On 31st October, the PRA published a Dear CEO letter to remind banks, building societies and designated investment firms that they are required to submit complete, timely and accurate regulatory returns. The fact that the PRA has seen the need to issue a reminder about such a core regulatory obligation reflects its concern about errors in regulatory reporting (both public and identified by the PRA in the course of its supervision) and what it sees as the need for appropriate investment in both data quality and processes to ensure the accuracy and completeness of reporting.
In this blog we consider how firms have been addressing regulatory reporting challenges to date, identify key areas of focus for Senior Managers, Boards and Audit Committees and provide our view on how firms might respond to the letter and how we can assist.
This is the latest in a series of PRA and FCA Dear CEO/CFO letters highlighting concerns over the quality of reporting, dating back to 2016 when the PRA initiated a cross-firm review. The tone and language of the letter clearly indicate that the PRA believes that firms still have a lot more to do in this area.
The PRA refers both to matters which may have built up over time, such as the hard coding of regulatory interpretations into systems, and also procedures and controls for newly introduced returns such as the PRA110 Cashflow mismatch template.
It reiterates that “the production of a firm’s financial information and its regulatory reporting is a prescribed responsibility [under the Senior Managers and Certification Regime]”, and that, in addition, Executives and Boards should take action as necessary to ensure the integrity of regulatory reporting, including:
- regular, comprehensive reviews of the effectiveness of the governance, controls and other processes around regulatory returns to ensure they are fit for purpose;
- deep dives to look at the accuracy of the regulatory returns; and
- ongoing identification and validation of key interpretations and judgements.
Industry activity in this area
We have seen Boards and Audit Committees renew their focus on regulatory capital and other ratios in the past year, against the backdrop of increased accountability under SMCR, enhanced Pillar 3 disclosure and Risk Data standards for significant firms.
We are also seeing that Senior Managers holding the prescribed responsibility for regulatory reporting are questioning how they can articulate clearly that they take reasonable steps to meet their responsibility, in particular relating to the firm’s upstream processes and systems that provide the data used to generate reports.
This has resulted in increased focus on Regulatory Reporting Assurance (either internally- or externally‑sourced) as the relevant Senior Managers look to ensure that the regulatory information they provide to regulators, and which is also relied on by investors and analysts, is complete and accurate.
Firms are continuing to develop enhanced assurance frameworks for oversight of regulatory reporting and disclosures, including documentation and testing of controls over the end-to-end regulatory reporting framework, and independent review and challenge of regulatory rule interpretations and calculations.
Firms may also decide to use the guidance issued by the ICAEW in May 2017 (Technical Release TECH 03/17/FSF: Banking Regulatory Ratios: ICAEW Assurance Framework) as a set of overarching principles to enhance their existing assurance and control frameworks further.
In the medium term, the Brydon review into the Quality and Effectiveness of Audit is looking into the scope of external audit, and how it can better serve the public interest. This may include consideration of whether the audit scope should be extended to include information which is currently presented in the Financial Statements but not subject to audit, such as bank capital ratios.
How might firms respond to the letter?
In our view the PRA is putting firms and the relevant Senior Managers on notice that they need to satisfy themselves once and for all that their regulatory reporting is accurate. If the PRA has concerns then it will “consider the full range of supervisory responses”. In view of this, we believe that firms should consider four key areas:
First, firms should review or refresh their documentation around regulatory interpretations and judgements, with an eye to whether it would stand up to challenge, and provides a sufficiently clear audit trail around governance and traceability to the calculation and reporting engines. This is an area in which we have already been working with a number of market participants, and is a key focus area in the letter.
Second, firms should review the status of their implementation of the PRA110, and consider what actions could improve the maturity of the processes used to generate this newly introduced return. In particular, it is valuable to review the alignment of various liquidity returns (the PRA110, LCR and FSA047/48 together with internal liquidity MI) to ensure that they all paint a consistent picture of the firm’s liquidity position, as any unexplained differences can point to issues with the returns.
Third, firms – and relevant Senior Managers in particular – should consider how they can evidence that they are taking reasonable steps to discharge their responsibilities in relation to the data used in regulatory reporting. This might include reviewing the model for engagement between regulatory reporting, the firm’s Data Office, and the Front Office on this matter. In our view, the PRA’s reference to the integrity of data indicates they do not believe it is appropriate for the regulatory reporting function to be relying on upstream data without considering its suitability. For example, even though data may be coming from an “audited system”, some of the data attributes used in regulatory reporting may not themselves have been subject to audit.
Fourth, larger firms in particular might consider their readiness for one of the potential skilled person’s reports that the PRA indicates it intends to commission. This comes at a time of major change in the underlying calculation of Risk Weighted Assets for many firms (for example, the introduction of hybrid models for residential mortgages under the IRB approach, preparation for CRR2 and proposed future changes such as the revised Standardised Approach). Therefore, some up-front preparation might help alleviate some of the pressure that a request for a skilled person’s report inevitably entails.
Key areas of focus for relevant Senior Managers, Boards and Audit Committees
In our experience, the questions that relevant Senior Managers, Boards and Audit Committees are considering in designing and embedding an assurance framework for regulatory reporting include:
- How do the Terms of Reference for the Audit Committee, Risk Committee, Board and other relevant senior management forums incorporate the oversight of regulatory reporting?
- How do the relevant governance forums review and challenge key SME judgements and interpretations around regulatory reporting assumptions and outputs?
- Has ownership been documented for each component of regulatory reporting at a sufficiently granular level?
- Has the firm documented processes and key controls over the end-to-end regulatory reporting process, and are all key controls evidenced and tested?
- Is a regular cycle of risk-based independent controls testing in place within first, second and third line of defence as appropriate?
Regulatory rule interpretations
- How does the firm identify and ensure compliance with the complete universe of applicable regulatory rules on a line by line basis?
- What is the governance process for key regulatory rule interpretations, judgments and assumptions and what is the consistency of application across different businesses, divisions and countries?
IT and Data
- Has a detailed analysis been undertaken of the IT systems architecture, and IT/data controls over the quality of the data / inputs / models used in calculation and reporting, as well as the production and sign off processes to ensure that they are fit for purpose?
- Is a regular reconciliation and sign-off process in place for all material regulatory data inputs?
Output and calculations
- Does senior management review and challenge regular MI on summary metrics (including variance analysis) reported in COREP and other regulatory returns, as well as qualitative data on controls and data quality attestations?
- Are robust processes in place around the application of manual adjustments / overrides, with a clear justification for application and remediation plans as applicable?
How can Deloitte help?
Our team has a wealth of experience in supporting clients in the Banking and Capital Markets sector both in strengthening the quality and accuracy of regulatory reporting and also enhancing their internal regulatory reporting control and assurance frameworks.
As a result of work we have been completing, we have developed a methodology for conducting a prioritised readiness assessment (“a regulatory reporting health-check”) that could help you prepare for a potential review, prioritising areas that have the biggest impact on key regulatory measures.
In addition to the specific areas of recent activity mentioned above, our core propositions include:
- design and implementation of target operating model for regulatory reporting frameworks and controls;
- independent review, assurance and benchmarking of capital, liquidity and other regulatory ratio calculations;
- review of regulatory reporting frameworks, processes and controls; and
- co-sourced or outsourced support to Internal Audit functions providing assurance on regulatory calculations, reporting and disclosures.