PRA ‘disappointed’ by deficiencies in firms’ regulatory reporting

The Prudential Regulation Authority (PRA) – part of the Bank of England (BOE) – has issued a Dear CEO letter, outlining its expectations that banks and building societies complete timely and accurate regulatory returns. In messaging that broadly echoes a similar letter issued in October 2019, the PRA has said that it expects “all firms to submit reliable and accurate regulatory returns and for the regulatory reporting process to receive no less rigour than financial reporting.”

s.166 Reviews

Since the PRA issued their initial letter in 2019, it has commissioned a number of skilled persons to undertake reviews under Section 166 of the Financial Services and Markets Act 2000 (FSMA). The reviews provided a clarifying lens on key topics, including:

Governance arrangements
Systems and controls around the production of the returns
The schedule of key interpretations
The accuracy of reporting returns

As well as this, the PRA has asked a number of firms to demonstrate how they deliver regulatory reporting of an appropriate quality, noting that “the integrity of regulatory reporting is essential for us to advance our primary objective to promote the safety and soundness of PRA-authorised firms”.

PRA “disappointed” with results of review

Following these reviews, the PRA notes that it is “disappointed to find significant deficiencies in a number of firms’ processes” used to deliver accurate and reliable regulatory returns. In particular, the PRA was disappointed that financial institutions apparently do not apply the same level of care and diligence in their regulatory returns as they do to other financial reports to be shared with the market and their peers.

While many firms have gone to great lengths to improve or enhance their regulatory reporting processes, it is clear that the PRA expects firms to go further. In particular, it has found failures in:

1. Governance and ownership

In some firms, the responsibility for regulatory reporting had been spread across teams and individuals.
This was made worse in firms that also had fragmented or complex end-end processes, which led to poor understanding of both documentation and processes.
The PRA also found instances of poor governance around key regulatory interpretations, especially around essential elements such as basic documentation, periodic reviews and sign offs.

In response to these findings, the PRA notes that senior accountability and ownership is fundamental to the production and integrity of a firm’s regulatory reporting and financial reporting. With that in mind, the relevant senior manager should have overall oversight of the effectiveness and processes to ensure the delivery of accurate and reliable regulatory returns. Moreover, it expects responsibilities to be clear for all individuals.

2. Controls

The PRA found a number of gaps in end-end processes for regulatory reporting, especially around insufficient controls for models and in lack of reconciliation checks for errors.
This was made worse by a “high degree of manual intervention in the end processes” for regulatory returns.
Many firms used spreadsheets in their regulatory reporting process, which carry an “inherent risk of error because of their vulnerability to over-writing”. Firms that used spreadsheets often failed to have a sufficiently robust control environment in place for the purpose of generating reliable and accurate returns.

The PRA expects that firms’ governance arrangements for regulatory returns are supported and bolstered by an effective and robust control framework. Operating models should be clearly audited and documented, with effective controls at every stage.

3. Data and investment

The PRA’s review found that firms have not generally prioritised investment in regulatory reporting, which means there is a reduced capacity and capability when compared alongside financial reporting.
This lack of investment often leads to “outdated reporting system infrastructure” and the need for “manual intervention to fill data and system gaps”.

It notes that those firms that had effectively invested in systems and data had a far more efficient infrastructure, which required less manual intervention and fewer errors – leading to better outcomes and more effective and efficient use of data in the long term.

CUBE comment

The PRA is rightly “disappointed” with the standard of regulatory reporting produced by many of the reviewed firms. This Dear CEO letter would suggest that, despite issuing a similar letter in 2019, there has been little investment or effort made to improve the state of regulatory reporting across the industry.

The PRA, I would assume, would purport to be tech agnostic. As many financial regulators often suggest, they do not care if a financial institution is using technology or not – as long as they are doing the job well. The interesting point about this recent Dear CEO letter is that there is a distinct sense of disdain for firms that are relying on “manual intervention” or “outdated reporting system infrastructure” in order to complete their regulatory reporting.

I suppose this disdain is warranted, in a number of ways. Can there be anything more frustrating as a financial regulator, than to see firms continually doing a bad job – when the technology and infrastructure exists to enable firms to do a good job. And not only a good job – a job that would also save the firm time, money and potentially funds spent on regulatory fines when things go wrong.

The PRA has said it will “consider the full range of supervisory responses and enforcement powers” at its disposal – i.e. it will not be soft on those who fail to improve the standards they apply to regulatory reporting.

Firms that have been subject to the PRA’s reviews will undoubtedly be scrambling to put in an effective regulatory reporting framework, now they know that their current systems are “outdated” or “fragmented”. For firms that have not yet faced review, it may well be wise to heed the message of the letter and assess their current regulatory reporting processes. Let’s hope the PRA won’t need to publish a third Dear CEO in 2023.

CUBE automates regulatory reporting for audit to give assurance to those who need it, when they need it.

Request a demo