This blog was published on 05 April 2022.
At a glance: Regulators have turned up the heat on banks’ regulatory reporting, just as the breadth and depth of reporting requirements are increasing. Banks with poor data and systems, ineffective governance, insufficiently qualified teams, patchy documentation, or other challenges in the regulatory reporting area need to act now to avoid regulatory action.
Target Audience: Board Audit Committees; CFOs; CROs; Heads of Regulatory Reporting functions
Reading time: 5-7 minutes
Since 2014, UK regulators have fined banks operating in the UK over GBP 300 million for reporting or reporting-related transgressions. These fines have been levied on banks of all types, as shown in the charts below:
In September 2021, the PRA issued a “Dear CEO” letter setting out thematic findings on the quality of UK banks’ regulatory reporting. The letter raised a number of issues and was particularly robust in its tone. You can read our view of its contents here. In a nutshell, the PRA requires banks to apply the same standards of accuracy, oversight and rigour to regulatory reporting that they apply to financial reporting.
So why do so many banks struggle with regulatory reporting – and what can they do to fix it?
The reasons for banks’ challenges with regulatory reporting are several; while there are some common issues across the industry, each bank’s particular circumstances will be specific. For any given bank the historic reasons could be one, some, many or all of the following.
Poor data and infrastructure
Some banks struggle with collating all the data necessary for regulatory reporting, particularly where the data differs from that used in management or financial reporting. This can be the result of several factors, including historic under-investment in regulatory reporting and/or adoption of tactical solutions that are never actually replaced by strategic systems upgrades. Some of the challenges we observe in relation to poor data and infrastructure include:
- Poor source data integrity and/or no data dictionary resulting in incomplete, inaccurate or unreliable inputs and returns.
- Lack of visibility at a senior level of the potential impact of known data issues on the reports.
- Extensive use of Excel spreadsheets/EUCs/other tactical solutions for producing regulatory returns, resulting in increased risk of errors and potential misstatements in individual returns.
Lack of governance and poor controls
Governance of regulatory reporting is often separate from the governance of financial reporting, and the control framework can be designed and held to a different, often lower, standard. This can lead to a number of problems, including:
- Senior management not taking an active role in challenging and approving key regulatory interpretation and mapping assumptions.
- Poorly defined and embedded oversight, accountability and responsibility for preparation and review of returns, regulatory interpretations and controls.
- Absence of formal MI on controls, reconciliations, data quality, validation and analysis.
- Responsibility for approval of reports delegated to individuals with insufficient seniority to drive real change and improvement.
- Management being unable to identify, track and remediate issues or risks with reporting controls.
- Application of manual adjustments to calculations without a sufficient level of review.
- Insufficient evidence of “prevent and detect” controls through the end-to-end process.
- Lack of independent monitoring of the operation and effectiveness of controls.
Lack of resourcing and inconsistent or inappropriate regulatory interpretations
Regulatory reporting is complicated. COREP reporting guidelines, particularly for firms operating in multiple jurisdictions, run to dozens of documents, both binding through RTS and informative through Guidelines. The requirements change frequently, and in many banks the pool of individuals with deep knowledge of both the regulatory requirements and how to complete reports given data and systems constraints is shallow. We see these challenges manifesting in several ways:
- Inaccurate or erroneous interpretations of regulatory requirements, leading to inaccurate regulatory submissions.
- Inconsistent formal governance process for review/challenge and approval of material regulatory interpretations that affect regulatory reporting.
- Ineffective second line coverage of regulatory calculations and reports – both modelled and non-modelled elements.
- No schedule or process to review/refresh regulatory interpretations when regulation changes (e.g. EBA Q&A, new RTS issued).
- Insufficient second line challenge of policy interpretation and application.
- Limited third line assurance activities over regulatory reporting.
- Absence of succession planning to mitigate key-person risk within regulatory reporting teams.
Poor record-keeping can lead to difficult conversations with supervisors if/when they query regulatory returns. Some of the issues we have seen include:
- Out of date/insufficient documentation of systems, processes, ownership and controls. This includes lack of evidence of key preventative and detective controls within the end-to-end production process.
- Lack of documentation of key regulatory interpretations and judgements including governance audit trail.
- Insufficient documentation of oversight, independent challenge and review of regulatory returns.
- Insufficient documentation of report production procedures resulting in heightened key person risk.
In addition to these existing or historic issues, there are impending regulatory reporting challenges that banks face:
The Basel Committee published an updated Pillar 3 framework to accompany the finalisation of the Basel framework. It contains new disclosure requirements for credit, market and operational risks, as well as increased frequencies for some existing Pillar 3 disclosures. Banks will need to incorporate these reporting requirements into their reporting framework as they implement Basel 3.1.
An increasing burden of environmental reporting is being implemented now and over coming years, which will place even greater pressure on banks’ regulatory reporting processes, data and infrastructure. Examples of specific current and impending climate reporting requirements include:
- The EBA’s Pillar 3 requirements for ESG risks, for which the first disclosure reference date is 31 December 2022. These requirements include the Green Asset Ratio (from start-2024) and the Banking Book Taxonomy Alignment Ratio (from mid-2024).
- The requirement for UK companies (including banks) to meet the reporting standards set out by the Taskforce for Climate-related Financial Disclosures. While some may say this straddles the boundary between regulatory and financial reporting, regulators are very interested in the outputs.
In addition, there is considerable pressure on banks to improve the transparency around both their own climate impact and the broader climate impact of their business including that of the customers with whom they have lending or other business relationships. Examples here include:
- The increasing focus by regulators on greenwashing.
- The increasing pressure from investors and customers for banks to demonstrate that they are re-orienting their business to be more environmentally conscious.
Lastly, the PRA has flagged that it expects to undertake further work to determine what climate information may need to be included in banks’ regulatory reporting.
Changes to the reporting regime
Both in the EU and the UK, regulators are designing and implementing changes to the data and infrastructure that underpin regulatory reporting. Although these changes will lead to long-term benefits in terms of consistent data requests, standardisation of reports, and a reduced need for ad hoc data requests, there will be short-to-medium term cost to deliver what regulators expect.
What banks can do to improve their regulatory reporting
The PRA has been clear that it expects banks operating in the UK to make meaningful changes to put regulatory reporting on the same footing as financial reporting. The solution for each bank will be just as individual as the challenges the banks face, but some common considerations are:
- Incorporate regulatory reporting into the agenda of senior executive and board committees and ensure that appropriate governance and oversight is applied.
- Improve the control framework around regulatory reporting, ensuring that controls pick up problems and that those problems are escalated and resolved.
- Increase the pool of people who understand and can run regulatory reports. In some firms only one or two people know how to complete certain regulatory returns – ensure that these key-person risks are understood and rectified.
- Improve the documentation of regulatory reporting, particularly in relation to regulatory interpretations, and the challenge applied to them.
- Improve data and infrastructure for regulatory reporting to meet future regulatory expectations.
- Ensure second and third-line functions have the skills and resources to challenge regulatory reporting functions, processes, interpretations and outputs properly.
One concluding observation: in the UK, the PRA has in recent years made considerable use of its Section 166 power to appoint external parties to review banks’ regulatory reporting approaches and has indicated that it will continue to do so where it feels that banks are not meeting appropriate standards. Management and Boards should act now to ensure they meet regulatory expectations in order to reduce the likelihood of facing the cost and challenge of a Section 166 review.
 Pillar 3 disclosure requirements - updated framework. This has now been incorporated into the online Basel Framework, which can be found here.
 The PRA’s Climate Change Adaptation Report, p. 22