
8 Prudential Regulation

From: Financial Services Regulation in Practice

Simon Morris

From: Oxford Legal Research Library (http://olrl.ouplaw.com). (c) Oxford University Press, 2023. All Rights Reserved. Subscriber: null; date: 07 June 2023

Subject(s):
Bank supervision — Investment business — Prudential regulation

(p. 279) Prudential Regulation

I.  Introduction

8.01  This chapter reviews the operation of the main elements of the PRA’s and the FCA’s prudential regulation. Prudential regulation covers a broad range of topics—culture, systems, governance, and risk management as well as capital resources. We additionally review in this chapter three recent developments, which are the operation of macroprudential regulatory change through the agency of the FPC, the recovery and resolution regime for banks and major securities houses introduced by the Banking Act 2009 and now amended to reflect the requirements of the Banking Recovery and Resolution Directive, and lastly the UK’s requirement for banks to ring fence their retail and other core services. This chapter examines in turn:

  1. a.  the regulators’ prudential policy (section II);

  2. b.  the requirements for culture, integrity, and to cooperate with the regulator, including consideration of PRIN 1 and 11 and FR 1 and 8 (section III);

  3. c.  the requirement for a firm to have adequate systems and controls, including consideration of SYSC, PRIN 2 and 3 and FR 2 to 5 (section IV);

  4. d.  the requirement for a firm to have adequate governance and risk management systems, including consideration of PRIN 2 and 3 in this context (section V);

  5. (p. 280) e.  the requirement for a firm to maintain adequate capital, including review of the FCA and PRA capital rules (section VI);

  6. f.  the operation of the recovery and resolution regime for certain firms (section VII);

  7. g.  the requirement for banks to separate their wholesale and retail activities, known as ring fencing (section VIII).

II.  The Regulators’ Prudential Policy

8.02  The PRA is the prudential regulator of banks, insurers, and designated investment firms. The objective of its prudential policy is that the firms it regulates conduct their businesses consistently with safety and soundness and, for insurers, with a view to appropriate policyholder protection. The PRA recognises that this is likely to require firms to act more prudently than they might otherwise choose, and that countering the tendency to impose more risk on customers or policyholders, and hence on the stability of the financial system, than is in the public interest is the primary role of a prudential regulator. Principal elements of the PRA’s approach are to require a firm’s board and management to assume the responsibility of managing it prudently, embedding a culture that supports their prudent management, and additionally to require a firm to:

  1. a.  manage risk effectively with robust frameworks for risk management and financial and operational control overseen by independent functions;

  2. b.  maintain appropriate capital resources in terms of quantity and quality, consistent with safety and soundness and taking into account the risks to which it is exposed or the protection of policyholders;

  3. c.  ensure it can meet its liabilities with sufficient confidence and maintain adequate liquidity;

  4. d.  be in a position so that its failure is orderly and any critical economic functions that it performs can be protected or wound down to minimise disruption, and that an insurer can exit the market in an orderly manner.1

8.03  The FCA is the prudential regulator for the 24,000 UK firms that are not authorised by the PRA, plus some 50,000 consumer credit firms, and they are subject to the sector-specific prudential rules contained in the Handbook and listed in section 8.36 onwards. The FCA’s prudential policy is to manage failure when it happens rather than seeking to reduce its probability because isolated failures of FCA-regulated firms will, other than for a small number of prudentially critical firms, rarely present a risk to the integrity of the financial system. Its focus is on ensuring that client assets are protected and that a firm can be run down without adversely affecting customers.2 The FCA explains that its prudential assessments go beyond quantitative analysis of firms’ financial resources and consider systems and controls, governance arrangements, and risk management capabilities including the risk of misconduct. Its role is not to prevent firms from failing but to minimise effects on customers, counterparties, or market (p. 281) stability. The FCA takes a risk based approach prioritising its attention on firms which would have the greatest impact on consumers and markets if they were to fail. For these P1 and P2 firms (see section 11.15), the FCA takes a proactive approach to supervision. It carries out baseline monitoring of returns to identify rule breaches or proximity to breaches, emerging risks, and notable changes to the financial position or other signs of strain. It performs a Supervisory Review and Examination Process (SREP) on regular cycles to determine the appropriate level of capital and liquidity that the firm should hold, based on the risks posed by its business model, starting with an examination of the firm’s written submission (the Internal Capital Adequacy Assessment Process (ICAAP)). 
The FCA is especially concerned with operational risk, which represents the single largest risk class for most of its solo-regulated firms, and the FCA reviews systems and controls and IT vulnerabilities such as cybercrime. The FCA also conducts specialist visits on market and credit counterparty risk controls, and prudent valuation frameworks, and seeks to ensure that a firm has adequate wind-down planning. Its supervision of P3 firms is reactive, relying on a range of alerts generated by its systems which may be triggered by something unusual in the returns or information received from the firm, or from other intelligence received from the firm’s counterparties, the Financial Ombudsman Service, consumers, or whistleblowing by the firm’s employees.3

8.04  Both regulators have been concerned to implement the changes resulting from the introduction of the CRD IV Directive for banks and investment firms implementing Basel III, and the PRA with the implementation of the Solvency II Directive for insurers, which are being reflected in their prudential rules and policies.

III.  Culture, Integrity and Cooperation with the Regulator

A.  Culture

8.05  Culture is viewed as an important element of a firm’s risk management strategy and reflects the requirements of Principle and Fundamental Rule 1 (integrity) and Principle 11 and Fundamental Rule 8 (cooperation with the regulator).

8.06  As the FSB comments, failures in risk culture are often considered a root cause of the global financial crisis as well as headline risk and compliance events such as the London whale rogue trader and LIBOR manipulation. A firm’s risk culture plays an important role in influencing the actions and decisions taken by individuals and in shaping the institution’s attitude toward its stakeholders, including its supervisors. A risk culture that promotes prudent risk-taking and discourages unrestrained profit maximisation supports an environment that is conducive to ensuring that emerging risks are appropriately recognised, assessed, escalated, and addressed.4

8.07  Misconduct at some UK banks involving LIBOR submissions and FX trading has been ascribed to poor cultural standards at all levels. The Parliamentary Commission on Banking (p. 282) Standards commented that the right tone and standard of behaviour at the top of a bank is a necessary condition for sustained improvements in standards and culture but, for lasting change, the tone in the middle and at the bottom are also important, and it called not only for a far wider regime of individual responsibility (see chapter 6) but also for the establishment of a new professional body for bankers, being established as the Banking Standards Review Council.5

8.08  The PRA expects firms to have a culture that supports prudent management and that the board leads in establishing, embedding, and maintaining a firm’s culture. Key elements of this are that:

  1. a.  management properly understand the risks that the firm faces; senior management articulates the values, monitors the culture, rewards consistent behaviour and acts on inconsistent conduct;

  2. b.  risk management and control functions have adequate authority;

  3. c.  individuals act consistently with the firm’s safety and soundness;

  4. d.  remuneration and incentive structures reward careful and prudent management; and

  5. e.  firms and individuals are open and cooperative with the regulators.

8.09  The PRA assesses a firm’s culture through its normal supervisory activity entailing contact with firm representatives, reviews of projections and valuations, assessing the independence and professionalism of the firm’s risk management, the effectiveness of its board, and consideration of its remuneration policies.6 The FCA identifies some similar elements while focusing on conduct issues. It states that there are few more pressing priorities for a firm than to establish and maintain a strong corporate culture. Senior management should, in the FCA’s view, be asking not whether a product or strategy is legal, but whether it is right and in the best long-term interests of the firm’s clients.7 The FCA has identified three key drivers of culture at a firm:

  1. a.  senior management setting the tone from the top by personally demonstrating key firm values and creating a culture where all staff have a responsibility for acting to high ethical standards;

  2. b.  translating the culture into actual business practices;

  3. c.  supporting the right behaviours through recruitment and promotion policies, performance management, and employee development and reinforced through programmes that incentivise and reward staff to encourage the right outcomes.

8.10  The FCA assesses a firm’s culture from observing its conduct, for example:

  1. a.  how it responds to and deals with regulatory issues;

  2. b.  what customers experience when buying a product or service from front-line staff;

  3. c.  how a firm runs its product approval process;

  4. d.  its market conduct;

  5. (p. 283) e.  its remuneration structures—the FCA considers that most financial incentives schemes are likely to drive misselling;8 and

  6. f.  how its board engages in these issues, considers the firm’s strategy, and ensures that products are sold to target markets.9

8.11  Further aspects of a positive risk culture are that risk is owned at business level, and that transparency and open dialogue are encouraged throughout the product, service, or transaction lifecycle to ensure that risk issues are identified and escalated. All employees should promptly identify, manage and when appropriate escalate risk issues, should be held accountable for their actions, and made aware of the consequences of breaching the firm’s risk policies.10

B.  Integrity—Principle and Fundamental Rule 1

8.12  Principle and Fundamental Rule 1 require a firm to conduct its business with integrity. Action taken by the FCA and its predecessor for breach of PRIN 1 illustrates this requirement, which is breached by acts of dishonesty and also by reckless disregard of regulatory requirements. The cases have been marshalled under these two headings although they are not always treated as distinct categories of misconduct and an intentional rule breach can be described as either dishonest or reckless. An act of misleading the regulator can be treated as a breach of PRIN 1 or PRIN 11.

