Banking - Q2 2022
SS3/18
Principle 1 – Banks have an established definition of a model and maintain a model inventory.
What management should consider:
- Is there clarity on the difference between a model and a key spreadsheet?
- Is there an inventory for models?
- Are there any criteria to distinguish between complex and non-complex models?
Principle 2 – Banks have implemented an effective governance framework, policies, procedures and controls to manage their model risk.
What management should consider:
- Is there a complete view of constituents of the Bank’s Model Risk Management (MRM) “ecosystem”? This should include risks, controls, residual risk, risk appetite; coupled with governance and assurance.
- Are there policies, procedures and enterprise-wide guidance for the maintenance and operation of each model?
Principle 3 – Banks have implemented a robust model development and implementation process and ensure appropriate use of models.
What management should consider:
- What is the Bank’s approach to model development and deployment? The approach should cover “when”, “why”, “who” and “how” in the context of development, and separately, deployment of models.
Principle 4 – Banks undertake appropriate model validation and independent review activities to ensure sound model performance and greater understanding of model uncertainties.
What management should consider:
- What is the nature, extent and frequency of 2nd/3rd line oversight of the MRM ecosystem? How are action points monitored and reported?
- What are the review triggers? How are they monitored and reported?
- Are the reviewers appropriately skilled?
CP6/22
The key points from the CP are as follows:
1. The PRA is aiming for a proportionate implementation within firms and across firms, especially those who might qualify as a ‘simpler-regime’ firm (see further below for the PRA’s proposed definition of a “simpler-regime firm”).
What management should consider: Firms should review the PRA’s proposed definition of simpler-regime firms (further below) and consider whether they might fall within that perimeter. Separate to that, firms should consider the complexity of their business, and the number and nature of their models, and reach a judgement on the overall quantum of risk that their MRM ecosystem carries. The burden of regulatory requirements can be expected to resonate with this assessment.
However, where firms have reasonably upheld the 4 principles laid out by SS3/18 in the context of managing their MRM ecosystem, they should find themselves in a strong position to demonstrate compliance with any future legislation on model risk.
2. The PRA proposes that firms should ensure that the responsibility for the overall MRM ecosystem rests with the most appropriate Senior Management Function (SMF) holder; and that there is adequate SMF involvement across all constituents of the said ecosystem. This is in the same vein as Principle 2 of SS3/18.
What management should consider: It is typical for the CRO to be the nominated SMF for Model Risk, but there are instances where the responsibility is either borne or shared by the CFO.
SMF responsibilities should ensure that key stakeholders in the context of model risk are identified, and they are aware what is expected from them. It is often the case that critical responsibilities are delegated to further down the hierarchy, and historically, the PRA hasn’t taken kindly to this (e.g. in the context of regulatory reporting). The SMF holder should therefore ensure that adequate monitoring and reporting mechanisms are in place, and that they personally review and follow-up on matters of heightened significance.
3. The PRA is proposing that firms report on the effectiveness of their MRM for the purposes of financial reporting, to the audit committee. This is an unusual proposition from the PRA as financial reporting is beyond their regulatory remit. But by taking this stance, it is perhaps a recognition on their part that whilst financial reporting matters are generally overseen by an independent (audit) committee, there is no equivalent committee oversight for regulatory reporting. It would therefore be unsurprising if future policy initiatives head towards that way. But for the moment, by recommending audit committee oversight, the PRA would expect to draw more comfort on model outputs as a result of the additional scrutiny that this move would bring. This is not unexpected given the PRA’s vociferous misgivings about post-model adjustments.
The CP outlines five MRM principles:
- Principle 1 – Model identification and model risk classification
- Principle 2 – Governance
- Principle 3 – Model development, implementation and use
- Principle 4 – Independent model validation
- Principle 5 – Model risk mitigants
What management should consider: Firms should reasonably define a set of indicators or metrics that can be measured and monitored to support each of the above 5 principles. Best practice could be to obtain audit committee approval on these metrics, together with a plan for 2nd and/or 3rd line assurance activities (per Principle 4 of SS3/18). Along with regulatory reporting, MRM is likely to be at the top of the PRA’s agenda; and firms should take steps now.
The PRA would require firms to have undertaken a self-assessment, and produce remediation plan for gaps in their MRM ecosystem in line with the final supervisory statement onmodel risk which will most likely be published in Q1 2022, within 12 months of its publication.
Model Risk - PRA Business Plan for 2022/23
On 20 April, the Prudential Regulation Authority (PRA) published their Business Plan for 2022/23. It details their strategic priorities, identifies areas that the PRA will aim to develop to reflect the changing regulatory landscape, and develops a workplan for the coming year.
What management should consider: The table below sets out pointers to help regulated firms consolidate their horizon scanning activities in light of the regulator’s Business Plan. It is crucial that they are aware of and understand how these strategic priorities and the proposed actions will impact their business. They need to consider steps that ought to be taken.
