The message from the FCA was clear at fscom’s Payments Regulatory Outlook, as it has been for the previous number of years: keep the money safe. In this blog, we consider the FCA’s expectations of how payment and e-money institutions should handle prudential risk. In other blogs, we cover safeguarding and wind-down planning.
Financial resilience and prudential risk management were highlighted in the FCA’s most recent Dear CEO Letter as key priorities. Those from a banking background will have recognised the language as being similar to the ICAAP process; although the FCA hasn’t yet named the payments firms’ prudential regime. Perhaps PFPR?
The FCA is cognisant of the fact that many payments firms are unprofitable and reliant on external funding. The sector, which still attracts around 500 new applications a year, faces increasing competition from more established financial institutions seeking to make their own payments services more profitable.
Getting a new business to a point that it is financially viable in the short term and sustainable in the long term is a real challenge and given the events faced over the last two years, the regulator is actively monitoring the financial resilience survey data, which is now formalised in the regulatory reporting return FIN073 this year.
The direction of travel for payments regulations?
The regulator has the unenviable task of ensuring: the safety of customers’ money, financial system integrity and the best outcome for customers, all without discouraging innovation and growth in the payments sector! But as with all rapidly expanding sectors, controls will often lag behind growth. The FCA’s “PFRP” highlights their prudential expectations and should not be taken as just another compliance exercise. If done correctly, it will provide real benefit to payments firms.
The Value Add: why invest time in prudential risk management?
Holding the bare minimum capital and liquid assets can leave firms unable to cope with even a minor stress event; holding too much is a waste of resources that could be better deployed in innovation or new products, which could in turn provide sustainable profits and strengthen the capital base. The right amount of resources to be financially resilient lies between these two extremes and requires a robust risk assessment and scenario testing.
What you should have done by now
Risk assessment
The starting point for assessing financial risks is a review of the business model to understand:
- how money is made;
- how growth will be achieved; and
- the risks that could have the greatest impact on its ability to do so.
For payments firms, these are most commonly the loss of revenue and the cost of regulatory interventions arising from fraud, cyber attacks, system outages (third party providers in particular), safeguarding, and money laundering. Payments firms also need to have identified the much faster moving liquidity risks such as cashflow mismatches, and intraday liquidity shortfalls.
Firms should have quantified the gross impact of these risks, and the residual impact after any risk mitigation measures are applied. The understanding of risk mitigation is an important and often overlooked step that enables firms to reduce the amount of financial resources they need to hold against these risks and gives a steer on where to direct efforts to improve risk mitigation such as better systems, controls or insurance. For example, reputational damage arising from fraud can be estimated by assuming a certain percentage of clients leaving the business so firms can then extrapolate the impact on financial forecasts. The impact of mitigation is a judgment call based on the view of relationship managers.
Firms should have set their risk appetite for each of their key risks in quantitative terms, as well as qualitative, in order to reflect the view of the board. It must answer the question of how much the board is willing to lose on each of these risks.
By now, key risk indicators should have been set up to monitor against risk appetite and to enable control of risks throughout the firm. It is important to consider the frequency of monitoring as some indicators will move much faster than others. Where possible, firms should include forward-looking indicators that provide some warning and not just rely on backward looking indicators that show where a risk has already crystallised.
Stress testing
Firms are expected to have forecasted financial performance on a business-as-usual basis. Stress testing applies a range of scenarios to this forecast over a time horizon of at least three years. The scenarios should be severe enough to make a material impact to the forecasts, should be relevant to the firm’s business model, and should cover a scenario specific to the firm, a market-wide scenario, and a liquidity scenario.
A good place to start in coming up with scenarios can be recent events that have impacted similar firms and frank discussions among senior management regarding vulnerabilities in the business model which when triggered could result in a significant loss in revenue.
Stress testing inevitably relies on a series of assumptions which should be documented and challenged by senior management to ensure that they are realistic and appropriate. This may include for example, the actions of competitors in a market wide stress, or the expected haircut on the disposal of assets to generate liquidity.
Financial resources requirement
Having completed a risk assessment and stress testing, firms should be in a much more confident position to explain how much capital and liquidity they need to hold above their minimum regulatory requirement in order to address crystallised risks and an unforeseen stress event. Firms must then stay above this ‘buffer’ with frequent monitoring so it can be utilised in a stress event.
Management actions
Firms should not rely on capital and liquidity alone to get them through a stress scenario. It is also important to have a range of options or “Management Actions” that can be executed to provide additional financial resources as necessary. Having such options means that the firm would have to hold less capital or liquidity to address a stress scenario.
But they must be credible in order to be effective. For example, they must be able to deliver a material financial benefit within a short timescale appropriate to the speed of the stress, and the firm should be able to demonstrate that they can actually be executed in a stress. The most common management actions we tend to see include financial support from the group and cost cutting. Group support can be a rapid option but may not be available if the group itself was under stress, and cost cutting can take time to realise the full benefit. Therefore, it is important for firms to have a diverse range of management actions that they can deploy in a variety of stress scenarios.
Governance
Underpinning all of the above is robust governance and oversight. Many of the failures of financial firms can be traced back to poor governance. It is therefore imperative to have the right people with the right skillsets in place to manage risks, and to have senior management that has the expertise and experience to provide oversight and challenge on prudential risk management.
Good oversight relies on the high-quality management information which should be driven by senior management in terms of content and quality; they know what they want to see and must be able to rely on its accuracy. Management information should be reviewed regularly to ensure it remains appropriate to business and its market environment.
Conclusions
There are strong reasons for firms to develop their prudential risk management other than meeting the regulator’s expectations:
- Understanding the risks within the firm and having the right controls in place can help ensure the firm is still standing after the next stress event.
- Optimising deployment of capital to address risks can free up funds for innovation allowing firms to remain competitive.
fscom has helped payment and e-money institutions to manage their prudential risk and our team can help you do the same. If you would like to speak to Rick Seehra or any of our prudential experts, please get in touch.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.