1.  Dishonesty

  1. a.  Dishonest dealing with customers—firm avoided meeting investors’ claims by transferring assets to a third party at an undervalue;11 firm dishonestly purchased securities for customers’ accounts without their consent.12

  2. b.  Misleading the regulator—firm dishonestly misled the regulator about the involvement of an unapproved senior manager in its business;13 firm deliberately withheld documentation from the regulator and provided false information;14 firm made false and misleading statements to the regulator, concealed documents, and impersonated witnesses;15 firm failed to disclose an overseas regulator’s report, wrongly stated that it was prohibited from disclosing it, made a false attestation, and failed to cooperate during an investigation.16

  3. c.  Misleading customers—firm dishonestly misled customers about its research into the securities that it promoted;17 firm knowingly gave misleading advice to customers;18 firm entered into transactions intending to mislead purchasers, participated in fraudulent transactions, and created misleading documentation.19

(p. 284) 2.  Recklessness

  1. a.  High pressure sales—firm created a high pressure sales-driven environment and recklessly exposed customers to the risk of receiving unsuitable recommendations and misleading advice.20

  2. b.  Distributing products when aware of problems—firm recklessly promoted a share scheme ignoring warning signs that it was fraudulent;21 firm distributed investment products despite knowing of serious regulatory problems with the issuer and recklessly disregarded investors’ interests by not disclosing this.22

  3. c.  Not managing conflicts—firm recklessly failed to manage conflicts of interest between itself, its associates, and its clients.23

  4. d.  Breaching own procedures—firm knowingly or recklessly breached its own procedures and also deliberately vetoed the performance of an appropriate compliance-related routine.24

  5. e.  Retaining unsuitable staff—firm deliberately engaged an unapproved person in a senior position despite knowing of his unacceptable conduct.25

  6. f.  Ignoring a regulatory requirement—firm continuing regulated activities in breach of regulatory requirement to cease them.26

C.  Cooperation with the regulator—Principle 11 and Fundamental Rule 8

8.13  Principle 11 and Fundamental Rule 8 require a firm to deal with its regulators in an open and cooperative way, and disclose appropriately anything relating to the firm of which a regulator would reasonably expect notice. The FCA is making increasing use of personal attestations given by individual senior managers to confirm that specified action has been taken which may increase cases brought for breach of this requirement.27 Circumstances when this requirement has been breached include the following:

  1. a.  Providing false or misleading information—circumventing reporting requirements and deliberately submitting misleading returns;28 and giving false information to a regulator.29

  2. b.  Providing inaccurate information—failing to undertake adequate enquiries before providing an affirmation of compliance.30

  3. c.  Withholding information—failing to provide information required by the regulator during an investigation.31

  4. d.  Failing to notify material breaches—failing to notify the regulator of material non-compliance;32 and of serious losses and misconduct.33

  5. (p. 285) e.  Late notification—not reporting material compliance failings to the regulator for nearly two years;34 advising the regulator of material compliance failures seven months after they first occurred.35

  6. f.  Not reporting overseas regulatory action—failing to inform the regulator of overseas regulatory action relevant to the firm’s UK business;36 and failing to report that an overseas regulator was investigating a group company which the UK regulator considered relevant to its functions.37

  7. g.  Not being open about plans—major firm failing to give the regulator early notification of a material planned corporate transaction;38 or intended personnel changes.39

IV.  Systems and Controls—Principles 2 and 3 and Fundamental Rules 2 to 5

A.  The requirement

8.14  A fundamental requirement of the regulatory system is that a firm has adequate systems and controls to identify and manage the risks that it faces, and also to comply with the regulators’ requirements. This is contained, at a high level, in Principle 3 which requires a firm to take reasonable care to organise and control its affairs responsibly and effectively and to have adequate risk management systems, and in PRA Fundamental Rules 3 to 5, which add the requirements that a firm must have adequate risk strategies and also act in a prudent manner. A firm is also required, under Principle and Fundamental Rule 2, to conduct its business with due skill, care, and diligence. We consider these requirements together, not least because the regulators frequently take enforcement action against a firm for breach of both principles—see sections 8.18 and 8.19.

B.  The systems and controls rules

8.15  The regulators have set out their requirements for a firm’s systems and controls in the Senior Management Arrangements, Systems and Controls (SYSC) rules which are relevant to all authorised firms; they implement the organisational requirements of the main EU directives, principally MiFID but also UCITS, AIFMD, and CRD. The following summary focuses on the main rules generally applicable to UK deposit takers and investment firms; there are variants for FCA- and PRA-regulated firms, insurers, incoming EU firms, non-mainstream firms and arising under the EU directives. SYSC is intended to encourage firms’ senior managers to accept responsibility for the allocation and oversight of a firm’s functions, and to create a common platform of system and control requirements for all firms (SYSC 1). There is no right of action under section 138D FSMA for breach of SYSC (SYSC 1.4).

  1. a.  Governance, organisation and management (SYSC 4)—a firm must have robust governance arrangements including a clear organisational structure, consistent and transparent lines of responsibility, effective processes to identify, report, manage, and (p. 286) monitor risk, and sound administrative and accounting procedures as well as effective safeguards for IT processing.

    A firm should also have, proportionate to the complexity of its business, an organisational structure and decision-making procedures that allocate responsibilities and specify reporting lines, internal controls to secure compliance with decisions and procedures, effective internal reporting and communication, as well as appropriate accounting procedures and a business continuity policy.

    The management body is responsible for, and should periodically review, the firm’s objectives, risk strategy, and governance, is responsible for the integrity of its financial and operational controls, and must oversee senior management. Senior management should be of sufficient repute and experience to ensure sound and prudent management and is responsible for fulfilment of, and should periodically review, the firm’s regulatory obligations.

  2. b.  Appropriate personnel (SYSC 5)—a firm’s staff should be vetted on recruitment and also have the necessary skills, knowledge, and expertise. Senior management should establish procedures to segregate duties and ensure performing multiple functions does not give rise to conflicts.

  3. c.  Procedures and control functions (SYSC 6 and 7)—a firm should have adequate procedures to ensure compliance with its regulatory obligations, to minimise and detect breaches, and to counter the risk that it might be used for financial crime. It should also have effective procedures to assess and manage the risks it faces.

    A firm should have an independent and permanent compliance function responsible for monitoring its procedures, remedying deficiencies, and advising on compliance, and the compliance officer should have authority, resources, and necessary access. It should appoint a money laundering reporting officer of appropriate status and, when appropriate, independent internal audit and risk management functions.

  5. d.  Outsourcing (SYSC 8)—a firm that outsources performance of a critical function to a third party remains fully responsible for its performance, and must ensure that the outsourcing and its risks are managed. There should be a clear written contract, and a firm must act skilfully when entering, managing, or exiting an outsourcing. Steps that the FCA expects a firm to take in relation to its outsourcing may include:

    1. i.  having a detailed written contract including clear service level standards, a right to inspect the service provider’s operations, and providing for a regular flow of management information;

    2. ii.  senior management retains responsibility for the outsourced functions and holds line management to account;

    3. iii.  line management oversees the service provider’s day-to-day activities and holds periodical review meetings with the service provider;

    4. iv.  having a contingency plan to deal with service disruption and service provider failure;

    5. v.  retaining operational staff who understand the outsourced functions;

    6. vi.  checking the accuracy of the service provider’s work.40

  6. e.  Record keeping (SYSC 9)—a firm must keep orderly records of its business, organisation and services to enable the regulator to ascertain compliance. Records must generally be kept for at least five years, and (for some classes of firm) maintained so they cannot be (p. 287) altered and each amendment can be ascertained, and a regulator can reconstitute each key stage in processing a transaction.

  7. f.  Conflicts (SYSC 10)—a firm must identify and record conflicts between itself (and its staff) and a client, and between clients, where there is a material risk of damage to clients’ interests. This includes where the firm is likely to make a gain or avoid a loss at the client’s expense; has its own interest in the outcome of the service or transaction; has an incentive to favour one client over another; carries on the same business as the client; or receives a third-party inducement other than a standard fee. A firm must have an effective policy that seeks to manage conflicts and prevent them from damaging clients’ interests, for example by maintaining barriers to the flow of information and separating conflicting activities, failing which it must disclose them so that the client can take an informed decision. Conflicts are discussed further in section 9.12 onwards.

  8. g.  Group risk systems and control requirements (SYSC 12)—a firm that is a member of a group must have adequate processes to assess and manage its exposure to group risk and ensure there are appropriate risk management processes at group level.

  7. h.  Insurers’ risk management (SYSC 11 and 13 to 17)—insurers are given guidance on systems and controls for managing liquidity risk, on stress testing and scenario analysis, and rules and guidance on managing operational, prudential, credit, market, and insurance risk.

  8. i.  Whistleblowing (SYSC 18)—a firm should have appropriate procedures for handling staff concerns.

  9. j.  Remuneration code (SYSC 19A to C)—the codes and their application vary between different types of firm and they are generally applied on a proportionate basis. Deposit takers and investment firms are subject to remuneration principles for senior managers, risk takers, and control functions:

    1. i.  A firm must have remuneration policies that are consistent with and promote sound and effective risk management and avoid excessive risk taking, and must align its remuneration and pensions policies to its strategy, objectives, values, and long-term interests.

    2. ii.  A firm’s management must adopt and review its remuneration policy.

    3. iii.  A firm’s total variable remuneration must not limit its ability to strengthen its capital base.

    4. iv.  The calculation of variable remuneration must include adjustments for risks, cost of capital and liquidity, and future revenues.

    5. v.  A firm must not, and must ensure its staff do not, avoid these requirements.

    6. vi.  Base remuneration should reflect duties contained in a job description with any variable remuneration reflecting additional performance; the ratio should normally be 1:1 and no higher than 1:2.

    7. vii.  Performance-related remuneration should be assessed on a multi-year basis and take into account team and firm results as well as individual performance, which should be assessed on a balanced basis to include risk and compliance metrics.

    8. viii.  Variable remuneration should only exceptionally be guaranteed; comprise at least 50% in capital instruments subject to deferred vesting and the majority of a large bonus must be deferred (and subject to deduction until paid or vested); only be paid or allowed to vest if sustainable for the firm and still justified; and subject to clawback for seven years for significant breach or misconduct.

8.16  The FCA considers that performance management and reward schemes are a powerful lever to influence organisational culture and that misalignment between incentives structures and corporate values can lead to excessive risk taking. The FCA requires that (p. 288) pay practices do not encourage inappropriate risk taking and that variable remuneration is only paid or allowed to vest where justified by performance. The remuneration codes apply to banks, building societies, broker-dealers, asset managers, and some other firms. The FCA has criticised firms’ remuneration policies in a number of enforcement cases which, while they did not concern breaches of the codes or of this specific rule, emphasise the need for a firm to ensure that its remuneration policy is conducive to what the FCA terms as good customer outcomes.41

  1. k.  Reverse stress testing (SYSC 20)—certain firms must identify and assess the circumstances that would cause their business to become unviable.

  2. l.  Risk function governance (SYSC 21)—guidance is provided on the appointment and responsibilities of a Chief Risk Officer and a risk committee.

C.  Regulatory action for breach of competence and systems and controls

8.17  Breach of PRIN 3 is one of the commonest grounds for regulatory action with over 100 cases having been brought against firms for inadequate systems and controls; the charges will usually also include breach of one or more SYSC rules. The range of topics falling within these cases illustrates the breadth of matters that require to be managed through adequate systems and controls; some of the cases span a number of topics and show how weaknesses can be widespread throughout a firm. While each case is different, a pervasive theme is the need for a firm to ensure that it:

  1. a.  identifies the risks it faces;

  2. b.  constructs policies and procedures to manage and mitigate those risks, which are actively overseen by line management;

  3. c.  ensures that there is a flow of management information about the incidence of those risks received and acted upon by line management that is accurate, timely, and properly calibrated;

  4. d.  has an effective risk management framework and a properly resourced risk and Compliance function;

  5. e.  secures that senior management oversees the operation of this process, and periodically tests and reviews it.

