating speed and it is still unclear, at this stage, whether it could divert resources from effective core supervision. |
| 2. Independence, accountability, resourcing, and legal protection for supervisors | LC | Considering the size, complexity and systemic footprint of the U.K. financial system, supervisory resources, in their current configuration, might be overstretched, potentially weakening the supervisory action. |
| 3. Cooperation and collaboration | C | A number of institutional arrangements promote cooperation among domestic authorities. International cooperation (at both bilateral and multilateral level) appears well established and evolving. |
| 4. Permissible activities | C | Although the name “bank” is not defined in U.K. laws, the use of this name and the related concept of “building society” are strictly controlled through legislation and the PRA’s and FCA’s rules. Accepting deposits is clearly identified as an activity requiring authorization, and only firms authorized to accept deposits may use the name “bank” or “building society.” |
| 5. Licensing criteria | C | Especially through the application of the U.K.’s “Threshold Conditions,” the U.K.’s licensing criteria appears to ensure that a firm once authorized can be supervised effectively. |
| 6. Transfer of significant ownership | C | While neither the European Banking Authority (EBA) nor the U.K. supervisors have issued guidance regarding ultimate beneficial owners, the EBA and U.K. supervisory agencies reference requirements regarding major shareholders of a company (in the EBA’s guidelines) or any entity or individual who is to become a shareholder, which would include ultimate beneficial owners. Consequently, beneficial owners would be subject to scrutiny similar to other shareholders in evaluations regarding the transfer of significant ownership. |
| 7. Major acquisitions | C | While the UK legislation does not define the term ‘major acquisition,’ it sets forth notification requirements that result in an expansive definition, which covers any proposed business expansion with a potentially significant impact on the firm’s risk profile or resources or in its capital adequacy or solvency. These criteria apply to any operation of significant impact, be it the acquisition of a bank or nonbank, EU or non-EU. Once notified, U.K. authorities have the necessary powers to approve or reject requests to undertake major acquisitions that raise concerns about the risk that may result or the authorities’ abilities to supervise the firms. |
| 8. Supervisory approach | LC | Important progress has been achieved in adopting a more rigorous and “hands-on” approach, especially for the most systemically important firms. Opportunities remain to undertake more testing and probing, even in the largest firms. A better balance must be achieved in the supervision of less systemically important firms, as offsite monitoring remains the primary means of supervision. |
| 9. Supervisory techniques and tools | LC | Supervisors apply a range of supervisory tools more actively in the supervision of systemically important firms. While supervisors may need to employ external experts to assist with some reviews, reliance on skilled persons and “deep dives” still does not achieve the benefits of onsite supervision that includes transaction testing and greater probing of issues. |
| 10. Supervisory reporting | C | Thanks also to the EU-harmonized reporting framework, a wide range of data is collected for supervisory reporting. The degree of detail is generally adequate, though opportunities remain to develop better data on credit exposures and performance. |
| 11. Corrective and sanctioning powers of supervisors | C | In the prior FSAP, U.K. authorities received a recommendation to make more proactive use of corrective action and sanctioning tools as part of a more formal early intervention framework. The creation by the PRA of the proactive intervention framework (PIF), with five explicitly defined stages, provides U.K. supervisors with a more formal process and a supervisory tool that describe steps supervisors—and the RD of the BoE—must take as a firm’s condition deteriorates. |
| 12. Consolidated supervision | C | U.K. authorities supervise banking groups on a consolidated basis; prudential standards are imposed at different levels of consolidation; supervisors routinely analyze information collected on both a consolidated and solo basis in order to inform their assessment of the risks posed to the safety and soundness of the banking groups. |
| 13. Home-host relationships | C | The U.K. authorities, in their capacity as both home and host supervisors of cross-border banking groups, regularly share information and cooperate with foreign authorities for effective supervision of groups and group entities. Foreign banks operating in the U.K. are subject to the same standards as those required of domestic banks. |
| 14. Corporate governance | LC | Weaknesses identified in the current APR may be addressed through the new SMR, which seeks to identify the accountability of individuals in significant roles on an ongoing basis. Corporate governance reviews appear to have taken place predominantly in the largest, most systemically important firms (“Category 1”) and not in other firms, although the PRA has released guidance during this assessment outlining an approach to evaluating governance issues across all supervised firms going forward. |
