Credit & Prudential Regulation

Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

2.1. Changing Regulatory Landscape—Post Brexit Transition and Beyond

Why is it important?

While the UK remains committed to upholding international financial regulatory standards, it is looking to diverge from the EU’s approach to a number of important prudential regulations including the Capital Requirements Directive/Capital Requirements Regulation (CRD/CRR), Solvency II and the Investment Firm Directive/Investment Firm Regulation (IFD/IFR). Prudential regulation continues to be amended/updated with the Prudential Regulation Authority (PRA) publishing their take on the EU’s CRR/CRD legislation. The EU retained legislation has been brought into UK law via Her Majesty’s Treasury (HMT), and the PRA will be taking the lead on updates from now on. This will result in divergences across international banking firms, as well as UK-specific banking firms, in relation to which the UK is seeking to adopt more proportionate prudential rules for smaller banks. The UK’s new prudential regime for investment firms may also differ from the EU’s.

What’s new?

  • It is likely that the UK’s adoption of Basel 3.1 will now proceed differently given that the UK has left the EU, with the PRA having greater discretion on how best to calibrate the framework in the UK with the Financial Services Bill nearing finalisation. It is expected that the PRA will consult on this later this year.
  • Whilst some regulation has already been published, such as the PRA’s policy statements 26/20 and 29/20 on Capital Requirement Directive V (CRD V), not all regulatory reform in relation to EU/UK divergence has yet been published or is yet in force. CRD V rules, such as those on interest rate risk in the banking book (IRRBB), come into force on 1 January 2022.
  • The CRR “quick fix” package came into force in the EU ahead of the CRR being retained in UK law from 28 December 2020, when the transition period had nearly ended, and as such the updates have also been retained by the UK. The PRA intends to reverse some of these amendments, including the capital treatment of software assets.
  • In July 2021, the PRA published policy on implementing Basel standards which includes near final rules for the UK’s application of CRR II planned to come into effect from 1 January 2022 (a PRA designated delay of 6 months after the EU implementation date of 28 June 2021).
  • Also in July 2021 the Bank of England published a consultation paper reflecting the second stage of the Bank’s Minimum Requirement for own funds and Eligible Liabilities (MREL) review (after the first stage discussion paper released in December 2020). The key areas of consultation are in relation to the Bank’s proposed revisions to its approach to: setting resolution strategy thresholds and the calibration of MREL within those thresholds, MREL eligibility, and intragroup MREL issues. The Bank’s intention is for a revised MREL Statement of Policy to be published by end of 2021 to apply from January 2022.
  • In April 2021, the PRA published a discussion paper on creating a “strong and simple” capital framework for smaller, non-systemic banks, in line with its adherence to Basel Committee on Banking Supervision (BCBS) standards. It is expected that a summary of the comments provided in response to this paper will be published in the final quarter of 2021.
  • Further consultations are expected in 2021 by the Bank of England’s Prudential Regulation Committee (PRC) and Financial Policy Committee (FPC) to review the UK leverage ratio framework, and by the PRA on changes to the ‘PRA110—Cash Flow Mismatch’ reporting template.
  • There is also potential for further divergence going forwards as the EU and UK operate independently. An example of this is operational resilience, where the UK is taking its own approach and the EU is introducing the Digital Operational Resilience Act (DORA).

What should Internal Audit be doing?

Internal Audit should be focusing on governance over the changing regulatory landscape, and ensure due consideration is given to proposals for future change. In addition, Internal Audit should also review how regulatory changes are approached and implemented to ensure adherence in an accurate and timely manner. These key themes should feature in the following key areas of audit focus:

Horizon scanning:
Firms will need robust horizon scanning practices and associated analyses to closely monitor EU/UK divergence, and development of UK specific regulations. Given the time and resource required to adequately assess any divergence in regulatory guidance, and new UK specific guidance, Internal Audit should assess the ability of First and Second Lines of Defence to do this in a timely and effective manner.

Compliance framework:
Internal Audit should review firms' regulatory compliance frameworks to ensure that existing assumptions and interpretations are fit for purpose, and that any changing regulatory guidance is fully embedded in time for implementation deadlines. This is particularly pertinent for changes from CRR II and wider Basel guidance that the PRA has recently published in policy statement 17/21 as near final rules.

