At our Q1 2024 Banking Regulatory Outlook event, we heard from fscom experts Rick Seehra, Alison Donnelly and David Norton, along with guest speaker Aris Asimakis, CRO of CashPlus.
Key focus areas discussed during the lunch included:
- Building effective relationships between financial institutions and the regulators;
- Operational resilience – challenges and approaches in meeting the PRA’s expectations; and
- Consumer Duty – the progress so far and lessons learned.
Introduction
In the world of risk and compliance, it is always helpful to understand how your peers feel about the challenges that you are facing as a financial institution. Nobody likes being an outlier, and there is comfort in knowing that the approach you are planning has already been tried by someone else. Our recent roundtable provided exactly that, and our guests, mainly risk professionals from UK banks, generously shared their time and their observations on some very topical subjects.
Subject 1: Building effective relationships between financial institutions and the regulators
Most compliance officers would agree that any interaction with the regulators must be handled with care. Handled well, a meeting with the supervision team can continue to build trust; fumbled, it could bring a significant increase in scrutiny and in the regulatory compliance burden for the next 12 months. If such meetings consistently go very badly, the reputation of the board and the senior managers could be tarnished amongst regulators.
Supervision teams are under similar pressure: they are expected to build rapport with a firm that may be facing its fourth supervisor in as many years, use their limited time to discover the pertinent facts, and ensure their messages are understood and accepted. All without any fist-pounding from either side of the table (it happens).
Observations on the PRA and the FCA
The participants had good relationships with both the PRA and the FCA but noted the difference in style between the two regulators. The PRA tends to be more collaborative, making it easier to build a relationship with supervisors, while the FCA takes a more arm’s length approach, which gives the relationship and its outcomes a very different feel. It was therefore not surprising that most of the observations focused on the better understood regulator, the PRA:
- The PRA have been clear that they are not consultants, but they do try to give a steer where possible and tend to be a little more flexible in that position than the FCA, which prefers firms to seek advice elsewhere.
- The tone from the regulators in a meeting is often very different from the tone of a letter following the meeting. Participants found that the regulator is usually more conservative on paper.
- Participants agreed that the Dear CEO letters were a great opportunity for the regulators to provide valuable insight into what matters to them, and they would welcome more regular guidance on important themes.
- It was felt that the PRA have more time for larger firms than for smaller ones, which was not always helpful; participants would welcome more meetings.
- Supervisors seem to change quite regularly making it difficult to maintain a relationship.
- The PRA’s ethos seems to be “do the right things well” which generally aligned with participants’ own values.
- Participants saw value in PRA staff having spent time in industry before joining the PRA and would welcome more senior or specialist staffing, although they acknowledged that such people are difficult to attract from higher-paying industry jobs.
- The PRA like to see a balanced use of capital between meeting regulatory requirements and revenue growth.
What does having a good relationship with the regulator mean in practice?
First, it is important to remember that regulatory relationships and regulatory outcomes are very separate things. Having a good relationship with the regulator does not necessarily result in a good regulatory outcome. Ultimately, supervisors must make a case to their internal moderating panel to demonstrate that their proposed outcomes are fair and appropriate, ensuring all firms are treated consistently within their peer groups.
General approach
Aim for regular and frank discussions with supervisors to give them confidence that you are engaged with the issues and to ensure you are both on the same page.
Video calls are fine for quick catch-ups, but if there are any material issues it is important to have a face-to-face conversation: a personal touch is effective both in escalating issues and in calming the waters.
In any meeting, it is important to know which area within the regulator you are interacting with. Supervision, policy and industry-champion teams all have different approaches and objectives and can offer different levels of insight, so tailor your preparation to their focus areas.
Preparation
Training staff to have direct conversations with the regulators is an important step in preparing for engagements and setting the right tone. This ensures that there is consistency across the firm in understanding the regulators’ approach, objectives and messaging and in providing the right information or asking the right questions.
A well-trained team can be highly effective in achieving the right outcomes for the firm and for the regulators. An unprepared team can inadvertently cause the regulators concern through a misspoken word or a misunderstanding of the board’s view on a given issue.
Second- and third-line strength is critical. They must be able to clearly explain the business, its activities and their role and responsibilities. They must be fully aware of the issues facing the firm, the regulators’ objectives and the position of the senior management. They should be confident without being brash or deflective.
Getting MI and regulatory reporting right makes a significant difference to the tone of the meeting before it starts, because the supervisors will have reviewed it beforehand. A history of providing inaccurate data means the regulators will be obliged to probe for detailed confirmation of the facts, which makes it harder to build trust from the outset.
During the meeting
Be ready to discuss pertinent issues, particularly any that have potential to cause harm to the firm, its customers or the market, and clearly describe actions, results and outcomes. The supervisor should walk away confident that the firm is in safe hands.
It is important to set the discussion at the right level by focusing on what matters. Avoid too much detail, but do not skim over difficult or contentious areas either. Be open and transparent, and be able to fully evidence any assertion without supplying all the minutiae. If they want all the details, they will ask.
Where necessary, get clarity on any decisions the regulator has made and on how they are making their assessments.
Assign a dedicated note taker to ensure all relevant points are captured.
After the meeting
Have an internal debrief and compare notes to ensure everyone understands the outcomes – it’s easy to miss a key point while making a quick note in a meeting.
Be sure to assign an owner to each action and ensure there is a mechanism to track progress.
Follow each action through to completion and ensure it can be evidenced.
Report progress to the regulators regularly so that their confidence continues.
To build trust, it is important to do what you say you will do. But things don’t always go to plan and if you need to change plans, engage early, explain the rationale, propose a new timeline, then make it happen.
Missing deadlines, failing to update the regulators, or missing important aspects or key deliverables are easy ways to erode the trust you have earned with the regulators, and with it your capacity to ask for more time. Repeated delays are red flags, and your supervisor will come under pressure to take action.