8.18  The regulators have taken action for failure to have adequate systems and controls in breach of PRIN 3 in relation to the following areas; where action has also been taken for breach of PRIN 2 this is indicated in the reference:

  1. a.  Accuracy of charges;42 of customer communications;43 of LIBOR submissions;44 of mortgage records;45 of premium calculations.46

  2. (p. 289) b.  Aggressive growth strategy focusing on high risk business despite being aware of weaknesses in the control framework.47

  3. c.  Client money, where action can also be taken for breach of the client money rules and under PRIN 10 (see section 9.32).48

  4. d.  Complaints handling, where action can also be taken for failing to treat customers fairly (see section 14.19).49

  5. e.  Compliance or risk function, monitoring or oversight.50

  6. f.  Data security, discussed further in chapter 13.51

  7. g.  Employment of a chief executive without regulatory approval.52

  8. h.  Financial crime: anti-money laundering;53 employee fraud;54 external fraud;55 share fraud; discussed further in chapter 13.56

  9. i.  Financial promotions and other marketing material, discussed further in chapter 10.57

  10. j.  Governance arrangements;58 reviewing the operation of procedures.59

  11. k.  Identifying and applying regulatory requirements.60

  12. l.  Improper activities: illegitimate reinsurance transactions;61 mismarking positions and booking fictional trades;62 mispricing securities;63 unauthorised customer trading.64

  13. (p. 290) m.  Management oversight of operations;65 of risk controls;66 board and senior management not paying sufficient attention to regulatory issues;67 failing to escalate issues, supervise traders, and consult compliance;68 management not recognising responsibility for managing risk.69

  14. n.  Oversight of outsourced sales or customer servicing activities;70 or appointed investment manager.71

  15. o.  Providing customers with required information.72

  16. p.  Record keeping.73

  17. q.  Remuneration and staff incentivisation.74

  18. r.  Suitability of retail advice or portfolio management.75

  19. s.  Trade recording and allocation.76

  20. t.  Training and recruitment.77

  21. u.  Transaction reporting.78

  22. v.  Treating customers fairly where action can also be taken under PRIN 6.79

8.19  The regulators have taken action for breach of PRIN 2, sometimes in conjunction with PRIN 3, for:

  1. a)  Acting inconsistently with a sound risk policy—authorising and executing a trading strategy without regard for the risks on the operation of a trading platform;80 undertaking a major book building exercise without consulting compliance or senior management, and trading in a restricted security.81

  2. b)  Failure to supervise a complex business.82

  3. (p. 291) c)  Inadequate management controls leading to significant losses.83

  4. d)  Compliance failing to act on escalated LIBOR concerns;84 or to investigate increased profitability of a trading desk.85

  5. e)  Regulatory interaction—providing the regulator with sample files that had been improperly altered;86 failing adequately to respond to warnings from the regulator.87

  6. f)  Other breaches—inadequate complaints handling;88 failing to test systems to ensure accuracy;89 failing accurately to describe the scope of FSCS cover for a product;90 failing to identify the miscategorisation of investments in a portfolio.91

V.  Governance and Risk Management

8.20  From a regulatory perspective, governance is the process whereby a strong and well-informed board oversees operational management which in turn procures a strong risk function. The firm’s risk function identifies, monitors, and manages risk and feeds risk reports through operational management to the board. This enables the board to hold management to account, and take strategic decisions, in light of the actual risks that the firm faces. This virtuous circle of authority and information emphasises the close connection between sound governance and effective risk management.

A.  The elements of governance

8.21  The Walker review of corporate governance in financial institutions, published in 2009, identified that weaknesses in risk management, board practice, control of remuneration, and in the exercise of ownership rights significantly contributed to excessive risk taking in the lead up to the financial crisis. It proposed a number of recommendations, of which those particularly relevant from a regulatory perspective were that boards should increase engagement in the management of their firm’s risk, and should substantially enhance oversight of remuneration with significant amounts of variable remuneration being deferred as a long-term incentive.92 The European regulators, and to a lesser extent the UK regulators, have in recent years published significant guidance on governance, seeking to codify the elements of sound governance.93 Most recently the Bank for International Settlements has proposed a dozen principles, which are reflected in this section; while focused on large banks, they (p. 292) reflect evolving good practice for other sectors; it points out that sound corporate governance may permit the supervisor to place more reliance on the firm’s internal processes, and that implementation of these principles should be commensurate with the size, complexity, structure, economic significance, and risk profile of the firm and any group to which it belongs.94

8.22  Principle 1: Board’s overall responsibilities—the board has ultimate responsibility for a firm’s business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations.

  1. a.  It should ensure that the firm’s organisational structure enables the board and senior management to carry out their responsibilities and facilitates effective decision-making and good governance. It should oversee implementation of an appropriate governance framework so that it is clear throughout the firm who is responsible for what function, what reports they receive and to whom they report. The board should ensure that it receives adequate MI and take timely decisions in light of it.

  2. b.  The board should establish and monitor the firm’s business objectives and strategy, and develop the firm’s risk appetite; and approve and oversee the implementation of the firm’s capital and liquidity plans, compliance policies and obligations, and internal control system.

  3. c.  In order to promote a sound corporate culture, the board should lead in establishing the ‘tone at the top’ by setting and adhering to corporate values for itself, senior management, and other employees that create expectations that all business should be conducted in a legal and ethical manner, and by promoting risk awareness within a strong risk culture.

  4. d.  The board is responsible for ensuring that risk is effectively identified, monitored, managed and mitigated, and overseeing a strong risk governance framework. The board should ensure that the risk management, compliance, and audit functions are properly positioned, staffed, and resourced and carry out their responsibilities independently and effectively.

  5. e.  The board should select and oversee the CEO and other key members of senior management, as well as the heads of the control functions. It should hold members of senior management accountable for their actions and articulate the board’s performance expectations including adherence to the firm’s values, risk appetite, and risk culture.

8.23  Principle 2: Board qualifications and composition—the board should comprise individuals with a balance of skills, diversity, and expertise, who collectively possess the necessary qualifications commensurate with the size, complexity, and risk profile of the bank. There should be an appropriate number of non-executive directors to provide effective challenge. Board members have responsibilities to the firm’s overall interests, regardless of who appoints them.

8.24  Principle 3: Board’s own structure and practices—the board should structure itself effectively to perform its oversight role and other responsibilities, covering all topics in (p. 293) sufficient depth and having a robust discussion of issues. The chair should ensure that board decisions are taken on a sound and well informed basis. The board may establish committees with a charter stating mandate, scope, and working procedures. An audit committee is responsible for financial reporting and oversight of and interacting with internal and external auditors, receiving key audit reports, and ensuring that senior management is taking prompt corrective action. A risk committee should oversee risk strategies and implementation of the firm’s risk appetite and seek to ensure the firm has effective risk management policies.

8.25  Principle 4: Senior management—senior management comprises those individuals who are responsible and accountable to the board for effectively overseeing the firm’s day-to-day management. They should have the necessary experience, competence, and integrity to manage the businesses and people under their supervision. Their organisation, procedures, and decision-making should be clear and transparent and designed to promote effective management and their roles and authority should be clear.

8.26  Principle 5: Governance of group structures—the board of the parent company has overall responsibility for the group and for ensuring it has a clear and appropriate governance framework. Its board and senior management should understand the risks and issues of the group as a whole and should establish a group legal entity and business structure that contributes to the effective oversight of the group and each of its entities. It should exercise adequate oversight over subsidiaries while respecting their independent legal and governance responsibilities.

8.27  Principle 6: Risk management—there should be a risk management function independent of the operational business responsible for overseeing the firm’s risk-taking activities. It should identify risks, assess the firm’s exposure to them, review and maintain the firm’s risk governance framework, monitor the firm’s risk-taking activities, establish a system to identify actual or potential breaches of the firm’s risk limits, participate in material risk decisions, and report to senior management and the board or risk committee. Elements of risk management may include:

  1. a.  Adopting a comprehensive view of exposures—a firm that shares qualitative and quantitative information throughout its organisation is better placed to identify sources of risk and implement plans to manage or reduce them than one that relies on individual business units to do this.

  2. b.  Effective capital management—a firm that aligns its treasury and risk management functions is better placed to manage capital and liquidity than one where information is held in separate divisions, as it may not be shared and decisions may be taken in isolation when they should have been coordinated.

  3. c.  Adequate and responsive management information—a system that assesses risk positions using a number of tools and differing assumptions and risk measures will gain a broad perspective on current and evolving risk positions. The timely provision of accurate information to management can be critical to a firm’s ability to respond rapidly. A hierarchical structure can act as a filter that delays or distorts data received by senior management.

  4. d.  Senior management oversight—senior management should include persons with expertise in a wide range of relevant risks who promote a continuous dialogue between business areas and risk management to ensure risks are identified, challenged, and (p. 294) managed and that the business does not expand too quickly or beyond the capacity of its controls.95

8.28  Principle 7: Risk identification, monitoring, and control—risk identification should cover all material risks to the firm, and the board and senior management should regularly re-evaluate existing, new, and emerging risks. The firm should use stress tests and scenario analyses to understand potential risk exposures under a variety of adverse circumstances. The firm’s risk management infrastructure should keep pace with business developments. The regulators have issued guidance addressing good practice in managing compliance or regulatory risk, especially in a trading environment, although a number of the following points will be of wider application.96

  1. a.  Defining compliance risk and responsibilities—there should be a clear definition of compliance risk and a clear message that it is the responsibility of the business and that staff must adhere to the desired compliance culture. Senior management must provide leadership in defining and embedding desired behaviours and culture. Compliance behaviour should be considered in staff assessments and reflected in remuneration. The compliance function should be independent and able to challenge the views and practices of the business and of other control functions and have equal access to senior management.

  2. b.  Compliance planning—there should be clear processes for business line input into compliance planning. The firm’s aggregate compliance plan should be presented to local as well as central management for challenge and consideration against risk tolerance. The compliance function should regularly present to management on their work including key findings, emerging issues, and changing priorities.

  3. c.  Compliance risk assessment process—a risk assessment process should be based on a robust rating methodology that uses qualitative and quantitative factors and input together with input from the business to assess the gross and net level of risk. This can be performed by compliance or by business units on a self-assessment basis facilitated and moderated by the compliance function. The output from this process helps determine compliance’s work programme across a range of its activities including monitoring, training, and strengthening policy and controls.

