On 11 January the UK Prudential Regulation Authority (PRA) published its 2024 supervisory priorities for UK banks and International banks.
Each year, in early January, the PRA publishes its supervisory priorities for the year ahead, for each of its supervision directorates (UK deposit takers, international banks and insurance). These priorities are general for the relevant supervisory directorate and complement the individual firm priorities that will have been communicated following the firm’s Periodic Summary Meeting.
The Single Supervisory Mechanism (SSM) of the European Central Bank (ECB) has also published its supervisory priorities for 2024-2026, and which are summarised in this blog: priorities to help banks withstand headwinds.
While there are some differences of detail, there is, as would be expected, a high degree of overlap between the priorities of the two regulators. Simplistically, the priorities of each regulator cover a range of matters but can be divided into three themes: regulatory expectations i) for managing risks arising from the current environment, ii) for improving banks’ governance, management and controls, and iii) for improving capabilities to manage climate change risk.
In general, banks can expect the PRA’s normal supervisory engagement process to consider how these matters are being dealt with, and to seek assurance that their overall governance, risk management and control frameworks are evolving in line with the changing environment, and the PRA’s priorities.
Current environmental risks
The first priority for both regulators is to ensure banks are financially resilient to economic and geopolitical shocks; and that banks can manage effectively their credit risk, counterparty credit risk, interest rate risk, and liquidity and funding risks.
Central banks have been raising interest rates for over a year in response to the high inflation environment, which taken together increase the debt servicing costs of borrowers and leads to heightened credit risk. As reported by Begbies Traynor, more than 47,000 businesses are now near collapse in the UK. Geopolitical risks (Ukraine, the middle east) continue to pose threats to any potential economic recovery – whether through affecting energy costs, disrupting supplier chains or more generally impacting market confidence – and which may feed into asset prices.
Certain asset classes are higher risk, and both regulators highlight the need to monitor commercial real estate exposures and lending to non-bank financial institutions, and that banks’ credit risk management remains robust. The PRA also highlights the need to monitor buy-to-let, credit cards, unsecured personal loans, small to medium-sized enterprises, leveraged lending, as well as other vulnerable sectors.
While banks have so far benefitted from a rising interest rate environment, funding costs have risen, in part as depositors have shifted into interest bearing accounts. Coupled with the withdrawal of Covid funding schemes, banks may find it harder to maintain margin and obtain new funding. In this environment, the PRA expects banks to ensure their Treasury function is robust, and that treasury risk management includes stress tests to assess risks and maintaining realistic contingency plans.
While banks have so far proved resilient to the heightened risk and greater economic uncertainty, a key message of both regulators is the need for bank management to be extra vigilant and to continue to enhance their credit risk and ALM frameworks.
Bank governance, management and controls
The PRA’s objective is that banks are operationally resilient. It is just over a year (by March 2025), until the PRA’s operational resilience expectations (set out in SS1/21), come into effect. The PRA expects “Boards and senior management … to actively oversee the delivery of their firms’ operational resilience programme”. It also highlights an expectation that firms’ have severe but plausible scenarios to test the resilience of important business services, and that these scenarios should include disruption caused by a cyber related event.
A significant area of operational change affecting important business services is the ongoing transformation of IT infrastructure, including the use of cloud outsourcing. The PRA expects “these transformations to be well managed with any execution risks appropriately mitigated”.
The SSM is more explicit about banks’ IT transformation and outsourcing and their deficiencies: while it notes that most banks are making progress it also indicates, “they also need to strengthen and, where needed, adjust their operational resilience frameworks to mitigate potential risks”, that “some banks are falling behind”, and that banks “need to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers and improve their IT security/cyber risk management”. It indicates further reviews in this area, and that it will look to share examples of best practice.
The accuracy and reliability of bank regulatory reporting (Data) remains a key area of PRA focus, as skilled person reviews continue to highlight “deficiencies in controls over data, governance, systems, and production controls”. Similarly, the SSM highlights “…insufficient attention and oversight of management bodies, weaknesses in data architecture and fragmented and non-harmonised IT landscapes, low capacity for aggregating, and ineffective governance frameworks”. This may be an area where the PRA provides more feedback, with a focus on dealing with the root causes of the deficiencies, and where both regulators will likely undertake more work in 2024, including possibly more PRA skilled person reviews.
Last year, the PRA published its “model risk management principles” (SS1/23) for banks with internal model approval, and which come into effect in May 2024. Banks are expected to have assessed their model risk management framework and have remediation plans in place, if necessary. The PRA indicates it will engage “with the accountable Senior Managers Functions”. While the principles apply to banks with model approval, the Supervisory Statement indicates that other banks may nevertheless find them useful.
For International banks, the PRA raises a concern that banks still consider risk management in silos, and that it expects banks to address the issues highlighted in Dear CEO letters on equity financing (2021) and fixed income financing (2023).
Generally, the SSM continues to highlight that some banks have major shortcomings in governance, despite long-standing engagement with their supervisor. In response, the SSM indicates it is prepared to take more severe measures – for example capital add-ons, enforcement and sanctions.
Climate change risk
Both regulators consider that the financial risks due to climate change are growing, but while banks are developing their approaches considerable work remains to improve their capabilities and reporting, and to integrate effectively into business strategy and decision-making, governance and risk management frameworks.
Banks are also at different stages of development, and the SSM considers a number of banks to be severely deficient when it comes to meeting regulatory expectations. In this regard, the SSM appears to be taking a hard line, as it highlights the potential for penalty payments or capital add-ons for those banks that do not meet its expectations.
In 2024, the PRA indicates it will update its expectations in Supervisory Statement 3/19 for managing financial risks from climate change (including providing examples of effective practice).
Summary
The PRA’s main priorities are largely unchanged from 2023, in part reflecting the ongoing economic uncertainty and that many regulatory policies have multi-year implementation periods (eg, operational resilience, model risk management, responding to climate risk). However, some PRA priorities (such as data) have no such excuse and it is to be wondered if the PRA will take more severe action if banks continue to fail to meet expectations, as the SSM has suggested it might do for climate risk.
As the events at Silicon Valley Bank (SVB) and Credit Suisse revealed in early 2023, risks are never far from crystallising. While SVB highlighted new potential risks around the speed at which events could unfold in a digital age, it was also very much a textbook case of traditional banking risks and failings – a failure to recognise and manage interest rate and funding risks due to poor risk management and governance, leading to over concentrations to certain asset classes and funding sources (eg uninsured corporate deposits). If banks can learn from the past and not repeat the same failings, then the regulators may need fewer priorities, and that are not perennial.
Banks also need to be ready for new issues, as highlighted by the FCA’s recent decision to investigate the motor claims finance market. It is too early to say what the cost of redress might be – we will have to wait for the FCA to complete its initial investigation – but early estimates have ranged between around a £1bn and £14bn.
