PRA highlights significant deficiencies in regulatory reporting processes, urging firms to improve governance, controls, and investment in infrastructure.
Regulatory Reporting And Controls: Thematic Findings From The PRA
On 10 September 2021, the Prudential Regulation Authority (PRA) sent an open letter to Chief Executive Officers (CEOs) of banks and building societies, stating that it had found significant deficiencies in many member firms' processes, which impacted their ability to deliver accurate returns. All member firms are required to prepare their regulatory returns with the same care and diligence applied to financial reporting. The letter stated that some member firms had not met the PRA's expectations and needed to improve the governance and controls associated with regulatory reporting processes.
Regulatory Reporting Thematic Findings
Companies regulated by the PRA must deliver accurate and reliable regulatory returns. The Bank of England's PRA sent a letter on this specific matter to banks and building societies in 2019, stating their renewed focus on regulatory reporting as an industry body. However, in the three years between 2019 and September 2021, the PRA found shortfalls in several firms' reporting processes. The PRA identified that the reliability of regulatory reporting was impacted by a historical lack of investment and focus in governance, resulting in inadequate controls and a lack of process ownership.
The PRA's letter highlights that part of the problem with delivering accurate and reliable regulatory returns is that organisations often prioritise tactical fixes rather than strategically investing in adequate infrastructure to support operational processes. Furthermore, the PRA detected a high degree of manual intervention associated with the regulatory process, which increases the risk of potential errors in the reporting process. Through our work with financial services clients, Workscope has also identified that when firms take a band-aid approach to governance and control, the root cause of the operational problems never gets addressed, and operational risks can compound.
The PRA voiced their expectations for firms to fix their issues, ensuring compliance in the future with the regulatory reporting requirements. If firms do not deliver accurate reporting, the PRA will consider enforcing stricter measures and the supervisory responses they have at their disposal. Firms will be given a transition period to improve their reporting processes, and during this time, they should strategically invest in these areas to address the weaknesses within their operations.
The EUC Challenges Associated With Regulatory Reporting
Regulatory reporting often depends on end-user computing applications (EUCs), such as spreadsheets. EUCs bring a high degree of manual intervention, which results in errors if governance and controls are inadequate.
The PRA's letter highlights that many firms had not formally registered their EUCs and had no programme for the ongoing review of the underlying logic.
Workscope works with financial services organisations and often sees situations where organisations have only partial visibility over their EUC inventory. This partial visibility arises because organisations rely on legacy approaches such as manual surveys or periodic discovery scans. These methods are time-consuming and often inaccurate.
Three Critical Areas of Concern Raised by the PRA
Governance And Ownership
The PRA suggested senior managers need more ownership and accountability over the financial and reporting process. The complexity and fragmentation of reporting processes have led to a situation where reliance is placed on teams with little oversight. Senior managers often lack insight and understanding of the entire process. Senior managers must have overall visibility over front-to-back and cross-functional processes to ensure accurate and reliable regulatory returns.
Controls
The PRA requires that all firms have an effective and robust control framework for completing regulatory returns. They also require that all operating models are audited and documented, with sufficient controls at every stage.
The PRA found several gaps in the end-to-end processes for regulatory reporting, especially around insufficient controls for models and the lack of reconciliation checks for errors. The problem was exacerbated by the high amount of manual intervention in EUCs and spreadsheets.
Some of the problems highlighted included:
- Poor record-keeping of original model documentation
- Lack of controls around the use of spreadsheets
- Poor documentation and insufficient register of EUCs
- Unsatisfactory reconciliation disciplines
Data and Investment
The PRA pointed out that many problems with regulatory reporting arise from a lack of investment in strategic reporting solutions. Firms are overly reliant on manual intervention and tactical workarounds, which can cause data errors and misstatements.
However, firms that invested in proper systems and had more efficient data infrastructure experienced better outcomes such as less manual intervention and far fewer errors. The result was an effective and efficient use of data in the long term.
Next Steps For PRA Member Firms
It's clear that the quality of regulatory reporting has come under scrutiny and will remain a key focus area of the PRA in the future. The PRA plans to follow up on their findings. Where organisations fall short, the PRA will consider using the range of supervisory responses and enforcement powers at their disposal.
Conclusion
The PRA protects the integrity of over 1500 major financial companies in the UK. The PRA found that some firms were not meeting the operational resilience standards expected for regulatory reporting in the last three years. More work needs to be done, and the PRA will take action when regulated firms continue to fall short. Workscope believes that technology is part of the solution, especially when managing spreadsheets and EUCs.