The Prudential Regulation Authority (PRA) recently released a Dear CEO letter concerning the reliability and integrity of regulatory reporting.
The letter reiterates the role of regulatory reporting as a prescribed responsibility under the Senior Managers and Certification Regime (SM&CR), highlighting that accurate returns are the “foundation of effective supervision”.
Firms failing to meet the PRA’s reporting expectations can expect a skilled person review. As such, firms should review their supporting processes and related control frameworks around the production of the various regulatory returns.
The reliability of regulatory returns has been a supervisory priority for some time, with concerns around data accuracy and effective data processing. The latest Dear CEO letter follows two previous ones from the PRA in 2016 and a letter from the FCA in 2018, demonstrating that accurate regulatory reporting is an ongoing issue and appropriate standards are still not being met. The PRA has set out the following expectations for firms to:
Should the PRA commission a skilled person review, it will focus on the COREP framework and related returns (including PRA110) and seek reasonable assurance over their preparation. This will include a review of the associated governance processes and controls, as well as reviewing the information and reasoning behind key judgements.
At the second line of defence, firms should consider the PRA’s terminology and establish consistent definitions for terms such as ‘appropriate quality’, ‘key interpretations and judgements’ and ‘material regulatory reporting errors’. Process maps should be developed to demonstrate how these requirements are met, which can be used by assurance teams and for regulatory examination. Building on this, firms should review their policies, procedures and processes around COREP (and other regulatory returns), establishing the extent to which they are fit for purpose and how effectively they are applied in practice.
The PRA is interested in how judgements in regulatory reports are applied and it seeks assurance over data reliability. Data management is an ongoing challenge and firms should review how their data is captured, cleaned and represented within their regulatory reports. A process should be in place to regularly evaluate how key judgements are reached and to assess their appropriateness. If there is not enough information on which to base these reviews, firms should reassess and update their existing capabilities.
Firms are also expected to have robust processes for identifying and remedying reporting errors, including an error log, which triggers escalation protocols and effective remediation processes.
At the third line, an audit approach should be developed around the PRA’s requirement. This can be standalone or aligned to regular COREP audit work, but either way, it must explicitly demonstrate coverage against PRA expectations. The third line should review the work of the second line, assess the reasonableness of second line interpretations around key terminology and validate the associated governance.
The third line should offer assurance over the design and operating effectiveness of end-to-end regulatory reporting processes, including control frameworks supporting:
Depending on the timing and extent of work required in the second line to improve regulatory reporting, audit functions may assess the appropriateness of remedial activity, including timing, scope and the ability to meet requirements.
While the letter itself contains no new regulation per se, it emphasises the ongoing challenge that firms face around data management, secondary data calculation, ownership and reporting. Data flows typically exist across multiple businesses and infrastructure functions. Managing them involves pan-institutional effort and senior management oversight in order to drive effective inter-departmental collaboration. The need for firms to align their risk and finance data processing and reporting grows stronger. The focus of the letter is limited to regulatory reporting, but the implications are vast, incorporating everything from front office data capture, through BCBS 239 and risk calculations, to accounting disclosures.
The PRA has encouraged firms to seek third party assurance over their regulatory reporting processes, which can include assessment and benchmarking over COREP capabilities, in addition to bespoke reviews. For more information on how to meet the PRA’s reporting expectations, please get in touch.