| 15. Risk management process | C | The PRA has set up a comprehensive and articulated framework for the supervision of bank’s risk-management systems, which allows it to perform a range of analyzes and reviews (including of banks’ EWRM, particularly on the largest banks, with more breadth and depth than it was the case for the FSA. The introduction of the CST for major U.K. banks is seen as a factor that raises the standard of banks’ risk-management practices. The smaller institutions receive a lower degree of attention and are rarely examined by risk specialists: which, per se, is quite natural, given their more limited degree of complexity and systemic impact, but raises legitimate questions that have been further elaborated elsewhere (CP 8 and 9). |
| 16. Capital adequacy | LC | The current model change review policy does not ensure that the reliability of internal model banks’ capital requirement calculations is adequately scrutinized. Some of the elements of non-compliance of the EU legislation/regulation on capital with the Basel standard (as revealed by the December 2014 regulatory consistency assessment program (RCAP) are relevant for the U.K. banking system, though the U.K. implementation of the European framework is more conservative for other aspects. |
| 17. Credit risk | LC | Lack of explicit supervisory guidance on credit risk managements for the generality of banks. |
| 18. Problem assets, provisions, and reserves | LC | AQRs at nonsystemic banks are too sporadic to ensure an adequate scrutiny of their asset classification and provisioning. |
| 19. Concentration risk and large exposure limits | C | The EU framework for LE is not aligned with the Basel standard; which, however, will take effect only from January 2019. As regards concentration risk, the assessors found evidence of an overall robust framework, particularly advanced for credit risk concentration under Pillar 2, and less structured, but still effective for other forms of risk concentration (such as market and liquidity risk). |
| 20. Transactions with related parties | C | The PRA Rulebook complies with the BCP definitions of related parties and related party transactions and sets out most of the requirements cited in the principle. Aggregate information on transactions with related parties is obtained from banks though a semi-annual FINREP report. Non-FINREP banks (the majority of U.K. banks) provide information on transactions with related parties in their annual reports; such frequency does not ensure an adequately intense supervision of transactions with related parties at medium and small banks (which falls within the general finding under CP 8). |
| 21. Country and transfer risks | C | At the prior FSAP, assessors recommended that U.K. supervisors adopt a more proactive approach to the supervision of country and transfer risk. The PRA does appear to engage to a greater degree than before on these risks with the largest and most systemically important firms. More work could be done to evaluate and monitor smaller firms’ exposures to country risk, though these firms may have fewer such exposures. |
| 22. Market risk | C | The PRA periodically reviews banks to assess that their market risk-management processes are consistent with their risk profile, risk appetite, systemic importance, and capital strength. |
| 23. Interest rate risk in the banking book. | C | Continued weaknesses in the measures and comparability of IRRBB measures across firms may be addressed in forthcoming changes in EU’s and BCBS’s approach to this risk. These changes may remediate suggestions raised in the prior assessment to improve outlier analysis of this risk in mid-sized and smaller firms. |
| 24. Liquidity risk | LC | The PRA is equipped with a liquidity risk framework that is overall robust, structured, consistently implemented. The EU Regulation on liquidity is not aligned with the Basel standard. |
| 25. Operational risk | C | Supervisors report that they now customize their operational reviews more closely to the key risk exposures that the largest firms face. The more strategic use of several deep dives spread out over three years for each of the largest firms may raise questions about whether this pace of review is sufficient to ensure that large firms are keeping pace with the state of the article in operational risk management. |
| 26. Internal control and audit | C | Supervisors have strengthened their engagement with control functions as well as internal and external auditors, especially in the largest and most systemically important firms. In smaller firms, supervisors have fewer touch points to ensure that control functions and auditors are functioning as expected. |
| 27. Financial reporting and external audit | C | The law requires U.K. banks to prepare financial statements and to maintain books and records that produce adequate and reliable data for the preparation of financial statements. The FCA, through the U.K. Listing Authority, has responsibility for enforcing the requirements for the preparation of financial statements on listed banks. The PRA reviews firms’ ability to produce adequate and reliable data. The lack of formal powers to access external auditors’ working papers is mitigated by the close collaboration of the PRA with the Financial Reporting Council (FRC) (which has right of access to the auditors’ working papers), the use the PRA makes of this collaboration to address areas of its own concern, and the consideration that information from external auditors is only a complementary aspect of bank supervision in the U.K. |