  4. d.  Compliance monitoring, desk reviews, and trade surveillance—there should be a robust compliance monitoring and desk review programme which focuses on the principal risks identified through the compliance risk assessment process. There should be targeted surveillance, with appropriate levels of automation, aimed at the key risks associated with activities such as trading and (principally for retail business) marketing, advising, achieving suitability, and handling claims and complaints. Outcomes of reviews should be focused on business practice improvements and not merely reporting routine breaches of internal or external requirements. Findings should be reported to management together with the tracking of progress in correcting breaches.

  5. e.  Evaluating compliance performance—the compliance function’s effectiveness in helping to manage compliance risk should be subject to formal assessment using performance indicators and feedback from business and senior management.

  6. (p. 295) f.  Front office oversight and governance—a firm should consider whether the structure and organisation of its front office operations is consistent with the effective identification and management of risk. This may include, in a trading environment:

    1. i.  Reviewing how clearly responsibilities and reporting lines are established and recorded.

    2. ii.  Considering the quality of management information and exception reports available to trading management.

    3. iii.  Ensuring that appropriately specified and detailed trading mandates are in place for each trader which are up to date and monitored along with corresponding risk limits.

    4. iv.  Ensuring that staff in control functions have sufficient understanding, skill, and authority to challenge front office staff effectively when agreed parameters are breached or when suspicious activity takes place.

    5. v.  Monitoring risks by reference to trader mandates and overall desk position for all material risks.

    6. vi.  Ensuring that management information on key performance indicators is sufficiently detailed and appropriate both at team and trader level to spot unexpected performance and suspicious activity.

    7. vii.  Having controls in place to check transactions done at an ‘off-market’ or unexpected rate.

    8. viii.  Ensuring it understands where all its profit and loss (P&L) is coming from; this is a key control for understanding the risk in a trading operation.

    9. ix.  Performing reconciliations to ensure positions are consistent within the firm between front office, risk management, and back office systems, and with outside custodians, banks, exchanges, and brokers. A firm should use key performance indicators such as aging of unresolved breaks and review whether its reconciliation processes prevent gaps or significant points of weakness, and help identify and resolve breaks.

    10. x.  Checking trade confirmations—transactions between firms have to be confirmed to make sure the positions booked on a firm’s system are accurate. A firm should ensure confirmations and valuations are sent directly from the external counterparty or provider to the middle or back office, not via the front office. It should also track and analyse outstanding confirmations.

    11. xi.  Segregating functions—a firm should ensure that a single individual cannot originate, book, and settle a transaction. It should also consider whether its security and access controls are properly implemented so that a user may only access functions his duties require, and system access rights should periodically be refreshed.

8.29  Principle 8: Risk communication—risk issues, including risk strategy, should be communicated throughout the firm as a key tenet of a strong risk culture which promotes risk awareness and encourages open communication and challenge about risk-taking. Senior management should keep control functions informed of major plans and activities so that they can properly assess the risks. Information presented in a concise, fully contextualised manner should be communicated to the board and senior management so that they are equipped to take informed decisions. The board should institute periodic reviews of the relevance and accuracy of information it receives and determine if additional information is needed.

(p. 296) 8.30  Principle 9: Compliance—an independent compliance function is a key component of a firm’s risk management and is responsible for promoting and monitoring that the firm operates with integrity and in compliance with applicable laws, regulations, and internal policies. It should advise the board and senior management on compliance with laws, rules, and standards and provide guidance to staff through policies, procedures, and documents such as compliance manuals and practice guidelines. It must have sufficient authority, stature, independence, resources, and access to the board. Compliance is most effective in a corporate culture that emphasises standards of honesty and integrity and in which the board of directors and senior management lead by example.

8.31  Principle 10: Internal audit—the internal audit function provides independent assurance to the board and supports it and senior management in promoting an effective governance process and the firm’s long-term interests. It should have a clear mandate, be accountable to the board, be independent of the audited activities, and have sufficient standing, skills, resources, and authority within the bank.

8.32  Principle 11: Remuneration—the firm’s remuneration structure should be aligned with sound risk management and promote the firm’s long-term interests and appropriate risk-taking behaviour. It should promote long-term performance and be in line with the firm’s business and risk strategy, objectives and values and incorporate measures to prevent conflicts of interest. Remuneration programmes should facilitate adherence to risk appetite, promote appropriate risk-taking behaviour and encourage employees to act in the interest of the firm as a whole, taking into account client interests, rather than for themselves or only their business lines. The board is responsible for overall oversight of remuneration and should regularly monitor and review outcomes to ensure it is operating as intended.

8.33  Principle 12: Disclosure and transparency—the firm’s governance should be transparent to its shareholders, customers, other stakeholders, and market participants.

8.34  Principle 13: The role of supervisors—supervisors should provide guidance for and supervise firms’ corporate governance, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors.

B.  Regulatory action for weak governance

8.35  The regulators have taken action against firms for breach of PRIN 2 or 3 on account of inadequate governance on a number of occasions, including:

  1. a.  Ineffectual governance—failing to ensure that effective internal governance arrangements were in place to enable it to manage and monitor the risks its customers were exposed to in a number of areas;97 failing to put in place effective governance arrangements and controls to identify and manage the risk that its customers would be treated unfairly, and failing to take effective action when issues arose;98 diversifying into a new business area without adequate controls and where senior management did not have the skills and experience to provide sufficient control and oversight;99 a bank’s risk (p. 297) governance framework in respect of its process for preparing redress payments to send to PPI complainants was ineffective and did not enable it to identify and address, in a timely way, the systems and controls deficiencies in its process.100

  2. b.  Unclear governance—a firm’s governance arrangements for its with-profits business were unclear and inadequate in design and in operation so that there was an unacceptably high risk that policyholders’ interests would not be protected properly.101

  3. c.  Not responding to concerns—failing to take adequate action in response to concerns identified internally, or brought to the firm’s attention by the regulator.102

  4. d.  Inadequate oversight—a firm’s management failing to oversee and ensure that an outsourcing company would treat the firm’s customers fairly.103

VI.  Capital

8.36  In this section we briefly review the structure of the current rules relating to capital; the length and technical complexity of these rules make it impracticable to provide more than an outline summary of the principal elements of the five main rulebook regimes:

  1. a.  FCA regulated:

    1. i.  BIPRU firms;

    2. ii.  CRR firms;

    3. iii.  retail intermediaries.

  2. b.  PRA regulated:

    1. i.  deposit takers and major investment firms;

    2. ii.  insurers.

A.  Principle and Fundamental Rule 4

8.37  Principle and Fundamental Rule 4 require a firm to maintain adequate financial resources. This is an area of major regulatory reform both domestically and internationally in relation to the absolute amount of capital held by a firm, especially a bank, and achieving a closer alignment between the risks arising from a firm’s activities, its risk management and the capital that it is required to hold against those risks. There have been major reforms at both European and international level to achieve this for banks under Basel III, implemented in the EU through CRD IV, and for insurers through Solvency II.

B.  Investment firms prudentially regulated by the FCA

8.38  Investment firms are subject to the IFPRU prudential sourcebook, which implements the Capital Requirements Directive, if they are not a BIPRU firm; they may (depending on categorisation) hold client assets and deal as principal.

  1. a.  A firm must maintain adequate financial resources so there is no significant risk it cannot meet its liabilities as they fall due and must have systems to assess the resources (p. 298) it requires to cover the risks it faces. A firm is required to assess the adequacy of its capital through performing and recording an internal capital adequacy assessment process (ICAAP), which the FCA reviews through its supervisory review and evaluation process (SREP). The FCA may, having performed the SREP, issue a firm with individual capital guidance (ICG) advising it of the amount and quality of capital it is required to hold, which may require it to increase the amount, type, or characteristics of capital, and a capital planning buffer additional to the ICG to enable the firm to meet severe stress (IFPRU 2).

  2. b.  A firm must maintain a base own funds requirement according to its category comprising qualifying capital (IFPRU 3).

  3. c.  A firm must observe requirements in relation to credit, operational, and market risk (IFPRU 4, 5, and 6).

  4. d.  The BIPRU 12 liquidity regime applies until the CRR regime commences (IFPRU 7).

  5. e.  The FCA has discretion to allow a parent to consolidate its subsidiaries’ assets and for a firm to exempt group exposures from applicable limits (IFPRU 8).

  6. f.  A firm must annually disclose its return on assets (IFPRU 9).

  7. g.  A firm must maintain a countercyclical capital buffer of common equity tier 1 capital (IFPRU 10).

  8. h.  A major firm and its parent may need to prepare a recovery plan and, if a member of a group, may be subject to requirements in relation to group financial support (IFPRU 11).

C.  Insurers

8.39  An insurer is subject to the General Prudential Sourcebook (see 8.40 (a) to (c)) and also to the Prudential Sourcebook for insurers (INSPRU).

  1. a.  An insurer must meet requirements for its capital resources and technical provisions, with different requirements for general and long-term business (INSPRU 1).

  2. b.  An insurer must restrict its credit risk to prudent levels and ensure adequate diversification (INSPRU 2).

  3. c.  An insurer must hold adequate capital to cover market risk (INSPRU 3).

  4. d.  Guidance is provided on managing an insurer’s liquidity risk and operational risk (INSPRU 4 and 5).

  5. e.  An insurer that is a member of a group must calculate its group capital resources and requirement, while a parent must maintain adequate group resources (INSPRU 6).

  6. f.  An insurer must periodically assess the adequacy of its financial resources through an individual capital assessment (ICA) (INSPRU 7).

  7. g.  INSPRU and GENPRU are applied to Lloyd’s at INSPRU 8.

D.  BIPRU firms

8.40  BIPRU firms (arrangers, advisers, and managers who neither deal as principal nor hold client moneys) outside the scope of the IFPRU prudential sourcebook are subject to the General Prudential Sourcebook (GENPRU) and also to the Banking, Building Societies and Investment Firms Sourcebook (BIPRU) which, despite its name, no longer applies to deposit takers and is restricted in its application to BIPRU firms falling outside IFPRU.

  1. a.  A firm must maintain adequate financial resources so there is no significant risk it cannot meet its liabilities as they fall due and must have systems to assess the resources it (p. 299) requires to cover the risks it faces. It must carry out an ICAAP on which the FCA will perform a SREP and issue an ICG (GENPRU 1 and BIPRU 2).

  2. b.  A firm must maintain minimum capital resources of stated quality comprising a base capital requirement depending upon its category, and a variable capital requirement based on the risks it faces (GENPRU 2).

