Credit Suisse faces record £87 million fine for Archegos-related failures
Credit Suisse International (CSI) and Credit Suisse Securities (Europe) Ltd (CSSEL) have been fined £87 million by the Prudential Regulation Authority (PRA) for significant failures in risk management and governance during the period of 1st January 2020 to 31st March 2021. The failures are linked to the firms’ exposures to Archegos Capital Management, resulting in the largest-ever fine imposed by the PRA.
The PRA’s enforcement investigation revealed breaches of four PRA Fundamental Rules, a rare occurrence in such cases. As part of a coordinated global resolution, the Swiss Financial Market Supervisory Authority (FINMA) and the Federal Reserve Board also imposed penalties, bringing the combined fines to more than $387.5 million.
The root cause of the fine stems from Credit Suisse’s provision of prime brokerage services and the use of equity total return swaps (TRS) with Archegos, with all TRS positions booked into the UK firms through other entities within the Credit Suisse group. When Archegos defaulted in March 2021, the firms suffered around US$5.1 billion in losses, inflicting significant financial and reputational damage. As a consequence, Credit Suisse was eventually acquired by UBS Group AG in 2023.
The investigation found that the firm’s risk management practices fell significantly below regulatory standards, indicating an unsound risk culture within the business line. The failure to appropriately balance risk considerations against commercial rewards led to the inability to address the risks stemming from Archegos’ portfolio. Additionally, a lack of clarity in responsibilities and inadequate responses to limit breaches exacerbated the situation. Notably, the firms failed to learn from past similar experiences and neglected concerns previously raised by the PRA.
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, emphasized the severity of the situation, stating that Credit Suisse’s risk management failures posed a major threat to the safety and soundness of the firm.
The breaches involved violations of Fundamental Rules 2, 3, 5, and 6 of the PRA Rulebook. Fundamental Rule 2 necessitates firms to conduct their business with due skill, care, and diligence, while Fundamental Rule 3 demands prudent conduct. Fundamental Rule 5 requires effective risk strategies and management systems, and Fundamental Rule 6 mandates responsible and effective organization and control of affairs.
In response to the situation, Credit Suisse agreed to resolve the matter, qualifying for a 30% reduction in the PRA-imposed fine. Without this discount, the fine would have reached £124.4 million.
The case has significant compliance implications, underlining the critical importance of robust risk management frameworks and governance for financial institutions. It highlights the need for firms to align their risk management with their risk appetite and cultivate a sound risk culture. Regular review of risk management frameworks to identify and mitigate risks, as well as learning from past mistakes, is also crucial in maintaining compliance with regulatory standards.
OCC publishes cybersecurity report
The Office of the Comptroller of the Currency (OCC) has published its Cybersecurity and Financial System Resilience Report which outlines the OCC’s actions to address operational resilience and cybersecurity risks, including the development of regulations, guidance, and examination manuals to communicate supervisory expectations. It also discusses how banks are implementing risk management practices to safeguard against emerging threats and highlights the OCC’s internal cybersecurity policies to protect sensitive information and assets.
The executive summary of the report emphasizes the OCC’s commitment to effective oversight and supervision of the federal banking system through collaboration with domestic and international regulatory partners, as well as industry stakeholders.
ECB consultation on risk data aggregation
The European Central Bank (ECB) has launched a public consultation on its Guide on effective risk data aggregation and risk reporting. The Guide aims to help banks strengthen their risk data capabilities by outlining prerequisites for effective risk data aggregation and reporting. It is designed to specify and reinforce supervisory expectations in this area, building on good practices observed in the industry and considering the Basel Committee on Banking Supervision’s principles.
Banks are expected to improve their risk data aggregation frameworks, as adequate capabilities in this area are still rare. The Guide highlights seven key areas for robust governance and effective processes, including the responsibility of a bank’s management body, data governance framework scope, key roles and responsibilities, group-wide integrated data architecture, data quality controls, timeliness of internal risk reporting, and implementation programs.
Effective risk data aggregation and reporting are crucial for banks’ sound decision-making and risk governance. The capabilities and practices identified in the Guide will help banks better manage risk concentrations, whether they are credit, market, or third-party related, based on quality data. This is vital for effective risk management during crisis situations, as demonstrated during the 2008 financial crisis and more recently during the COVID-19 pandemic.
The consultation period for the Guide ends on 6th October 2023.
A selected summary of key developments for regulated financial institutions
Access all of our daily regulatory content by using the login button below.
To find out more about how CUBE can help your business click here.