| 28. Disclosure and transparency | C | The combined expectations set by the CRR, plus the requirements set out in U.K. financial reporting guidelines and audit frameworks, help to ensure that supervised firms are reporting on a consolidated and, where appropriate, solo basis that is easily accessible and fairly represent their condition and performance. |
| 29. Abuse of financial services | LC | Testing of the management and control of exposure to financial crime and the abuse of financial services is limited and raises questions of whether supervisors engage in sufficient testing to ensure that these risks are well managed. The prior assessment’s concerns remain that “pockets of financial activities…receive less than adequate supervision.” |
Recommended Actions and Authorities Comments
A. Summary of Recommended Actions
Recommended Actions to Improve Compliance with the BCP and the Effectiveness of Regulatory and Supervisory Frameworks
Recommended Actions to Improve Compliance with the BCP and the Effectiveness of Regulatory and Supervisory Frameworks
| Reference Principle | Recommended Action |
|---|---|
| Principle 1 | PRA to incorporate into its approach to risk an explicit consideration of reputational risk, including related to the possible failure of nonsystemic banks. |
| Principle 2 | Reevaluate the adequacy of PRA resources and of its operating model for the overall effectiveness of its supervisory activity. |
| Principle 8 | Evaluate adequacy of supervision, especially of less systemically important firms, and whether current arrangements provide sufficient testing to ensure that all firms are operating safely and soundly and in compliance with laws, regulations, and supervisory expectations. |
| Principle 9 | Seek more ways to validate and probe statements in banks. Evaluate whether “deep-dives” provide sufficient, ongoing insight into major firms, and whether key skills need to be developed within staff. |
| Principle 14 | Promote efforts to make managers in financial institutions more accountable for actions or inactions. Ensure that corporate governance is appropriately supervised in firms beyond the largest and most systemically important, including through the implementation of recently released supervisory guidance. |
| Principle 16 | Revise the model change review policy to ensure that the reliability of large banks’ capital requirement calculations is adequately scrutinized. |
| Principle 17 | Provide more explicit guidance on supervisor’s expectations to the generality of banks. Consider establishing regular access to (and elaborations from) broad databases with loan level information. |
| Principle 18 | Devise operational enhancements to secure a minimum level of direct scrutiny of banks’ asset classification and provisioning also for the generality of nonsystemic banks. Require banks to set and periodically review an appropriate threshold for the identification of significant exposures. |
| Principle 19 | Require banks to set thresholds for acceptable concentrations of risk. |
| Principle 20 | Introduce regular infra-annual reporting of transactions with related parties for non-FINREP banks. Ensure regular monitoring of compliance with the rules on transactions with related parties for all banks. |
| Principle 21 | Consider how to mitigate risks of missing issues in mid and small banks. |
| Principle 24 | Continue to promote a closer alignment of the EU regulatory framework with international standards. |
| Principle 25 | Evaluate assumptions underlying the deployment of SRS with regard to operational risk to ensure that all firms, and not solely systemically important ones, are managing this risk appropriately. |
| Principle 29 | Propose stronger and more proactive backstops for evaluating banks in the lowest risk categories more frequently to assess the quality of their controls and risk-management to avoid exposures to financial crime. |
Recommended Actions to Improve Compliance with the BCP and the Effectiveness of Regulatory and Supervisory Frameworks
| Reference Principle | Recommended Action |
|---|---|
| Principle 1 | PRA to incorporate into its approach to risk an explicit consideration of reputational risk, including related to the possible failure of nonsystemic banks. |
| Principle 2 | Reevaluate the adequacy of PRA resources and of its operating model for the overall effectiveness of its supervisory activity. |
| Principle 8 | Evaluate adequacy of supervision, especially of less systemically important firms, and whether current arrangements provide sufficient testing to ensure that all firms are operating safely and soundly and in compliance with laws, regulations, and supervisory expectations. |
| Principle 9 | Seek more ways to validate and probe statements in banks. Evaluate whether “deep-dives” provide sufficient, ongoing insight into major firms, and whether key skills need to be developed within staff. |
| Principle 14 | Promote efforts to make managers in financial institutions more accountable for actions or inactions. Ensure that corporate governance is appropriately supervised in firms beyond the largest and most systemically important, including through the implementation of recently released supervisory guidance. |