Risk appetite and regulatory monitoring:
Impending changes to regulation should be socialised internally via management information packs so that their impacts are understood in a timely fashion. Internal Audit should review the management information covering the impacts of anticipated regulatory change and consider any changes to risk appetite that may need to be considered as a result. For example, firms should consider the impacts of Basel 3.1 to ensure that any changes to capital requirements are covered by existing capital resources or plans to increase capital resources.

Scenario analysis:
In addition to regular monitoring, typically of key headline metrics, more detailed impact analysis should be considered not only within business-as-usual assumptions, but also within scenario analyses. As such, Internal Audit should review the extent to which regulatory change has been considered within key scenario analyses such as the Internal Capital Adequacy Assessment Process (ICAAP), Internal Liquidity Adequacy Assessment Process (ILAAP), Recovery Planning and Reverse Stress Testing; and review the appropriateness of any contingency plans to mitigate the impact of these. Furthermore, any changes identified should be fed into strategic planning activities with the approach being reviewed by Internal Audit as part of assurance activity.

Key contacts: Kenny Wong and Laura Ellis

2.2. Resolution Planning and Resolvability

Why is it important?

The UK resolution regime for Banks and Building Societies has been developed over a number of years since the global financial crisis. Under this regime, the Bank of England is the UK’s resolution authority responsible for taking action to manage the failure of financial institutions in the banking sector, including the development of the appropriate resolution strategy for each firm.

Large and mid-tier Banks and Building Societies must have the capabilities necessary to support their resolution, carried out under a resolution strategy determined for them by the Bank of England, which is assessed under a new Resolution Assessment Framework (RAF). Per the RAF’s three main components:

  • Firms’ capabilities must be able to deliver resolvability outcomes necessary to support resolution. These outcomes are supported by Statements of Policy that set out the objectives and principles that firms are expected to meet in order to avoid a determination that they have insufficient capabilities and arrangements to remove identified barriers to resolvability;
  • Certain firms must perform an assessment of their preparations for resolution, in which they should identify any risks to successful resolution and the plans in place to address them, submit a report of that assessment, and publish a summary of their most recent report (public disclosure); and
  • The Bank of England plans to make a public statement concerning the resolvability of each firm in scope of the new Resolution Assessment Part of the Prudential Regulation Authority (PRA) Rulebook.

Firms which are expected to be resolved through a bank insolvency process are not assessed under the RAF; however, they must still ensure that they are resolvable under this mechanism, including having available a robust ‘single customer view’ of deposits.

What’s new?

Under the RAF, firms are expected to apply their own arrangements to ensure that they have the necessary measures and capabilities in place to support resolvability. This includes testing and review of capabilities and arrangements to assess whether they operate as expected, applying a suitably rigorous method and an appropriate level of expertise, independence and senior Management engagement.

Large UK Banks and Building Societies must comply with resolvability requirements by 1 January 2022, after submitting a report to the PRA on their self-assessment of resolvability by 4 October 2021, and thereafter on a two-year cycle or otherwise as required by the Regulator.

Mid-tier Banks must comply with resolvability requirements by 1 January 2023.

What should Internal Audit be doing?

Internal Audit teams will have been involved in the testing and review of their firm’s resolution capabilities, given the long lead in time for firms to develop and implement their arrangements. Similarly, there is strong overlap between recovery planning and certain resolvability areas where some synergies can be found: ‘funding in resolution’; ‘restructuring planning’; and ‘management, governance and communication’.

  • In the immediate period up to the submission of the first report of self-assessment of resolvability by 4 October 2021, Internal Audit will be involved in testing and assurance of their firms’ resolution capabilities to support the self-assessment. This should include consideration of any underlying challenges from the regulation still to be addressed.
  • Thereafter, Internal Audit should consider whether their testing and assurance approach to resolvability assessment adequately covers ongoing reporting requirements, specific deficiencies and barriers to resolvability identified by their firm or by the Regulator, and is properly resourced in view of the scale and nature of work involved.
  • Following the first self-assessment report, firms should address any deficiencies and barriers to resolvability identified and establish a framework for continuous improvement and monitoring of their resolution capabilities. Internal Audit should review the firm’s continuous improvement and monitoring plan to ensure it remains fit for purpose.