  3. c.  There are additional provisions for a firm that is part of a financial conglomerate (GENPRU 3).

  4. d.  A firm may be granted a solo consolidation waiver, so that its parent may incorporate its subsidiary’s capital requirements into its own capital resources and requirement (BIPRU 2).

  5. e.  A firm must calculate its credit risk capital component (BIPRU 3 to 5) and position risk requirement (BIPRU 7).

  6. f.  A firm that is a member of a group must meet consolidation requirements (BIPRU 8).

  7. g.  A firm must calculate its risk weighted exposure amount for securitization positions (BIPRU 9).

  8. h.  A firm must periodically disclose its risk management policies and capital resources (BIPRU 11).

  9. i.  A firm must have adequate systems and controls to manage liquidity risk and maintain an adequate liquidity buffer (BIPRU 12).

  10. j.  A firm must calculate counterparty risk exposure, and capital requirements for settlement and counterparty risk, following stated methodologies (BIPRU 13 and 14).

E.  Retail intermediaries

8.41  Mortgage, home finance, and insurance intermediaries (and other firms with permission to carry on those activities) are subject to the MIPRU Prudential Sourcebook, which implements the requirements of the Insurance Mediation Directive.

  1. a.  An insurance intermediary firm must allocate responsibility to a senior manager and its staff must have knowledge and ability and be of good repute (MIPRU 2).

  2. b.  A firm may be required to hold professional indemnity insurance at a stated level (MIPRU 3).

  3. c.  An intermediary firm must be able to meet its liabilities as they fall due and fulfil the applicable capital resources requirement (MIPRU 4).

  4. d.  A mortgage lender, other home finance firm and an insurer may only use a regulated intermediary (MIPRU 5).

F.  PRA rules

8.42  As indicated, the PRA has four variant sets of rules and by way of illustration we have selected some of those applicable to banks and PRA-regulated investment firms that fall within CRR. The PRA’s policy is to streamline and amend the PRA Handbook and associated materials taken over from the FCA to produce its own distinctive rulebook and supervisory statements. The PRA is adopting a shorter and sparser style, with some rulebooks merely copying out the bare EU requirements with commentary consigned to a brief accompanying Supervisory Statement.104

(p. 300) 1.  Rules relating to capital

  1. a.  Internal capital adequacy assessment—a firm must maintain adequate financial resources to ensure there is no significant risk that its liabilities cannot be met as they fall due. It must have effective systems in place to assess and maintain the amount and type of capital it requires to cover the risks that it faces. A firm must, in order to manage credit and counterparty risk, base the granting and renewing of credit on sound criteria. It must also manage residual credit, concentration, securitization, market, interest, operational, and excessive leverage risk. It must periodically perform, and document, stress and scenario tests for the major risks it faces to identify the financial resources.

  2. b.  Definition of capital—this specifies the base capital resources requirement.

  3. c.  Credit risk, market risk, related party transaction risk and large exposures—these sections address specific aspects of managing the risks that a firm faces.

  4. d.  Capital buffers—sets out requirements in relation to capital conservation and countercyclical capital buffers.

  5. e.  Capital requirements—the CRR is directly applicable and the PRA will not transpose it; it will delete BIPRU (save 12 which retains interim national liquidity provisions) and GENPRU (save 3, dealing with cross-sector groups).

8.43  The Capital Requirements Directive IV comprises the Directive and the Capital Requirements Regulation (CRR), which is directly applicable to firms across the EU; together they implement the Basel III agreement in the EU commencing in January 2014. The main purpose of CRD IV is to enhance requirements for the quality and quantity of capital as well as introducing new liquidity and leverage requirements, new rules for counterparty risk, and new macroprudential standards including a counter-cyclical capital buffer and capital buffers for systemically important institutions. CRD IV also makes changes to rules on corporate governance, including remuneration, and introduces standardized EU regulatory reporting for own funds, large exposures, and financial information.

8.44  A firm’s capital is, under CRD IV, divided into Pillars 1 and 2. A firm is required to calculate its Pillar 1 capital requirement in accordance with the methodology contained in the CRR. Pillar 2 requires a firm to undertake a regular assessment of the amounts, types, and distribution of capital it considers adequate to cover the risks to which it is or may be exposed so as to identify risks that are inadequately, or not, covered under Pillar 1. The purpose of Pillar 2 is both to ensure that a firm has adequate capital to support the risks it faces, and also to encourage it to enhance its risk management techniques. The PRA has explained how it expects firms to fulfil its rules implementing CRD IV.

  1. a.  A firm must carry out an internal capital adequacy assessment process (ICAAP) in accordance with the PRA’s ICAAP rules, including ongoing requirements to assess the amounts, types, and distribution of capital that it considers adequate to cover the level and nature of the risks to which it is or might be exposed. This assessment should cover the major sources of risks to the firm’s ability to meet its liabilities as they fall due, and should incorporate stress testing and scenario analysis. The ICAAP should be documented and updated annually by the firm, or more frequently if changes in the business, strategy, nature, or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate.

  2. b.  The PRA will perform a supervisory review and evaluation process (SREP) whereby the PRA takes into account the nature, scale, and complexity of a firm’s (p. 301) activities and reviews and evaluates the firm’s strategies and processes to comply with the PRA’s requirements, the risks to which it is or might be exposed, the risks it poses to the financial system, and any further risks revealed by stress testing. The PRA will review the firm’s ICAAP and consider its governance arrangements, corporate culture, and the capability of its board members. The PRA has particular regard to:

    1. a.  Pillar 2A—risks to the firm not, or not fully, captured, under the Pillar 1 requirements; and

    2. b.  Pillar 2B—risks to which the firm may become exposed over a forward-looking planning horizon.

    The PRA regards capital held under Pillars 1 and 2A as the minimum level of regulatory capital a firm must maintain to cover the risks to which it is or might be exposed. Pillar 2B is a capital buffer intended to help to ensure that the firm can continue to meet minimum requirements during a stressed period.

  3. c.  The PRA will normally set individual capital guidance (ICG). On the basis of the SREP, the PRA will determine whether the firm’s capital and other arrangements provide sound management and adequate coverage of its risks. It may require it to take prompt remedial action and will normally set an ICG, advising the firm of the amount and quality of capital that the PRA considers it should hold to meet the overall financial adequacy rule in Internal Capital Adequacy Assessment 2.1. This will usually be an amount of additional Pillar 2A capital it should hold stated as a percentage of the firm’s Pillar 1 risk-weighted assets (RWAs), plus one or more static add-ons in relation to specific risks in accordance with the overall Pillar 2 rule in Internal Capital Adequacy Assessment 3.1. The PRA expects firms to meet Pillar 2A with at least 56% CET1 capital and no more than 25% Tier 2 capital.

  4. d.  The PRA will set a PRA buffer, a firm-specific buffer for use in adverse circumstances only if it judges that the CRD IV buffers are inadequate for a particular firm given its vulnerability in a stress scenario, or where the PRA has identified risk management and governance failings, which the CRD IV buffers are not intended to address. The requirement to hold the PRA buffer will be phased in, in increasing proportions of CET1, from January 2016 to January 2019.

  5. e.  A firm with significantly weak risk management and governance may be required, until the weakness is remedied, to hold additional capital in the form of a scalar ranging from 10% to 40% of its CET1 Pillar 1 plus Pillar 2A capital requirements.105

2.  Other rules

8.45  There are a significant number of other rules (see Table 7.5) including the following:

  1. a.  Auditors—appointment, cooperation, and duties.

  2. b.  General—provisions of general application to all firms including non-compliance in an emergency, retail disclosure, insurance against fines, and description of regulated status.

  3. c.  Information gathering—rules requiring cooperation with the PRA, and access to documents, personnel, and premises.

  4. (p. 302) d.  Internal governance—rules (similar to SYSC, which it largely replaces) organised under chapters covering general organisational requirements, skills of staff, compliance and internal audit, risk control, outsourcing, and record keeping.

  5. e.  Notifications—the requirement to make notification of certain events: adverse occurrences and future development, with an overriding requirement that information provided is accurate.

  6. f.  Permissions and waivers—rules governing the variation and cancellation of Part 4A permission; and seeking the waiver or modification of a rule.

  7. g.  Public disclosure—the requirement to disclose return on assets.

  8. h.  Recovery and resolution—a firm must prepare and submit to the PRA (a) a recovery plan setting out the actions that could be taken to secure its business if adverse circumstances arose containing a comprehensive range of options; and (b) a resolution pack containing information and analysis that would facilitate the taking of action if it is failing.

  9. i.  Use of skilled persons—rules governing the appointment of a skilled person.

VII.  Recovery and Resolution

8.46  During the recent financial crisis the UK and other EU governments provided public funds to recapitalise banks because of the risks to financial stability that would have arisen had they been allowed to enter normal insolvency procedures. While a stable financial system requires that a financial institution can fail, this must be in an orderly fashion, not cause excessive disruption to the financial system, and taxpayers should not bear the losses. It should also not interrupt the firm’s provision of critical economic functions—making and receiving payments; extending credit and taking deposits; clearing and settling financial transactions; other retail and corporate banking; borrowing and lending between financial institutions; market-making in certain securities; and custody services.

8.47  The Banking Act 2009 reflected these requirements and provided that losses arising from failure are borne by the shareholders and unsecured creditors of the failed firm, rather than the general public; it was considered that removing an implicit government guarantee to the largest financial institutions would improve market discipline in the pricing of risks being taken by these firms. The 2009 Act was amended by the Financial Services (Banking Reform) Act 2013 and further amended in 2015 when the Bank Recovery and Resolution Directive (BRRD) was finalised. This Directive establishes a common approach within the EU to the recovery and resolution of banks and investment firms and covers credit institutions, 730k investment firms, financial institutions that are subsidiaries of credit institutions or investment firms or of financial holding companies, and financial holding companies, mixed financial holding companies and mixed-activity holding companies. The Bank of England is the UK resolution authority while the PRA and the FCA will carry out the functions of the competent authority specified in the Directive. The statutory process is described in section 11.103, and the PRA has implemented the BRRD through the following rules, supported by a Supervisory Statement:

  1. a.  Recovery Plans, requiring an affected firm to maintain one;

  2. b.  Resolution Pack, requiring an affected firm to maintain one;

  3. (p. 303) c.  Group Financial Support, limiting the circumstances when this is permitted; and

  4. d.  Contractual Recognition of Bail-In.106

8.48  There are two main elements to the process:

  1. 1.  Resolution planning—firms are required to submit information to the PRA in two phases to facilitate resolution planning. Phase 1 information will be periodically submitted by all firms.