| Principle 16 | Revise the model change review policy to ensure that the reliability of large banks’ capital requirement calculations is adequately scrutinized. |
| Principle 17 | Provide more explicit guidance on supervisor’s expectations to the generality of banks. Consider establishing regular access to (and elaborations from) broad databases with loan level information. |
| Principle 18 | Devise operational enhancements to secure a minimum level of direct scrutiny of banks’ asset classification and provisioning also for the generality of nonsystemic banks. Require banks to set and periodically review an appropriate threshold for the identification of significant exposures. |
| Principle 19 | Require banks to set thresholds for acceptable concentrations of risk. |
| Principle 20 | Introduce regular infra-annual reporting of transactions with related parties for non-FINREP banks. Ensure regular monitoring of compliance with the rules on transactions with related parties for all banks. |
| Principle 21 | Consider how to mitigate risks of missing issues in mid and small banks. |
| Principle 24 | Continue to promote a closer alignment of the EU regulatory framework with international standards. |
| Principle 25 | Evaluate assumptions underlying the deployment of SRS with regard to operational risk to ensure that all firms, and not solely systemically important ones, are managing this risk appropriately. |
| Principle 29 | Propose stronger and more proactive backstops for evaluating banks in the lowest risk categories more frequently to assess the quality of their controls and risk-management to avoid exposures to financial crime. |
B. Authorities’ Response to the Assessments
78. The U.K. authorities welcome and support the IMF’s comprehensive review of the U.K.’s supervisory and regulatory framework and its acknowledgement of the significant progress made since the last FSAP in 2011 through the adoption of a more rigorous, hands-on and systemically focused approach to banking supervision. The assessment has come at an important time for the U.K. authorities as they continue to develop and transition to the new regulatory structure and supervisory approach.
79. The ambition of the U.K. authorities is for the U.K. financial services sector to be the best regulated in the world, aligning competitive and innovative markets of unquestioned integrity with the highest standards of conduct.
To this effect the U.K. has taken a number of steps, including the following:
continuing to be a leading advocate for tough capital and leverage requirements and liquidity standards;
introducing a robust resolution regime and adopting total loss absorbency standards, a bail in tool and structural reform of the banking system;
putting in place the Senior Managers and Certification Regime to ensure strong governance, better accountability of senior executives and higher standards of conduct in the banking sector;
ensuring better alignment of financial incentives of senior risk takers with the longer term financial soundness of their firms; and
prioritizing a high degree of protection for consumers of financial services, improving standards across the industry and taking tough enforcement action against those who do not meet them.
80. The United Kingdom’s approach is centered on forward looking, judgment based prudential and conduct regulation. A key element of the U.K. approach is that it does not seek to operate a ‘zero failure’ regime. Rather it seeks to ensure that a financial firm which fails does so without significant disruption to the supply of critical financial services or a material negative impact on consumers. Therefore, the U.K. approach continues to be risk based, with resources devoted to those areas where the risk to financial stability is the greatest. The U.K. authorities believe that the current level of scrutiny given to the supervision of smaller firms is appropriate, proportionate and is in line with their statutory objectives, including ensuring the safety and soundness of the U.K. financial system.
81. The U.K. authorities welcome the IMF’s findings regarding the effectiveness of AML/CFT supervision, and its recognition of the positive and significant progress that has been made since the last FSAP in 2011 in expanding and strengthening supervisory activities in this area.
82. The FCA’s approach to AML supervision is risk-based and outcome focused to encourage good industry AML/CFT standards. In line with the U.K. authorities’ risk-based supervision, resources are targeted at those banks and their activities which give rise to high money laundering risk. The U.K. authorities consider the approach to supervising lower risk banks—through thematic reviews, event-driven supervision and alerts from other domestic and overseas law enforcement/supervisory authorities—to be proportionate, effective and in line with the wider risk-based approach adopted.
83. Once again, the U.K. authorities wish to express their support for the role of the FSAP in contributing to improvements in supervisory practices and promoting the soundness of the financial systems in member countries. The U.K. authorities look forward to continuing the dialogue with the IMF and other global counterparts to work to improve the stability and effective supervision of the global financial system.
1
Bank of England, Financial Stability Report, July 2015.
