Overall
Pre-pandemic the Prudential Regulation Authority (PRA) initiated a series of reviews looking at the accuracy of regulatory returns. Following this exercise, the regulator issued a Dear CEO letter to summarise the results. Their findings highlighted a systemic issue with banks regulatory returns, which needs to be addressed by the industry. The letter stated that “Overall, we were disappointed to find significant deficiencies….multiple firms did not treat the preparation of their regulatory returns with the same care….they apply to financial reporting…there is an increased risk of material misstatements”
Whilst institutions who have been subject to review will be considering their way forward in addressing these concerns, there are actions and lessons that all reporters can take to improve processes and reporting.
Actions
Governance
1. Appoint one very senior person with responsibility for the entire front-to-back and cross-functional processes. The PRA noted that responsibilities were sometimes dispersed too broadly and delegated too far down the organisation to allow for effective oversight.
2. Document the entire processes (e.g. from trade capture to regulatory reporting). This should include clear responsibilities for the entire end-to-end regulatory return production process. This documentation should be kept up to date and accessible and be mapped to relevant senior management functions.
3. Do regular independent testing and validation of processes using your internal audit function where appropriate.
4. Ensure all regulatory interpretations are clearly documented and reviewed regularly, as well as signed-off at the appropriate level. This may require examining interpretations which were previously hard coded into IT systems but not otherwise documented, so these should be checked too.
5. Talk to your supervisor and resubmit returns if material errors are found.
Controls
6. Get your record keeping for your models up to scratch. This should include documenting the original model application, its approval and any model changes that need regulatory sign-off. The PRA specifically called out poor record keeping of original documentation as an issue.
7. Review any spreadsheets you use to make sure they are still logical and well controlled. ICAEW’s Excel Community issued guidance in October 2021 on effective spreadsheet review.
8. Reconcile your regulatory returns to the general ledger or other appropriate records at every submission.
Data & investment
9. Build a plan to cease reliance on outdated reporting systems and manual data entry. The PRA noted a lack of investment which makes returns more prone to error. Banks must start to prioritise investment in data systems for a simpler and more efficient infrastructure, which has not been considered possible in recent years.
10. Where there is incomplete data, check that loan assets have been allocated to the right exposure class.
Next Steps
The PRA’s letter conveys the seriousness of the issues found in subtle yet certain terms. The regulator is clear that they will look at how best to continue their focus on regulatory reporting, but it is likely that there will be further skilled person reports in this area. Whilst these reports are not necessarily used regularly, the PRA has the power to use them again to further their objectives where failings have been found.
Depending upon the need, an appetite for a more systematic independent assurance of regulatory reporting, the continuing use of skilled persons would need to be considered carefully so as to avoid the perception of a new rule without consultation. Given the context, it is unlikely that the scope of any subsequent skilled person reports will be identical, nor will the process necessarily continue for the next five years. It therefore seems unlikely that we are seeing a return to the days of Section 39 reviews (Banking Act 1987) and a regular annual review of regulatory returns. However, banks should expect a follow-up on the issues raised, as well as a wider set of firms potentially being subject to review. The skills to deal with reporting, reviews and remediation are in high demand as the industry prepares.
A role for statutory auditors?
Based on the evidence of the PRA’s recent S.166 reviews, it is very clear that more focus, scrutiny and independent challenge is required around regulatory returns.
However, it is not yet clear what form that independent challenge will take. Whilst now we are seeing increased use of the s166 tool and extensive "voluntary" assurance activities being performed by banks, in due course we may see further mandated assurance, possibly by means of independent, external audit (or similar).
For example, capital ratios and risk-weighted assets are prominent in annual reports and investor presentations. The question has therefore arisen as to whether bank capital or regulatory returns will be considered as part of the reform of the scope of statutory audit. The importance of these metrics was acknowledged in the Brydon review, where it was suggested that, rather than auditors doing work on risk-weighted assets that ”… it would be appropriate for consideration to be given by the PRA to the possibility of sending the auditor a letter of comfort (as an input to the auditor’s assessments) regarding the work it has undertaken in relation to validating the models from which the risk weighted assets are derived.” 1
However, the recent BEIS consultation which followed the Kingman and Brydon reviews instead suggested that the Audit & Assurance Policy is the best way to tackle the need for and nature of assurance around metrics like bank capital.
“While the Government is not mandating an extension of statutory audit, it recognises that an Audit and Assurance Policy can be expected to lead to more companies considering whether independent assurance is desirable on elements of company reporting that require specialist knowledge and skills which financial auditors may not be able to provide.” (Paragraph 3.2.8)
This approach would mean that banks would individually consider their assurance needs and the best ways to gain assurance, ensuring proportionality and the ability to take a risk-based approach. It would also mean however that there could be a variety of approaches adopted, meaning effort needed from investors and other users of reporting and assurance to understand exactly what assurance was being gained, in an environment where there are already high volumes of information to digest, and confusion over the audited/unaudited status of that information in some areas.
At the time of publication, it is expected that the crucial date for the audit and corporate governance reform legislation will be the Queen’s speech in spring 2022.