Financial resilience of banks
Basel 3.1 | Banks should be aware that during 2022, the PRA will consult on the implementation of Basel 3.1 which will make significant changes to the way banks calculate their risk weighted assets (RWAs). Although this is speculative at this stage, Sam Woods may have hinted on some reforms in his latest speech, which we have summarised here. Banks should maintain appropriate regulatory horizon scanning capabilities, and have sufficient capacity in their regulatory compliance and risk teams to implement forthcoming changes. |
Leverage ratio | Banks need to be aware of how/if proposed changes to the leverage ratio requirements will impact their business. From 1 January 2023, the scope of the minimum leverage ratio requirement will extend to:
Banks outside of the current and proposed change to the minimum leverage ratio requirement should be aware that as of 1 January 2022, the PRA have introduced a supervisory expectation that firms falling outside of the scope of the leverage ratio requirement should manage risk in a way that prevents their leverage ratios from falling below 3.25%. This generally means that an appropriate risk appetite statement on leverage ratio should be set, together with supporting controls on the matter. |
Internal models | Banks should remain aware of the PRA’s plans to publish a supervisory statement (SS) in 2022 that will tie together all PRA expectations, rules, and requirements on model governance, model validation and general model risk management. Banks should ensure they have adequate capacity to update the governance and controls of internal models, as necessary. |
Governance and Risk management
Governance and Risk management | Banks and insurers should maintain awareness of potential changes regarding risk management, governance and culture. In particular, banks and insurers should ensure their regulatory horizon scanning focuses on plans made by the PRA to use senior accountability and prudent incentive setting to improve regulatory outcomes. Our advice is for firms to review their governance arrangements using a three-pronged approach pivoted on: 1) Senior management influence 2) Embeddedness of governance arrangements in BAU 3) Effectiveness of such arrangements There are a number of PSM letters from last year where the PRA has identified governance and risk management as either a key risk or a significant risk, which highlights the importance of this subject in the regulatory context. |
Regulatory reporting | The PRA will continue to focus on accurate, complete, and timely regulatory reporting as a key priority during 2022/23. Banks and insurers should ensure that their regulatory reporting policies are robust and comprehensive and are aligned to the ‘Dear CEO Letter, 10 September 2021’ and the ‘Dear CEO letter, 31 October 2019’. |
Diversity and Inclusion | Banks and insurers should be considering and including diversity and inclusion as an important part of corporate culture, and the way they manage their risk in line with the PRA. Banks and insurers should maintain awareness of proposals by the PRA designed to support diversity and inclusion. We recently shared out thoughts on this matter in our most recent quarterly newsletter, |
Smaller, non-systemic banks and building societies
Smaller, non-systemic banks and building societies that are not internationally active and provide standard lending or deposit banking products to UK customers should maintain awareness of the development of a ‘simpler regime’ and simpler prudential framework by the PRA.
The PRA has begun working on policy options for the ‘Strong and Simple’ regime, and the PRA has published a Consultation Paper in Q2 2022 (more on that below), which such banks and building societies should maintain awareness of.
We have also published a number of speculative articles on what this might entail, see below:
- PRA’s strong and simple regime: What might the future hold?
- Regulated firms: a matter of life and death
- Unpicking the Basel Bufferati
Ease of entry and exit
Banks and insurers should remain aware of potential changes as the PRA is reviewing approaches to wind-down and run-off planning and building this into the core supervisory activities and tools.
They should also be mindful of the fact that the PRA is reviewing whether to reform any aspects of the protection framework offered by the Financial Services Compensation Scheme (FSCS) during insolvency.
Digitalisation
Third party service providers and Cyber risk | Banks and insurers should remain aware of publications regarding digitalisation, with the PRA having particular focus on systemic risks stemming from concentrations of third-party services provision to firms as well as exposure to cyber risk. See the latest version of the PRA’s CBEST Threat Intelligence-Led Assessments Implementation Guide here. Regulated firms should take a proactive approach in ensuring that their risk management frameworks adequately capture third party risk and cyber risk. There should be room for a read-across on this matter with new operational risk rules. |
Financial inclusion | Banks and insurers must ensure that they assess the governance and controls with their practices such that discriminatory practices can be prevented, particularly where complex non-linear and machine-learning models are involved. Regulated firms should also maintain awareness of reports or supervisory statements on financial inclusion, as this is a key area of focus for the PRA. See this discussion paper which will be used to inform the PRA’s approach: DP2/21 – Diversity and inclusion in the financial sector – working together to drive change |
Discussion paper on liquidity
The Bank of England published a Discussion paper on Liquidity on the last day of Q1, presenting their concerns centred around banks’ reluctance to draw on their HQLA during times of stress. They identify a number of reasons for this – including the potential for regulatory action and market reaction to a dropping (or low) LCR. It was pleasing to see the PRA re-iterated what we have always known, that it is absolutely acceptable for a bank to have a LCR of less than 100% during a time of stress, as long as there is a credible action plan to build liquidity reserves back up. Although the PRA largely cites larger banks’ unwillingness to bear a drop in LCR due to their disclosure of spot (as opposed to averaged) positions of that metric; we have observed that smaller banks are much more conscious about breaching regulatory requirements than larger counterparts. Some smaller banks’ LCRs go beyond 400%. There is indeed a question about what kind of policy will enable smaller banks to be more confident about HQLA utilisation not only during stress but also in BAU; and the question perhaps extends to how effectively the PRA might be delivering its secondary statutory objective on competition.