2
At the end of 2012, banking assets in the U.K. were more than four times the size of the country’s gross domestic product. The current Governor of the Bank of England has shared a view that banking assets could constitute more than nine times the country’s GDP by 2050. Mark Carney, “The U.K. at the Heart of a Renewed Globalization,” a speech as part of the Financial Times 125th anniversary celebrations, London, October 24, 2013, available at http://www.bankofengland.co.uk/publications/Documents/speeches/2013/speech690.pdf.
3
Minimum requirements that firms must meet in order to be permitted to carry on the regulated activities in which they engage. The Threshold Conditions are codified in FSMA. In broad terms, they require firms to have an appropriate amount and quality of capital and liquidity, to have appropriate resources to measure, monitor, and manage risk, to be fit and proper, and to conduct their business prudently.
4
This Detailed Assessment Report has been prepared by Pierpaolo Grippa (IMF) and F. Christopher Calabia (Federal Reserve Bank of New York). Mr. Calabia was “seconded” to the IMF for the purposes of this review, and as such the views expressed in this report do not necessarily reflect those of the Federal Reserve Bank of New York or of the Federal Reserve System.
5
This part of the document draws from the self-assessment presented by the authorities, as well as from Art. IV reports and other documents produced by the FSAP, some of which were not yet finalized at the time of this assessment. Unless otherwise stated, figures used in this section refer to December 2014.
6
Banks, building societies and credit unions are the only U.K. financial institutions authorized to collect deposits from the general public (deposit-takers). In the rest of this report, deposit-takers are collectively and more simply referred to as ‘banks,’ in line with the terminology adopted by the CP.
7
Banks, building societies, and credit unions are the only U.K. financial institutions authorized to collect deposits from the general public (deposit-takers). In this report they are collectively referred to as ‘banks,’ in line with the terminology adopted by the CP.
8
Previously, in February 2011, the Bank’s Court of Directors created an interim FPC to undertake, as far as possible, the future statutory role of FPC. The interim FPC held its first policy meeting in June 2011, and met on a quarterly basis thereafter.
9
A detailed explanation of the code-based approach, and how it fits into the U.K.’s overall regulatory framework, can be found in The U.K. Approach to Corporate Governance: https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/The-UK-Approach-to-Corporate-Governance.pdf.
10
The Kay Review of Equity Markets and Long-Term Decision Making, Final Report, Department for Business, Innovation and Skills, July 2012.
11
For the purpose of grading, references to the term “essential criteria” in this para. would include additional criteria in the case of a country that has volunteered to be assessed and graded against the additional criteria.
12
In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example nonbank (including nonfinancial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.
13
The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.
14
Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification.
15
See page 15 of the PRA’s 2015 Annual Report.
16
For it supervision on insurers, the PRA also has the objective of contributing to the securing of an appropriate degree of protection for those who are or may become policyholders.
17
See also par. 12 of ‘The PRA’s Approach to Banking Supervision’ (2014): “The PRA is [..] tasked with promoting the safety and soundness of all the firms it regulates and is entitled to prioritize its resources on those firms with the greatest potential to affect financial stability adversely, whether through failing or through the way they carry on their business.”
18
By contrast, EU regulations have direct effect, and do not need to be transposed into national law or regulations.
19
The FPC can also make Recommendations to other bodies, for instance the FRC or financial institutions directly, representative bodies such as the British Bankers’ Association, HMT, and the BoE itself.
20
In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank.
21
In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011.
23
The CST framework, introduced in 2014, entails annual stress test exercises carried out concurrently across major U.K. banks with the aim to assess the resilience of the system as a whole (macroprudential perspective) and deliver greater consistency in the PRA’s approach to (microprudential) supervision, through a benchmarking of banks’ capital management and stress-testing processes.
24
The FCA Handbook contains both rules (marked with an ‘R’) and guidance (marked with a ‘G’). The old PRA Handbook was structured the same way; it is now in the process of being replaced by the PRA Rulebook, which includes only enforceable rules. The PRA now communicates its expectations to firms separately through SSs that can be found on the PRA website.