    1. a.  Part A of Phase 1 requests information relating to group structure, significant legal entities, and the firm’s business model to enable the authorities to identify the most appropriate resolution strategy for the individual firm.

    2. b.  Part B of Phase 1 requests information on firms’ economic functions to enable the authorities to identify those functions which are critical to the financial system and which will need to be protected in resolution and retained in post-resolution restructuring.

    The requirement for Phase 2 information will be based on a review of a firm’s Phase 1 information and will be tailored to reflect the complexity of its business. A firm may be required to submit information relating to more than one resolution strategy in order to assess feasibility across a range of possible options. This may include information about the firm’s loss-absorbing capacity, its intragroup exposures, the terms of its contractual document, its shared services, and an analysis of how its business could be transferred while maintaining continuity of critical services.107

  2. 2.  Recovery planning—the PRA requires a firm to maintain a credible recovery plan setting out actions to implement in the event of severe stress to enable it to return its business to a stable and sustainable condition. It should include all credible options for addressing liquidity and capital difficulties and include:

    1. a.  A summary of a firm’s complete list of recovery options.

    2. b.  A description of each option, including assessment of the likelihood of success and benefits considering the factors that could reduce the likelihood of success and how these could be mitigated.

    3. c.  Identification of a range of indicators to activate the implementation of the recovery plan.

    4. d.  A clear description of the escalation and decision-making process in relation to a recovery.

    5. e.  An operational plan for accessing central bank liquidity facilities.

    6. f.  Confirmation that the firm’s board has reviewed and approved the recovery plan.

    7. g.  A communication plan for distributing timely and appropriate information.

      The PRA expects all global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) to provide four scenarios in their recovery plans, and other firms should provide three scenarios.108

8.49  The key substantive provisions of the recovery and resolution regime include the following:

  1. a.  A requirement for deposit-takers and significant investment firms to have in place a credible recovery plan.

     b.  The establishment of resolution authorities, with responsibility for planning for and managing the failure of banks and investment firms, and with the necessary tools to (p. 304) manage the failure of banks. This includes a bail-in tool, which allows the resolution authority to write down or cancel debt in a failing firm, and convert it into equity.

  2. c.  The establishment of resolution financing arrangements to help ensure that the resolution tools can be used effectively. Member states must establish resolution funds of at least 1% of deposits that are protected by their national deposit guarantee scheme financed by industry through a risk-based ex-ante levy system and supplemented by additional levies after resolution as necessary. In the United Kingdom this requirement is met through the existing levy on deposit-takers.

  3. d.  A ‘no shareholder or creditor worse off’ principle provides protection by requiring the resolution authority to identify whether its actions have resulted in a worse outcome than normal insolvency proceedings, or whether shareholders and creditors have been left worse off after use of stabilisation tools compared with the firm being placed into insolvency. Where there is a shortfall, shareholders and creditors are entitled to industry-financed compensation.

  4. e.  A firm is likely to be subject to intense and heightened supervision by the PRA or FCA as its difficulties increase. For example, under the PRA’s Proactive Intervention Framework which captures the supervisory judgement of how close a firm is to failure, supervisors will expect the firm’s management to take action as the condition of the firm deteriorates. A range of possible actions should be contained within the firm’s recovery plan, designed to enable it to return to a stable and sustainable footing.

  5. f.  The regulators can intervene in a firm that is at risk of failing and can (in ascending order of seriousness) (1) require it to implement its recovery plan; (2) replace the board of directors and senior management; and (3) appoint a temporary administrator.

  6. g.  The resolution authorities must act in the way that will best achieve the resolution objectives, which are (1) to ensure the continuity of UK banking services and critical functions; (2) to protect and enhance the stability of the UK financial systems by preventing contagion and maintaining market discipline; (3) to protect and enhance public confidence in the stability of the UK financial system; (4) to protect public funds; (5) to protect depositors and investors falling within an EU protection scheme; (6) to protect client assets; and (7) to avoid interfering with property rights in contravention of the ECHR.

  7. h.  The conditions for entry into resolution, which may occur before a firm is balance-sheet insolvent, are (1) a determination has been made that the firm is failing or likely to fail; (2) there is no reasonable prospect that any alternative private sector measures or supervisory action would prevent its failure within a reasonable timeframe; and (3) resolution action is necessary in the public interest.

  8. i.  The authorities’ roles are likely to be:

    1. i.  The prudential supervisor (which may be the PRA or, in the case of most investment firms, the FCA) and the resolution authority (the Bank of England) make the decision to put a firm into the resolution regime, having consulted the Treasury.

    2. ii.  The Bank of England, having consulted the other authorities, decides which of the tools to use and conducts the resolution, in all cases except temporary public ownership and the public equity support tool. The Treasury decides whether to put a firm into temporary public ownership or make a public equity injection, and conducts the resolution in this case, together with the Bank. The Bank must expose 8% of the liabilities of the firm in resolution to loss, before the Treasury can put the firm into temporary public ownership or make a public equity injection.

    3. (p. 305) iii.  The Financial Services Compensation Scheme (FSCS) pays out or funds the transfer of deposits protected by the deposit guarantee scheme, up to a limit of £85,000. Deposits covered by the FSCS are excluded from bail-in and will also be preferred liabilities on any eventual insolvency. The FSCS may also protect investors for losses up to £50,000, subject to amendment.

  9. j.  If the public interest test is met, the Bank of England may use one or more stabilisation tools to meet the resolution objectives by achieving continuity of the critical economic functions provided by the firm. None of the tools may be used before capital has been written down or converted to absorb losses. The stabilisation tools are:

    1. i.  Private sector purchaser—this is used to transfer all or part of a firm’s business, which can include either its shares or its property, to a willing and appropriately-authorised private sector purchaser.

    2. ii.  Bridge bank—this is used to transfer all or part of a firm’s business to a subsidiary of the Bank which meets the relevant conditions for authorisation, pending a future sale or share issuance.

    3. iii.  Bail-in—this is used to absorb the losses of a failed firm, and recapitalise that firm (or its successor) using the firm’s own resources. The claims of shareholders and unsecured creditors are written down and/or converted into equity to restore solvency, in a manner that respects the hierarchy of claims in insolvency.

      For those parts of the firm that do not need to be maintained permanently but may need to be wound down in a measured way, there are two tools introduced by the BRRD that can be used only in conjunction with one or more stabilisation tools. These are:

    1. i.  Asset separation tool—this is used to allow assets and liabilities of the failed firm to be transferred to and managed by a separate asset management vehicle, with a view to maximising their value through an eventual sale or orderly wind-down.

    2. ii.  Bank (or building society) administration procedure—this is used to put the part of a failed firm that is not transferred to the bridge or private sector purchaser (known as the residual bank) into administration. The priority of the administrator is to ensure that the residual bank continues to provide necessary services (for example, IT infrastructure, or mortgage servicing) to the new owner of any transferred business until permanent arrangements for those services can be put in place. Once this priority has been discharged, normal administration follows. Where a firm has client assets, the residual firm may be placed into a special administration (bank administration) procedure, which combines bank administration and special administration. In this procedure, the objectives of bank administration are given precedence over the objectives of special administration.

  11. k.  The three phases to any resolution are likely to be:

    1. i.  stabilisation phase, in which the provision of critical economic functions is assured, either through transfer to a solvent third party or through bail-in to recapitalise the failed firm;

    2. ii.  restructuring phase, during which any necessary changes are made to the structure and business model of the whole firm or its constituent parts to address the causes of failure; and

    3. iii.  exit from resolution, where the Bank’s involvement as a resolution authority in the failed firm has concluded.

  12. l.  In order for the stabilisation tools to be effective, it must be possible for the Bank to use them without triggering disorderly termination of the firm’s existing contracts. (p. 306) Counterparties to financial contracts entered into by the failing firm should not be able to exercise rights to terminate their contracts. A firm’s entry into resolution does not, by itself, trigger contractual early termination rights or other events of default. The Bank of England can suspend payment and delivery obligations and other termination rights for a short period to facilitate bail-in or the transfer of contracts to a solvent purchaser or bridge bank.109

VIII.  Ring Fencing

A.  Introduction

8.50  Following recommendations made by the Independent Commission on Banking, chaired by Sir John Vickers, the Financial Services (Banking Reform) Act 2013 enables the ring-fencing of core banking services in the UK from activities associated with trading and financial interconnectedness to ensure that ring-fenced banks, and groups containing ring-fenced banks (ring-fenced bodies, termed RFBs), can be resolved in an orderly manner with minimal disruption to the provision of core services. The PRA’s general safety and soundness objective has been amended so that, when discharging its general functions in relation to ring-fencing, RFBs and groups containing RFBs, it should seek to:

  1. a.  ensure that the business of RFBs is carried on in a way that avoids any adverse effect on the continuity of the provision in the United Kingdom of core services;

  2. b.  ensure that the business of RFBs is protected from risks that could adversely affect the continuity of the provision in the UK of core services; and

  3. c.  minimise the risk that the failure of an RFB or of a member of its group could affect the continuity of the provision in the UK of core services.

8.51  From 1 January 2019, banks with core deposits greater than £25bn (broadly those from individuals and small businesses) will be required to ring-fence their core activities. All banks that expect to reach the threshold for being subject to ring-fencing requirements by 2019 were required to submit a preliminary plan of their expected legal and operating structures to the PRA by 31 December 2014.

8.52  Ring fencing is achieved through two groups of statutory provisions: one prohibiting a bank providing core activities from dealing as principal, and a second empowering the regulators to require that a banking group restructures itself to meet regulatory requirements.

B.  Prohibition of certain activities

8.53  To protect the continuity of UK core services, meaning:

  1. a.  facilities for accepting deposits or other payments into an account;

  2. b.  facilities for withdrawing money or making payments from such an account;

  3. c.  overdraft facilities in connection with such an account;

  4. d.  any other services specified by Treasury Order,

(p. 307) the Treasury may make an order directed at a ring-fenced body, which is a UK-incorporated institution (other than a building society or a class of institution exempted by Treasury order) which has a Part 4A permission to carry on a core activity, meaning:

  1. a.  accepting deposits (save as stated in a Treasury order);

  2. b.  any other regulated activity specified in a Treasury order where interruption could adversely affect UK financial stability,

which prohibits it from entering into specified transactions, or transactions with a specified class of persons; from establishing or maintaining a branch in a specified territory; or from holding shares or voting power in companies of a specified description (sections 142A to 142C and 142E FSMA). The principal orders made in relation to ring-fencing require to be approved by the resolution of each House of Parliament, although there are exceptions in case of urgency (section 142Z FSMA).