What management should consider:It is important to take note of the fact that it is entirely reasonable for LCR to drop below regulatory minima, as long as there is a robust plan to replenish liquidity. The opportunity to feed into the discussion is now closed, but banks should expect a subsequent consultation paper in Q4 this year.
Thematic review of Wind down planning
The FCA published its thematic review on Wind-down planning (WDP) in April 2022. In summary, the review found that: (a) firms need to do more – such as, testing the outcomes of their wind down planning – to ensure that the plan is credible and operable; and (b) draw a clearer link between liquidity needs during wind-down to financial resources adequacy and the critical elements of firms’ RMF
What management should consider: In our view, the best way that points (a) and (b) could be honoured is by ensuring that firms’ 2nd and/or 3rd line of defence test the credibility, operability and the interaction of their WDP with their enterprise-wide RMF, at some point prior to the end of 2022. Some of the key scope points could include:
- Are all financial and non-financial risks linked to wind-down captured in the assessment?
- Have these risks been “quantified” prudently, and on the basis of historic trends (e.g. attrition rates), effectiveness of in-situ controls (e.g. preventive controls in the context of a cyber attack or financial crime), and future growth?
- How quickly can the implementation of the WDP follow the activation of the wind-down trigger? Factors to consider include time taken to: operationalise the wind-down steering group, put reporting packs in place and implement wind-down actions. Some key questions are: can processes and decisions around redundancies and retentions be expedited in a period of low morale and resource leakages; will there still be adequate group support, and what are the ramifications if there isn’t?
- How does management assess the consistency of wind-down indicators with firms’ actual and projected growth, and their risk appetite? For example, are wind-down indicators refreshed in line with the firm’s growth (which inevitably alters firms’ risk appetite)
PRA’s strong and simple regime
The PRA published a Consultation paper on the definition of a “simpler regime firm”. The regulator has proposed the following criteria and thresholds for firms to determine whether they might fall within this category. Whilst the specific rules that will apply to simpler-regime firms are still unclear; it is highly likely that the majority of the UK CRR’s positions may not apply to them.
Criteria | Proposed Thresholds |
Size | Total assets ≤ £15 billion, calculated using a three-year average; based on FINREP definition of total assets |
Trading Activity | - Trading book business ≤ 5% of total assets and ≤ £44 million. - Overall net foreign exchange position ≤ 2% of own funds. - No commodities positions. |
IRB | No IRB approvals, but a firm could develop and submit an IRB application while remaining a simpler regime firm. |
Clearing and Settlement | No provision of clearing, settlement, custody or correspondent banking services to another bank or building society; and, does not operate a payment system |
Domestic Activity | ≥ 85% of the firm’s credit exposures must be to obligors located in the UK; based on the COREP data used to determine Countercyclical Capital Buffer |
Level of Application | A firm, the consolidation group, and all firms in the group, need to meet the criteria; and firms that are part of foreign groups need to apply for a waiver or modification. |
What management should consider: This exemption could only be relevant for Category 4 and 5 firms, and a small handful of Category 2 and 3 firms. The two main things to consider are (a) data and (b) plans for future growth. Smaller firms are least mature in terms of regulatory reporting data, and the above elements would be absolutely critical in helping determine their classification. Management should therefore ensure that their internal and regulatory reporting data strategy is robust, and effectively implemented.
In the same vein, if the firm is planning to expand rapidly in the future, meaning that they may breach some of the proposed criteria, they might have to deal with two sets of regulatory change. In such cases, it might be best for the firm to ask for an exemption from the simpler regime and continue under the full UK CRR.
Firms should respond to the consultation by 22 July 2022.
Trading Activity Wind-down
The PRA also published its Policy statement on Trading Activity wind-down. Affected firms must comply with the new regulations from 3 March 2025. We have shared their thoughts on the matter in previous quarterly newsletters whilst the policy was still in its consultation phase. We will be publishing a full article on this policy in Q3 2022. Please follow us on Linkedin and keep an eye on our regulatory insights page for further updates.