25
However it must be observed that, in the Chancellor’s ‘remit and recommendations’ letter of July 2015 to the FPC, the competitive position of the London marketplace is recalled: “I would like the Committee to consider how, subject to its primary objective to protect and enhance the stability of the U.K.’s financial system, its actions might affect competition and innovation, and their impact on the international competitiveness of the U.K. financial system.” In its reply, the Governor of the BoE (and Chairman of the FPC) states that “[t]he FPC will, where practicable in the context of its financial stability objective, consider how its policy actions (or decisions not to act) might affect competition, innovation and the international competitiveness of the U.K. financial system.” While this does not affect the U.K. authorities mandate formally, it could—through FPC recommendations or directions—increase the weight assigned by the PRA to non-prudential considerations in the discharge of its functions. At the time of assessment, there were no signs that this potential had materialized.
26
Please refer to Principle 1, Essential Criterion 1.
27
A skilled person review is one of the regulatory tools the PRA can employ under FSMA as amended by the 2012 Act. There are two types of skilled person reviews under FSMA that gives the PRA the power to commission reviews by Skilled Persons. The PRA use these powers to obtain an independent view of aspects of a firm’s activities that for example, cause concern or where further analysis is required. The Use of Skilled Persons Part of the PRA Rulebook sets out the PRA’s requirements for a Skilled Person Review. The Reports by Skilled Persons Supervisory Statement 7/14 sets out the PRA’s policy on, and expectations for, the use of these powers. http://www.bankofengland.co.uk/pra/Pages/supervision/activities/reportsskilledpersons.aspx.
28
The Human Rights Act 1998 (also known as the Act or the HRA) came into force in the United Kingdom in October 2000. It is composed of a series of sections that have the effect of codifying the protections in the European Convention on Human Rights into U.K. law. All public bodies and other bodies carrying out public functions have to comply with the Convention rights.
29
See the March 19, 2015 letter from Andrew Bailey, PRA CEO, to the Chairman of the Treasury Committee of the House of Commons (http://www.parliament.uk/documents/commons-committees/treasury/150319_Andrew_Bailey.pdf).
30
Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).
31
See http://www.fca.org.uk/search?collection=FCA-Meta&query=memorandum+of+understanding and http://www.bankofengland.co.uk/about/Pages/mous/default.aspx.
33
See the Bank of England’s Approach to Resolution: http://www.bankofengland.co.uk/financialstability/Documents/resolution/apr231014.pdf.
34
See the PRA’s Supervisory tools: Recovery and resolution: http://www.bankofengland.co.uk/pra/Pages/publications/ps/2015/recoveryresolutionupdate.aspx.
35
The Committee recognizes the presence in some countries of nonbanking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system.
36
This document refers to a governance structure composed of a Board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-Tier Board structure, where the supervisory function of the Board is performed by a separate entity known as a supervisory Board, which has no executive functions. Other countries, in contrast, use a one-Tier Board structure in which the Board has a broader role. Owing to these differences, this document does not advocate a specific Board structure. Consequently, in this document, the terms “Board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.
37
Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003).
38
CRR Art. 4(38) defines “close links” as “a situation in which two or more natural or legal persons are linked in any of the following ways: (i) participation in the form of ownership, direct or by way of control, of 20 percent or more of the voting rights or capital of an undertaking; (ii) control; and (iii) a permanent link of both or all of them to the same third person by a control relationship.”
39
FSMA 2000, Order 2013, para. 5E (http://www.legislation.gov.uk./ukdsi/2013/9780111533802).
40
Please refer to Principle 14, Essential Criterion 8.
41
Individuals seeking to take on certain roles defined by the PRA as “controlled functions” must receive approval from the PRA to do so at dual-regulated firms. Examples of such roles include serving as a director, a non-executive director, or chief executive at a supervised firm. A complete list of controlled functions can be found at the following website: http://www.bankofengland.co.uk/pra/Documents/authorisations/approvedpersons/pracfs.pdf.
42
Please refer to Principle 29.
43
While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.
44
CRR Art. 4(38) defines “close links” as “a situation in which two or more natural or legal persons are linked in any of the following ways: (i) participation in the form of ownership, direct or by way of control, of 20 percent or more of the voting rights or capital of an undertaking; (ii) control; and (iii) a permanent link of both or all of them to the same third person by a control relationship.”
45
In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank.
46
Please refer to Footnote 33 under Principle 7, Essential Criterion 3.
47
http://www.legislation.gov.uk/ukdsi/2013/9780111533802/pdfs/ukdsi_9780111533802_en.pdf Section 5D(5f).