8.54  The regulated activity of dealing in investments as principal, in the UK or otherwise, is an excluded activity save as specified by Treasury order, and the Treasury may also designate other activities, whether or not regulated, as excluded activities when necessary to protect the continuity of core services (section 142D FSMA). The appropriate regulator (the PRA in relation to persons whom it authorises, and otherwise the FCA) is required to make rules implementing these provisions, and to review them at least every five years and publish a report (sections 142F, 142H to 142J FSMA).

8.55  A ring-fenced body that carries on, or purports to carry on, an excluded activity or which contravenes a prohibition is deemed to have contravened a regulatory requirement. Contravention is not, however, an offence, does not make the transaction void or unenforceable, and is only actionable as breach of statutory duty by a person who suffers loss when specified by Treasury order (section 142G FSMA).110

8.56  The PRA considers the principal objective of ring-fencing is to restrict the business of an RFB and so limit its exposure to group and global risks in order to improve its resilience and reduce the likelihood of disruption to the core services it provides. A further objective is to simplify group structures by more closely aligning business lines with legal entities. The three elements to this are proposed to be:

  1. a.  Legal structure—the PRA expects that an RFB will not have an ownership interest in any entity which undertakes excluded or prohibited activities (an excluded entity), and that an excluded entity will not have an ownership interest in an RFB. An RFB may in principle own entities that do not carry on excluded activities, and the parent of an RFB may carry on excluded activities. However, where a group contains both an RFB and an excluded entity, the expectation is that they will be structured as separate clusters of subsidiaries beneath a UK holding company.

  2. b.  Governance—the PRA expects that an RFB will have sufficiently independent governance, and in particular:

    1. i.  can take decisions independently of other group members;

    2. (p. 308) ii.  has a sufficiently independent chair and board and its own risk, audit and other board committees;

    3. iii.  has sufficient representation on the parent’s board;

    4. iv.  can manage group conflicts and competing interests, and also those faced by senior management;

    5. v.  has adequate risk and internal audit functions;

    6. vi.  has remuneration policies consistent with its own rather than group interests;

    7. vii.  does not depend on personnel who will cease to be available if another group member becomes insolvent.

  3. c.  Continuity of services and facilities—an RFB may form a subgroup with other group entities not performing excluded activities and may receive shared services and facilities from them provided default cannot disrupt the RFB’s conduct of its core activities.111

C.  Group restructuring powers

8.57  Where a ring-fenced body (RFB) is a member of a group and the appropriate regulator (the PRA where it authorises the ring-fenced body, but otherwise the FCA) considers that one or more of the following conditions is met (section 142K FSMA):

  1. a.  RFB’s carrying on of a core activity is being adversely affected by the acts or omissions of other group members (GMs);

  2. b.  RFB cannot take decisions independently of other GMs when carrying on its business;

  3. c.  RFB depends on resources provided by another GM that would be unavailable on GM’s insolvency;

  4. d.  RFB would be unable to carry on core activities if a GM became insolvent;

  5. e.  either RFB or a GM has engaged or is engaging in conduct having or likely to have an adverse effect on the appropriate regulator’s objective of protecting the continuity of UK core services;

it may, provided they have not been exercised in relation to the same person within the two preceding years, exercise group restructuring powers to do the following. Where the appropriate regulator is the PRA it may:

  1. a.  require an RFB to dispose of specified property or rights to an outside person (meaning a person who will not be a member of RFB’s group—OP); to apply to the court for a Part 7 order sanctioning the transfer of all or part of its business to OP; or otherwise to discharge it from specified liabilities (section 142L(5) and (7) FSMA);

  2. b.  require a PRA-authorised person that is a member of RFB’s group to dispose of shares in or securities of RFB to OP; to apply to the court for a Part 7 order sanctioning the transfer of all or part of its or a qualifying parent undertaking’s business to OP; to dispose of any interest in another body corporate that is a member of RFB’s group to OP; or to dispose of other rights or property to OP. An RFB’s parent undertaking is a qualifying parent undertaking if it is a non-authorised body corporate both incorporated and with a place of business in the UK (section 142L(4), (6) and (7) FSMA);

  3. c.  direct the FCA to require a non PRA-authorised member of RFB’s group to take any step in (b);

  4. d.  direct a qualifying parent undertaking to take any step in (b) (section 142L(2) FSMA).

(p. 309) 8.58  Where the appropriate regulator is the FCA, it may:

  1. a.  require RFB to take any step mentioned in (a);

  2. b.  require a non PRA-authorised person that is a member of RFB’s group to take any step mentioned in (b);

  3. c.  direct the PRA to require a PRA-authorised member of RFB’s group to take any step in (b);

  4. d.  direct a qualifying parent undertaking to take any step in (b) (section 142L (3) FSMA).

8.59  A requirement need not be one that either regulator could have imposed under sections 55L or M (section 142L (8) FSMA).

8.60  The procedure for the exercise of a group restructuring power is as follows:

  1. a.  If the regulator proposes to exercise the power in relation to an authorised person or qualifying parent undertaking (a person concerned), it must give that person, the ring-fenced body (if different) and any other authorised person it considers likely to be significantly affected (together, relevant persons) a reasoned preliminary notice specifying a period of at least fourteen days in which to make representations, and copy the notice to the Treasury (section 142M FSMA).

  2. b.  If the regulator:

    1. i.  having considered any representations, still proposes to exercise the power, it must give each relevant person a warning notice approved by the Treasury between three and six months after the end of the period for making representations. The action contained in the warning notice may differ from that in the preliminary notice to reflect the regulator’s view of changing circumstances or action taken by the person concerned;

    2. ii.  decides not to exercise the power, it must within the same period give each relevant person a written notice, copied to the Treasury, so advising them.

  3. c.  If the regulator decides to exercise the power it must give each relevant person a decision notice, specifying by when the specified action is to be completed (section 142N FSMA).

  4. d.  A relevant person aggrieved by the imposition of a requirement or a direction may refer the matter to the Tribunal (section 142O FSMA).

8.61  The person concerned may at any time apply for the variation of a requirement or direction, which is treated as an application for the variation of a requirement imposed by the regulator. The regulator may also vary a requirement or direction with that person’s consent (section 142P FSMA). Where the exercise of the power relates to a direction given by one regulator to the other, they must consult before issuing a notice or making a variation (section 142Q FSMA).

8.62  A regulator may not exercise its powers to impose requirements (sections 55L and 55M FSMA) or to direct a qualifying parent undertaking (section 192C FSMA) in relation to a ring-fenced body that is a member of a mixed group or its parent undertaking to achieve the result that either:

  1. a.  no existing group member is a parent undertaking of the ring-fenced body;

  2. b.  the ring-fenced body is not a member of a mixed group (section 142R FSMA).

(p. 310) 8.63  If a regulator is satisfied that a person who is or has been a qualifying parent undertaking (QPU) has contravened a requirement made under section 142L it may impose a penalty (in accordance with its published statement of policy) on the QPU and any person knowingly concerned in the contravention or, alternatively, publish a statement of censure. If a regulator proposes to take this action it must issue a warning notice within three years of knowing of the contravention; on deciding to take the action it must issue a decision notice which the person may refer to the Tribunal (sections 142S to 142V FSMA).

D.  Further powers

8.64  The Treasury may issue regulations requiring a ring-fenced body to limit its pension liabilities (sections 142W and 142X FSMA). The Treasury may also by order provide that a regulator may require a ring-fenced body, a body corporate with the Part 4A permission of accepting deposits, or a body corporate that is the member of the group of either, to issue a debt instrument or ensure that its debt has stated characteristics (section 142Y FSMA).

Footnotes:

1  Bank of England/FSA: The Bank of England, Prudential Regulation Authority: The PRA’s approach to banking supervision and Bank of England/FSA: The Bank of England, Prudential Regulation Authority: The PRA’s approach to insurance supervision (October 2012).

2  Journey to the FCA (October 2012).

3  FCA: Speech by Nausicaa Delfas. Overview of the FCA prudential approach (FCA Prudential Supervision forum, 21 May 2015).

4  FSB: Increasing the intensity and effectiveness of supervision (November 2013).

5  Parliamentary Commission on Banking Standards: Changing Banking for Good vol 1 June 2013; Banking Standards Review (May 2014).

6  PRA: Statement of policy: The use of PRA powers to address serious failings in the culture of firms (June 2014).

7  Speech by Martin Wheatley: The commercial importance of culture to industry (FCA Enforcement Conference, 2 December 2014).

8  Speech by Martin Wheatley: The incentivisation of sales staff—are consumers getting a fair deal? (Thomson Reuters, 5 September 2012); FSA Guidance Consultation: Risks to customers from financial incentives (December 2012).

9  Speech by Clive Adamson: The importance of culture in driving behaviours of firms and how the FCA will assess this (CFA Society—UK Professionalism Conference, 19 April 2013).

10  FSB: Increasing the intensity and effectiveness of supervision (November 2013).

11  Final Notice: Chartertrack Financial Services (9 July 2003).

12  Final Notice: Square Mile Securities (10 January 2008).

13  Final Notice: Pacific Continental Securities (UK) (27 January 2009).

14  Final Notice: Gracechurch Investments Limited (20 December 2012).

15  Final Notices: Christopher Riches (5 June 2012) (also breached PRIN 11); Gurpreet Singh Chadda (19 June 2013).

16  Final Notice: Deutsche Bank AG (23 April 2015).

17  Final Notice: Pacific Continental Securities (UK) (27 January 2009).

18  Final Notice: Gracechurch Investments Limited (20 December 2012).

19  Final Notice: Gurpreet Singh Chadda (19 June 2013).

20  Final Notices: Square Mile Securities (10 January 2008); Pacific Continental Securities (UK) (27 January 2009); Gracechurch Investments Limited (20 December 2012).