Key contacts: Alex Brown and Steve Goodlud

2.3. Recovery Planning

Why is it important?

In previous years and since the release of the Prudential Regulation Authority’s (PRA’s) Supervisory Statement SS9/17—“Recovery Planning” in 2017, there has been a strong regulatory focus on firms to enhance Recovery Plans and the scenarios modelled within. Most firms based their stresses on iterations of macro-economic scenarios provided by the Bank of England, adverse impacts of Brexit and / or idiosyncratic impacts of an event which impacts the firm’s reputation such as operational disruption which threatens business viability. On this last example, there may be synergies to be gained from work being done by firms on operational resilience.

The COVID-19 pandemic presented a different dimension of stress, with potential rapid asset quality, liquidity and capital impacts, and the ability of a firm’s Recovery Plan to track a deterioration in the business as usual (BAU) environment has been of particular interest across the market.

Firms’ Recovery Plan indicator frameworks are now brought back into sharp focus, especially as a number of asset quality metrics are directly impacted by the COVID-19 pandemic (such as arrears and provisions).

What’s new?

The following changes were made to the PRA’s approach to Recovery Planning requirements in December 2020 when the Supervisory Statement SS9/17 was updated:

  • Firms should consider options available to raise liquidity by encumbering assets in each stress scenario, noting the impact of such asset encumbrance on Recovery Planning as a whole; and
  • Simplified obligations have been introduced for eligible firms, which reduces the number of scenarios to two, as well as re-affirming proportionality in that such firms need not submit the Recovery Plan Information Template.

Whilst these are relatively minor changes, they require new thinking from firms around what scenario testing should include, and what the impacts of asset encumbrance are on Recovery Planning. Furthermore, the impact and response to the COVID-19 pandemic should bring out practical adjustments and enhancements to a firm’s Recovery Plan, especially in an environment where operational changes (such as working remotely or an increase in collections activity) are running alongside this.

What should Internal Audit be doing?

Continued scrutiny remains on firms with regard to the quality of their Recovery Plans. With the COVID-19 pandemic and a focus on how firms are identifying changes in the BAU risk environment, the areas of concern highlighted in the PRA’s Dear CEO letter in October 2018 are still very relevant.

Internal Audit should assess whether the quality of Recovery Planning continues to be enhanced and that the practical learnings and ongoing response to COVID-19 are embedded.

Internal Audit should also consider whether their assurance approach to Recovery Planning includes coverage of the following typical issues identified in firms’ Recovery Plans:

  • Indicators included in the Recovery Plan are not broad enough to allow for identification of potential financial risk. Furthermore, the metrics are not calibrated to a suitable level to allow Management to respond in a timely fashion;
  • Recovery options provide little to no benefit (i.e. an increase to resources, or reduction in requirements) to the capital and liquidity position of the firm;
  • Scenario testing is focused on too few risks and does not always capture the key risks that the firm faces;
  • Dependencies between recovery options, as well as the dependencies the options have operationally and during stress scenario events, are analysed at a high level and not in sufficient detail, potentially reducing the usability of options; and
  • Invocation of the Recovery Plan and the practicalities of actually implementing the Plan are not clear, and have not been properly tested through Fire Drilling of the Recovery Plan.

Key contacts: Alex Brown and Steve Goodlud

2.4. Stress Testing

Why is it important?