48
http://www.legislation.gov.uk/ukdsi/2013/9780111533802/pdfs/ukdsi_9780111533802_en.pdf Section 5F(2d).
49
The EBA verifies NCA’s compliance through peer reviews, some time (usually 1–2 years) after implementation started.
50
In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.
51
Please refer to Principle 2.
52
Please refer to Principle 1, Essential Criterion 5.
53
Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.
54
May be external auditors or other qualified external parties, commissioned with an appropriate mandate and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts.
55
Please refer to Principle 1.
56
Described further at http://www.bankofengland.co.uk/pra/Pages/supervision/approach/proactiveintervention.aspx.
57
Please refer to footnote 19 under Principle 1.
58
CRR defines “parent institution” as an institution in a MS which has an institution or a financial institution as a subsidiary or which holds a participation in such an institution or financial institution, and which is not itself a subsidiary of another institution authorized in the same MS, or of a FHC or MFHC set up in the same MS.
59
Please refer to Principle 16, Additional Criterion 2.
60
See Illustrative example of information exchange in colleges of the October 2010 BCBS “Good practice principles on supervisory colleges,” for further information on the extent of information sharing expected.
61
Published June 2014: http://www.bankofengland.co.uk/publications/Documents/praapproach/bankingappr1406.pdf—see pages 34–35.
62
Chapter 3 of the Information Gathering Part of the PRA Rulebook.
63
Please refer to footnote 27 under Principle 5.
64
The Organization for Economic Cooperation and Development (OECD) glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables,” 2003, www.oecd.org/dataoecd/19/26/23742340.pdf, defines “duty of care” as “the duty of a Board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the Board member to approach the affairs of the company in the same way that a ‘prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “the duty of the Board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual Board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.”
65
“Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously.
66
Andrew Bailey in a speech at the City Banquet, London, October 16, 2014. See http://www.bankofengland.co.uk/publications/Documents/speeches/2014/speech763.pdf.
67
For the purposes of assessing risk-management by banks in the context of Principles 15–25, a bank’s risk-management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk-management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.
68
To some extent the precise requirements may vary from risk type to risk type (Principles 15–25) as reflected by the underlying reference documents.
69
It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk-management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.
70
The Prudential Regulation Authority’s “approach to banking supervision document,” 2014: http://www.bankofengland.co.uk/publications/Documents/praapproach/bankingappr1406.pdf.
71
As part of the PSM, the systemic importance of the bank is discussed (e.g., confirming the firm’s status as a Category 2–4 firm) and the impact of a failure of the firm on the wider U.K. financial system will be considered (e.g., “PIF” score).
72
Supervisory Statement (SS)20/15 “Supervising building societies’ treasury and lending activities” http://www.bankofengland.co.uk/pra/Pages/publications/ss/2015/ss2015.aspx.
73
Supervisory Statement 20/15 “SS20/15,” “Supervising building societies’ treasury and lending activities” http://www.bankofengland.co.uk/pra/Pages/publications/ss/2015/ss2015.aspx.
74
BIPRU 12.2 “Adequacy of liquidity resources” http://fshandbook.info/FS/html/PRA/BIPRU/12/2.
75
The PRA’s approach to banking supervision document, page 10, http://www.bankofengland.co.uk/publications/Documents/praapproach/bankingappr1406.pdf.
76
These expectations are set out in Section 2 of SS5/13 “The Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process.” http://www.bankofengland.co.uk/pra/Pages/publications/icaap.aspx.
77
New products include those developed by the bank or by a third party and purchased or distributed by the bank.
78
Supervisory Statement (SS)20/15 “Supervising building societies’ treasury and lending activities” http://www.bankofengland.co.uk/pra/Pages/publications/ss/2015/ss2015.aspx.
79
The PRA consulted in CP 17/15: “The PRA Rulebook: Part 3” to replace the rules and guidance in Chapter 21 of SYSC with a new Chapter in the PRA Rulebook. The draft rules are replacing the same as the rules in SYSC 21. This consultation closes on June 30, 2015. http://www.bankofengland.co.uk/pra/Pages/publications/cp/2015/cp1715.aspx.
80
Assets of more than GBP 250 million.
81
Supervisory Statement (SS)18/13 “Supervisory tools: Recovery and resolution plan—PS8/13, SS18/13 and SS19/13 UPDATED” http://www.bankofengland.co.uk/pra/Pages/publications/recoveryresolution.aspx.