21  Final Notice: Sedley Richard Laurence Voulters (13 December 2010).

22  Final Notice: Catalyst Investment Group (30 September 2013).

23  Decision Notice: Arch Financial Products (14 September 2012).

24  Final Notice: Gracechurch Investments Limited (20 December 2012).

25  Final Notice: Gracechurch Investments Limited (20 December 2012).

26  Final Notice: Christopher Riches (5 June 2012).

27  FCA Attestations (13 February 2015).

28  Final Notice: The Underwriter Insurance Company Limited (29 November 2004).

29  Final Notice: Christopher Riches (5 June 2012) (also breached PRIN 1).

30  Final Notice: Towry Investment Management Limited (14 September 2011).

31  Final Notice: Pacific Continental Securities (UK) (27 January 2009).

32  Final Notice: Towry Investment Management Limited (14 September 2011).

33  Final Notice: J P Morgan Chase Bank NA (18 September 2013).

34  Final Notice: Guardian Assurance Plc (9 January 2006).

35  Final Notice: Carphone Warehouse (5 September 2006).

36  Final Notice: Goldman Sachs International (9 September 2010).

37  Final Notice: Forex Capital Markets; FXCM Securities Limited (24 February 2014).

38  Final Notice: Prudential Assurance Company (27 March 2013).

39  Final Notice: The Co-Operative Bank plc (10 August 2015).

40  FCA TR 13/10: Outsourcing in the Asset Management Industry: Thematic Project Findings Report (November 2013).

41  Final Notices: Square Mile Securities (January 2008); Credit Suisse International and Credit Suisse Securities (Europe) (August 2008); Morgan Stanley and Co International (May 2009); Combined Insurance Company of America (December 2011); Homeserve Membership (February 2014); Stonebridge International Insurance (August 2014).

42  Final Notice: State Street Bank Europe Limited (20 January 2014).

43  Final Notice: Scottish Equitable plc (15 December 2010).

44  Final Notices: Barclays Bank plc (27 June 2012) (also PRIN 2); Royal Bank of Scotland Plc (6 February 2013).

45  Final Notice: Bank of Scotland (19 October 2012).

46  Final Notice: Scottish Equitable plc (15 December 2010).

47  Final Notice: Bank of Scotland (9 March 2012).

48  Final Notices: Kyte Group Limited (21 August 2006); ActivTrades plc (15 March 2011); Integrated Financial Arrangements plc (5 December 2011); Xcap Securities PLC (31 May 2013); Aberdeen Asset Managers Limited (2 September 2013).

49  Final Notices: Friends Provident Life and Pensions (15 December 2003); Royal Bank of Scotland/National Westminster Bank (11 January 2011); Bank of Scotland (23 May 2011); Lloyds TSB Bank plc (15 February 2013); Policy Administration Services (1 July 2013).

50  Final Notices: Carr Sheppards Crosthwaite Limited (19 May 2004); Carphone Warehouse Limited (5 September 2006) (also PRIN 2); General Reinsurance UK Limited (21 November 2006) (also PRIN 2); Thinc Group (15 May 2008); UBS AG (5 August 2009) (also PRIN 2); Barclays Capital Securities/Barclays Bank (19 August 2009) (also PRIN 2); Nomura International Plc (16 November 2009) (also PRIN 2); RSM Tenon Financial Services (24 February 2010); Hythe Securities Limited (14 April 2010); Close Investments Limited (4 June 2010); City Index Limited (20 January 2011) (also PRIN 2); Rockingham Independent Limited (15 August 2011); Christchurch Investment Limited (29 March 2012); UBS AG (25 November 2012) (also PRIN 2); Swinton Group (16 July 2013); J P Morgan Chase Bank NA (18 September 2013) (also PRIN 2); State Street Bank Europe Limited (20 January 2014).

51  Final Notices: Nationwide Building Society (14 February 2007); HSBC Actuaries and Consultants; HSBC Life and HSBC Insurance Brokers (17 July 2009).

52  Final Notice: Rockingham Independent Limited (15 August 2011).

53  Final Notice: Coutts and Co (23 March 2012).

54  Final Notice: BNP Paribas Private Bank SA (10 May 2007).

55  Final Notice: Norwich Union Life (17 December 2007).

56  Final Notice: Sedley Richard Laurence Voulters (13 December 2010).

57  Final Notices: Chase de Vere Financial Solutions Plc (17 December 2003); Standard Life Assurance (20 January 2010); Cricket Hill Financial Planning Limited (16 February 2011).

58  Final Notices: Combined Insurance Company of America (16 December 2011); Mitsui Sumitomo Insurance Company (Europe) Limited (8 May 2012); Sun Life Assurance Company of Canada (UK) Limited (18 October 2012).

59  Final Notice: Carphone Warehouse Limited (5 September 2006) (also PRIN 2).

60  Final Notices: Specialist Solutions plc (14 April 2011); Rockingham Independent Limited (15 August 2011).

61  Final Notice: General Re UK Limited (21 November 2006) (also PRIN 2).

62  Final Notices: Toronto Dominion Bank (16 November 2007); Morgan Stanley and Co (13 May 2009) (also PRIN 2); Nomura International Plc (16 November 2009) (also PRIN 2); Toronto Dominion Bank (15 December 2009) (also PRIN 2).

63  Final Notice: Credit Suisse (13 August 2008) (also PRIN 2).

64  Final Notice: UBS AG (5 August 2009) (also PRIN 2).

65  Final Notices: General Re UK Limited (21 November 2006) (also PRIN 2); General Re UK Limited (21 November 2006) (also PRIN 2); Hythe Securities Limited (14 April 2010); Martin Currie Investment Management Limited (2 May 2012) (also PRIN 2); State Street Bank Europe Limited (20 January 2014).

66  Final Notice: Mitsui Sumitomo Insurance Company (Europe) Limited (8 May 2012).

67  Final Notice: Homeserve Membership Limited (12 February 2014).

68  Final Notice: Citigroup Global Markets Limited (28 June 2005).

69  Final Notice: UBS AG (5 August 2009) (also PRIN 2).

70  Final Notices: Falcon Securities (UK) Limited (29 January 2010); Sesame Limited (5 June 2013); Stonebridge International Insurance Limited (7 August 2014).

71  Final Notice: Capita Financial Managers Limited (13 November 2012) (also PRIN 2).

72  Final Notice: Carphone Warehouse Limited (5 September 2006) (also PRIN 2).

73  Final Notices: Thinc Group (15 May 2008); Hythe Securities Limited (14 April 2010).

74  Final Notices: Hythe Securities Limited (14 April 2010); Combined Insurance Company of America (16 December 2011); Lloyds TSB Bank/Bank of Scotland (10 December 2013); Homeserve Membership Limited (12 February 2014).

75  Final Notices: Thinc Group (15 May 2008); RSM Tenon Financial Services (24 February 2010); Cricket Hill Financial Planning Limited (16 February 2011); Credit Suisse (UK) Limited (25 October 2011); Combined Insurance Company of America (16 December 2011); Savoy Investment Management (12 November 2012); J P Morgan International Bank Limited (10 May 2013); Sesame Limited (5 June 2013).

76  Final Notice: Invesco Asset Management Limited (24 April 2014).

77  Final Notices: Hythe Securities Limited (14 April 2010); Combined Insurance Company of America (16 December 2011).

78  Final Notices: City Index Limited (20 January 2011) (also PRIN 2); Royal Bank of Scotland Plc (16 July 2013).

79  Final Notice: DBUK Bank (15 December 2010).

80  Final Notice: Citigroup Global Markets Limited (28 June 2005).

81  Final Notice: Deutsche Bank AG (10 April 2006).

82  Final Notices: Credit Suisse (13 August 2008) (also PRIN 3); Morgan Stanley and Co (13 May 2009) (also PRIN 3).

83  Final Notices: UBS AG (25 November 2012) (also PRIN 3); J P Morgan Chase Bank NA (18 September 2013) (also PRIN 3).

84  Final Notice: Barclays Bank plc (27 June 2012) (also PRIN 3).

85  Final Notice: UBS AG (25 November 2012) (also PRIN 3).

86  Final Notice: UK Insurance Limited (17 January 2012).

87  Final Notice: Royal Bank of Scotland plc/National Westminster Bank plc (27 August 2014).

88  Final Notices: Friends Provident Life and Pensions (15 December 2003); Guardian Assurance plc (9 January 2006).

89  Final Notices: Rowan Dartington and Co Ltd (4 June 2010); City Index Limited (20 January 2011) (also PRIN 3).

90  Final Notice: Santander UK plc (16 February 2012).

91  Final Notice: Martin Currie Investment Management Limited (2 May 2012) (also PRIN 3).

92  A review of corporate governance in UK banks and other financial industry entities (July 2009).

93  See, for example, BaFIN Circular: Minimum requirements for risk management in insurance undertakings (May 2009); IAIS/OECD Issues Paper on Corporate Governance (July 2009); EBA Guidelines on Internal Governance (September 2011).

94  BIS: Consultative document—Guidelines: Corporate governance principles for banks (October 2014).

95  Senior Supervisors Group: Observations on Risk Management Practices during the Recent Market Turbulence (March 2008).

96  For example FSA: Dear CEO Letter Good practice in managing compliance risk in major investment banks (July 2007); FSA: Lessons from the Soc Gen Rogue Trader (Market Watch Issue 25) (March 2008); FSA: Asset and Liability Management (January 2011); FCA TR 13/8 The governance of unit linked funds (October 2013).

97  Final Notice: Scottish Equitable plc (15 December 2010).

98  Final Notice: Combined Insurance Company of America (16 December 2011).

99  Final Notice: Mitsui Sumitomo Insurance Company (Europe) Ltd (8 May 2012).

100  Final Notice: Lloyds TSB Bank Plc, Lloyds TSB Scotland Plc and Bank of Scotland plc (15 February 2013).

101  Final Notice: Sun Life Assurance Company of Canada (UK) Limited (18 October 2012).

102  Final Notices: Card Protection Plan Limited (14 November 2012); The Royal Bank of Scotland plc/National Westminster Bank Plc (27 August 2014).

103  Final Notice: Stonebridge International Insurance Limited (7 August 2014).

104  For example the Internal Governance chapters and Supervisory Statement 21/15.

105  PRA: CP1/15: Assessing capital adequacy under Pillar 2 and Draft supervisory statement The Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process (SREP) (January 2015).

106  PRA: SS 18/3 Recovery Planning.

107  PRA: Supervisory Statement SS19/13: Resolution planning (updated January 2015).

108  PRA: Supervisory Statement SS18/13: Recovery planning (updated January 2015).

109  PRA: CP13/14: Implementing the Bank Recovery and Resolution Directive (July 2014); FCA: CP14/15: Recovery and Resolution Directive (August 2014); HM Treasury: Transposition of the Bank Recovery and Resolution Directive (July 2014); The Bank of England’s approach to resolution (October 2014).

110  Treasury Orders referred to in sections 142A to 142G FSMA are: Financial Services and Markets Act 2000 (Ring-fenced Bodies and Core Activities) Order 2014 (SI 2014/1960); and Financial Services and Markets Act 2000 (Excluded Activities and Prohibitions) Order 2014 (SI 2014/2080).

111  PRA: CP19/14: The implementation of ring-fencing: consultation on legal structure, governance and the continuity of services and facilities (October 2014).