Stress testing continues to be a significant tool for firms to use in risk management practices, and this is heightened amidst the unfolding of the COVID-19 pandemic (specifically in relation to the payment deferrals that have occurred) and also with the climate change agenda continuing to be a huge focus for the regulatory bodies. Whilst stress testing is still routinely used to directly inform firms’ capital and liquidity holdings, it is being increasingly used for a breadth of exercises including business model viability, enhanced understanding of risk drivers, and developing understanding of new risks such as those posed by climate related events. Regulatory bodies continue to assess firms’ stress testing capabilities and outputs using the Bank of England prescribed Annual Concurrent Stress (ACS, termed the ‘solvency stress’) for 2021, as well as exploring the capabilities and outputs from new areas such as that covered by the Biennial Exploratory Scenario (BES) which focused on financial risks from climate change. The Bank of England’s Dear CEO letter on managing climate-related financial risk clarified the expectations of firms by stating ‘Firms should have fully embedded their approaches to managing climate-related financial risks by the end of 2021’, which incorporates climate-related scenario analysis. More detailed guidance for new and growing Banks includes expectations on stress testing that help prepare for downside risks and embed the learnings in business decision-making.

What’s new?

The Prudential Regulation Authority (PRA) have previously published requirements for Internal Capital Adequacy Assessment Processes (ICAAPs) for climate-related risks but have since stated the expectation for these to be fully embedded by 31 December 2021. Whilst the Bank of England’s BES published in 2019 prescribed climate related scenarios, this exercise was paused due to the COVID-19 pandemic and has been restarted with an updated position for 2021. This update included variable paths out to 2050 and data templates for submissions for those participating in the exercise. The results from the BES are expected to be published in due course and will be a useful insight into the potential quantitative impacts of climate related financial risks which have so far been limited to mainly qualitative impacts.

The key requirements for scenario analysis for assessing climate related financial risks are:

  • Three scenarios:
    • Early action: orderly transition to achieve a net zero CO₂ emissions economy within ambitious timescales;
    • Late action: disorderly action to achieve net zero CO₂ emissions economy which is unanticipated/sudden and disruptive; and
    • No additional action: minimal action results in a ‘hot house world’ which leads to global warming and an increasingly significant impact from physical risks (see below).
  • Two key risks:
    • Transition Risk: risks associated with the implementation of significant policy and economic changes required to achieve net zero emissions; and
    • Physical risk: risks associated with the impact from higher global temperatures such as extreme weather events, both currently and expected resultant impacts from taking no further policy action.

The Bank of England have published their Annual Cyclical Scenario (ACS) ‘solvency stress’ which reflects a severe adverse scenario based on a starting point of a downturn as a result of the COVID-19 pandemic. In this regard the scenario reflects a ‘double dip’ scenario, and there is a focus on utilisation of capital buffers to withstand the stress. Whilst participation in the ACS is designed for the larger Banks and Building Societies, the scenario published for those not participating in the ACS and for use within ICAAPs, is very similar.

What should Internal Audit be doing?

Internal Audit should continue to focus on key topical areas such as COVID-19 related impacts and climate change. These two key themes should feature in the following key areas of audit focus:

Scenario generation capabilities:
Strong capabilities for projecting outcomes should include a robust base case plan which can be updated in a timely manner to respond to changes in the external environment such as a stress event/scenario. As such, stress testing of base case plans should be commonplace and should include a range of relevant scenarios that can be utilised effectively to consider any required Management response. These capabilities should be developed for new and growing Banks and should be widened to incorporate climate-related risks. Internal Audit should determine the adequacy of the base case plan and the corresponding capacity of the business to respond to stress events/scenarios.

Horizon scanning:
Horizon scanning practices and associated analyses should be performed to understand the impacts given the many recent and expected changes to guidance as a result of Brexit, CRD V, CRR2, Basel 3.1, COVID-19 and climate related risks (see the Regulatory Initiatives Grid—May 2021). Internal Audit should review the adequacy of the horizon scanning framework to ensure it effectively responds to identifiable future events and scenarios.

Risk appetite:
As the regulatory environment changes, and new insights are gained from stress testing analysis, firms need to ensure they are updating and regularly monitoring their risk appetites to ensure adherence to regulatory minima. Internal Audit should review the approach to this updating process and ensure robust monitoring controls are in place.

Models and data:
Internal Audit should continue to review the adequacy of the governance frameworks and processes around data and models that are heavily used to inform day to day planning and stress testing. There should be a focus on the approach to model updates as a result of recent regulatory changes that will impact upon stress testing activities, such as the Pillar 2B assessment as part of the ICAAP.

Key contacts: Kenny Wong and Laura Ellis