82
The PRA consulted in CP 17/15: “The PRA Rulebook: Part 3” to replace the rules and guidance in Chapter 20 of SYSC with a new Chapter 15 in the ICAA part. The draft rules will apply to banks, building societies, and PRA-designated investment firms. The draft rules are replacing the same as the rules in SYSC 20. This consultation closes on June 30, 2015. http://www.bankofengland.co.uk/pra/Pages/publications/cp/2015/cp1715.aspx.
83
I.e.,: (i) credit risk; (ii) market risk; (iii) liquidity risk; (iv) operational risk; (v) insurance risk; (vi) concentration risk; (vii) residual risk; (viii) securitization risk; (ix) business risk; (x) interest rate risk (including in the nontrading book); (xi) pension obligation risk; and (xii) group risk.
84
SS6/13 “Stress testing, scenario analysis and capital planning” http://www.bankofengland.co.uk/pra/Pages/publications/stresstesting.aspx.
85
Supervisory Statement (SS) 20/15 “Supervising building societies’ treasury and lending activities” http://www.bankofengland.co.UK/pra/Pages/publications/ss/2015/ss2015.aspx.
86
The CP do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II, and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the CP, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.
89
Barclays, Cooperative Bank, HSBC, Lloyds Banking Group, Nationwide Building Society, Royal Bank of Scotland, Santander U.K. and Standard Chartered.
91
The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a standalone basis.
92
Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006.
94
In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (i) the potential loss absorbency of the instruments included in the bank’s capital base, (ii) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (iii) the adequacy of provisions and reserves to cover loss expected on its exposures, and (iv) the quality of its risk-management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses.
97
http://www.bankofengland.co.uk/pra/Documents/publications/policy/2013/strengtheningcapitalps713.pdf p.388–423.
98
“Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyzes and reverses stress testing.
99
Please refer to Principle 12, Essential Criterion 7.
100
A recent document on the review of the Target Operating Model reported a staff of 48 FTE specialists on credit risk, 43 on market and counterparty credit risk, 41 on risk infrastructure and liquidity.
101
Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
102
Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions, and trading activities.
103
Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.
105
“Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments.
106
Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
107
Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).
108
It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled.
109
Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.
110
This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies.
112
The measure of credit exposure, in the context of LE to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991).
113
Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on LE is still under consideration.
114
Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management, and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.
115
Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.
116
An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates).
117
Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporates, banks, or governments are covered.
118
Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistic–Guide for Compilers and Users, 2003).
121
Discussion Paper—Stress Testing: http://www.bankofengland.co.uk/financialstability/fsc/Documents/discussionpaper1013.pdf.
122
Wherever “interest rate risk” is used in this Principle the term refers to IRRBB. Interest rate risk in the trading book is covered under Principle 22.
127
The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
128
Internal staff memorandum to PRA Board, December 17, 2014.
129
Internal staff memorandum presented to the PRA Supervision, Risk and Policy Committee, “PRA Approach to Operational Risk Supervision for Banks,” March 19, 2014, p. 1.
130
Internal staff memorandum presented to the PRA Supervision, Risk and Policy Committee, “PRA Approach to Operational Risk Supervision for Banks,” March 19, 2014.
131
In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control, and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.
132
The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines.
133
The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative.
138
In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors.
146
For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor.
148
The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering, and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8, and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.
149
Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU.
150
According to the National Risk Assessment, this is the largest number received by a financial intelligence unit in the EU. See National Risk Assessment, p. 35.
151
National Risk Assessment, p. 6.
152
These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.
153
Sections 337 of the Proceeds of Crime Act 2002 define three criteria that permit a bank to disclose information, namely (1) that the information that is disclosed “came to the person making the disclosure (the discloser) in the course of his trade, profession, business or employment;” that the information (i) causes the discloser to know or suspect, or (ii) gives him reasonable grounds for knowing or suspecting, that another person is engaged in money laundering; and (iii) “that the disclosure is made to a constable, a customs officer or a nominated officer as soon as is practicable after the information or other matter comes to the discloser.”
155
Financial Action Task Force, “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: the FATF recommendations,” February 2012, p. 33.
156
Financial Conduct Authority, “How small banks manage money laundering and sanctions risk: Update,” TR14/16, November 2014, p. 6.