Subject 2: Operational resilience
The UK rules and guidance on Operational Resilience came into force in March 2022, and firms have until 31 March 2025 to be fully compliant. By then, they must have performed comprehensive mapping and testing to understand their important business services (IBS), set impact tolerances, and made the investment necessary to ensure they can remain within those impact tolerances.
Firms captured by DORA, which is more prescriptive around ICT and cyber resilience than the PRA and FCA requirements, will need to perform a gap analysis and comply with both regimes.
Observations
The participants’ firms were at varying stages of readiness, but nearly all had identified their important business services and considered scenarios. Some firms have Operational Resilience firmly embedded, led by the CEO as executive champion, and undertake extensive testing and scenario-based analysis.
By now, firms are expected to have assigned dedicated Operational Resilience responsibility, proportionate to their size. Many of the participants felt that this function was adequately resourced and that responsibilities had been assigned.
Also by now, firms should have devised ‘severe but plausible’ scenarios and be testing their ability to remain within their impact tolerances. They should be recording the results of the testing carried out, any lessons learned and setting in place a remediation plan to address any vulnerabilities.
Lastly, firms should be incorporating Operational Resilience into their overall risk management frameworks and ensuring it forms part of their resilience strategy going forward.
Issues and difficulties
Some firms noted their reliance on third parties such as SWIFT, AWS and other cloud services, which are critical to their infrastructure but too large for any single firm to manage. This is an industry-wide risk: firms cannot push these dominant providers to adopt the required standards, because the providers do not themselves fall directly under the requirements. The regulators recognise this, and their consultation on Critical Third Parties will allow suppliers of critical services to be designated where disruption to them would have a particular impact on the UK market as a whole. Designation will not, however, remove the need for firms to gain assurance on the resilience of each third party used to deliver important business services to clients.
Priorities for implementing Operational Resilience
The participants recommended the following points in implementing operational resilience.
Whilst it is critical to apply the operational risk lens onto a firm’s important business services, firms must also delve into the vulnerabilities in the marketplace.
Important and critical business services should be mapped now, and, with the forthcoming DORA affecting many UK firms directly, it is important to evidence:
- Identification of the services;
- Mapping, with the rationale behind it; and
- Impact tolerances linked to serious harm, together with the supporting assessment.
There should be a keen focus on testing from this point in time up to the March 2025 deadline.
From the discussion on the number of IBS and the granularity of approach, it was concluded that the approach must be relevant to the firm and that there is no one-size-fits-all answer. Hundreds of IBS will likely lead the regulators to conclude that the concept has not been properly thought through. Be comprehensive but focused, so the exercise stays manageable.
IBS should always focus on the client deliverable and the risk of harm. There must be an assessment of how long a disruption can be withstood and of any practical workarounds to mitigate the impact.
IBS should be tested up to, or just below, the point at which the impact tolerance would be breached.
Operational Resilience has to be part of the DNA of a firm and subject to constant review and refresh.
There is an overwhelming need to adopt a ‘whole firm’ approach, to avoid unilateral thinking or the omission of critical areas. For example, operations and finance are key to understanding IBS impacts and must be properly represented.
The regulator expects to see input and consideration from all critical functions across the whole firm.
Mapping should already be evidenced. In the current transition phase, test scenarios and revisit them; the focus on severe but plausible scenarios must be evident. Think of Covid as a reminder that such events are possible.
Subject 3: Consumer Duty
One year on from the FCA’s Dear CEO letter on implementing the Consumer Duty, we found that firms are still on a journey to practically embedding the Duty.
Observations
Generally, the participants felt that implementation of the Duty was progressing well within their organisations, with:
- clear internal focus with stretching but realistic action plans in place;
- engaged Champions and leadership from the Board;
- policies and procedures drafted and updated, as appropriate;
- training and controls embedded; and
- management information collated and analysed.
However, uncertainty persists as to how implementation efforts compare with those of industry peers and with the regulator’s expectations. It is difficult for firms to judge whether their efforts are pitched at the right level without feedback from the regulator in the form of a thematic review or even enforcement action.
Participants agreed that as the Duty evolves in practice over the next year, it will be interesting to see which best-of-breed approaches emerge. Audits will also help to set a framework approach and outline focus areas for firms. Participants were looking forward to further clarity over the coming period.
Issues and difficulties
The participants highlighted some of the challenges they had faced in implementing Consumer Duty over the last year.
- Getting the message across the firm has proven difficult, because take-up varies between risk-focused and non-risk-focused employees.
- Firms are not sure whether they are implementing the Duty at the right level.
- Pulling together the relevant data remains a struggle, as many firms still run on Excel and much of the data is incomplete or in a form unsuitable for analysis.
Lessons learned
Fortunately, the list of tips for implementing Consumer Duty was longer than the list of challenges.
- Each firm should have a strong consumer champion, ideally an INED, though normally a NED, with accountability and expertise in the area. The champion’s focus is expected to limit the risk of complacency as time goes on.
- As a risk area, Consumer Duty should be adequately resourced.
- Training is clearly very important but some firms are experimenting with financial incentives for good behaviour, hoping to ensure good outcomes.
- Some firms are publishing their Consumer Duty performance MI on their websites as a marketing tool promoting their business.
- One test used by a firm is “Would you give it to your grandmother?”
- Time must be invested in embedding the Duty in the business otherwise it is just a tick box exercise.
In summary, the Banking Regulatory Outlook event provided valuable insights into the key trends and priorities shaping the banking sector. Moving forward, continued collaboration between industry stakeholders and regulators will be crucial in navigating the ever-evolving regulatory landscape and fostering a resilient, customer-centric banking sector.
This blog contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.