Regulatory expectations

Governance (including Senior Management and Certification Regime) assessments

Key points

Why is this topic important?

Having the proper governance arrangements and practices is crucial for the long-term performance and sustainability of a firm. Ineffective governance is often an early indicator of risks to the safety and soundness of a firm and can be the root cause of firm failure or material customer harm. Firms with inadequate governance can often fail to identify emerging issues that could result in a major adverse impact.

Effective governance arrangements ensure that all areas of the firm are well controlled and are subject to the appropriate oversight and independent challenge. It all starts with the board – a strong and well-functioning board is central to good governance – and this in turn requires a strong board chair as well as knowledgeable and competent executive and non-executive directors (NEDs).

Expectations

Our rules require firms to have robust and comprehensive governance arrangements, which reflect the nature, scale and complexity of the risks inherent in their business models and activities. For new banks, the board has a pivotal role in ensuring that the bank is able to grow in a sustainable way and that they have the ability to exit the market in an orderly manner, if required.

SS5/16 Corporate governance: Board responsibilities sets out our expectations in that regard. In SS5/16 we highlight our expectations of firms to consider all the necessary sources of information and guidance on corporate governance when they are building their governance arrangements. Some aspects that we highlight include:

• Role of the board: The role of the board is to develop the business strategy and provide effective governance and leadership. It should identify the risks inherent in that strategy and develop the necessary mitigants to take on those risks and achieve the strategy. It should ensure that the firm is supported by appropriate governance arrangements as well as a robust risk management framework, so that the strategy is delivered in a well-governed and controlled manner.
• Board composition: The board needs the appropriate composition of directors to create a solid base for effective governance, well-informed decision-making and strategy setting. The composition of the board should be appropriate to the nature and size of the firm and should be reviewed (and refreshed) regularly to ensure that it remains appropriate as the firm changes and as the economy and market place evolve. For example, the board composition may need to change as the firm grows, to include a greater number of independent directors with sufficient diversity of specialisms. We recognise that the Board will not be fully constituted initially, but firms that are able to put in place a robust governance framework early tend to have a smoother journey to authorisation and beyond. We encourage firms to consider the necessary provisions of General Organisational Requirements 2 and 5 as part of the PRA Rulebook as well as the Senior Management Arrangements Requirements as part of the FCA Handbook.
• Balance: The board needs an appropriate balance of executive and independent non-executive directors (iNEDs) so that no individual director has undue influence over the board’s decision-making and wider operations. INEDs should ensure that there is appropriate oversight and independent challenge of the executives and senior management.
• Independence: The board should be sufficiently independent to ensure that it can provide effective challenge to the executives and senior management. The minimum expectation at authorisation for new banks, who use the mobilisation route, is to have the Chief Executive Officer (CEO) and one other executive in place (usually the Chief Finance Officer, CFO) as well as the board Chair. However, we expect firms to have considered which other roles need to be filled to ensure the Board operates effectively. In particular, risk management expertise is often required to ensure that effective risk management is embedded at the firm from the outset. Upon exiting mobilisation (or if authorised without using mobilisation), they need to have a fully functioning executive team and board. It is established good practice for new banks to have two iNEDs in place at this point.
• Appropriate knowledge, skills and experience: The board should possess adequate collective knowledge, skills and experience to understand the business model and its inherent risks and to be able to set the business strategy. This is critical in order for the board to proactively identify and address potential weaknesses in the business model or control environment, demonstrating self-awareness and willingness to tackle issues early on.
• Individual fitness and propriety: Under the Conduct Rules and other parts of the PRA Rulebook and FCA Handbook, all board directors, have a binding obligation to:
  • act with honesty, integrity and independence of mind;
  • act with due skill, care and diligence; and
  • be open and co-operative with the PRA, FCA and other regulators and bring to their attention any information of which they would reasonably expect notice.
• Long-term success of the firm: The board should promote the long-term interests of the firm and all stakeholders. This should not be limited to value creation but should also consider aspects such as diversity and protecting the environment.
• Culture: The board should set the appropriate tone and culture from the top and ensure that this is cascaded and embedded throughout the firm. It should articulate, embed and maintain a culture of risk awareness and ethical behaviour for the entire firm to follow in pursuit of its business goals. It should ensure that the strategy and culture are aligned and act by example to promote that culture. We also expect firms to be able to demonstrate how the Consumer Duty expectations have been considered and embedded into the business model.
• Effective leadership: The board should ensure that the necessary financial and non-financial resources are available to facilitate the delivery of the business strategy. In addition, the board should establish a framework of risk management and controls together with the relevant policies, processes and procedures to ensure that the business strategy is delivered in a well-governed and controlled manner. Transparency, openness and debate as well as contributions from all directors should be promoted throughout – by ensuring clear and thorough documentation and appropriate board sign-off(s) where applicable.
• Remuneration: The board should ensure that the firm establishes and maintains remuneration policies and procedures, which are consistent with and promote sound and effective risk management and do not encourage risk-taking that exceeds the level of risk tolerated by the firm. In addition, those policies and procedures should be in line with the business strategy, objectives, values and long-term interests of the firm. They need to avoid conflicts of interest, be well-documented and subject to independent annual reviews.

How expectations evolve through the different stages of the authorisation process:

Pre-application

• At the start of the journey to progress an idea into a business, firms often have one or two key individuals in place who run the firm.
• As firms progress through their pre-application engagement with us, and in particular by the time of the feedback stage, they should have in place definitive plans in terms of building their boards and senior management teams.
• By the time of the technical challenge stage, firms should have recruited the key individuals for their boards and senior management teams. This will ensure that those key individuals are in place and contribute to the development of the business proposition.
• Firms should consider the board composition as a whole, the relevant committee structures that will support it and any other governance arrangements that need to be put in place, including having the necessary terms of reference, policies, and procedures.

Upon authorisation of a new bank and beyond

• All new banks should have fully functioning and effective boards. Minimum expectations at authorisation:
  • Upon entry into mobilisation – CEO, one other executive director (usually the CFO) and an independent board chairperson. However, we do expect firms to have considered which other roles need to be filled to be able to develop the proposition – it is likely that additional hires will be needed to ensure this, particularly persons with risk management expertise to ensure that effective risk management is embedded at the firm from the outset.
  • If authorised without mobilisation or upon exiting from mobilisation – fully functioning executive team and board. It is established good practice for new banks to have two iNEDs in place at this point.
• We encourage new banks to strengthen their governance arrangements, increase the independence of their boards as they mature, and have a clear and detailed plan for how this will be achieved. This plan will need to be updated as the firm grows with regular reviews of the skills and composition of their boards to ensure that they remain appropriate for the growing and changing firm.
• We encourage new banks to move towards board independence – by year three of their planning horizon to have a minimum of three iNEDs (including the board Chair) and by year five to meet best practice including, dependent on size and complexity, having a majority independent board.
• Formal board evaluations should be undertaken on an annual basis. This should be led by the board chair and should consider the board’s composition, diversity and effectiveness – from both a collective and an individual director’s perspective. The board chair should then ensure that any remedial actions following that evaluation are completed in a timely and effective manner.
• We encourage new banks to develop and maintain robust succession plans for all board members and senior management, recognising that the individuals who have the skills to launch and build the firm in the early years may not be best suited to lead the firm as it grows.
• As part of the Senior Management and Certifications Regime (SM&CR) and through our governance assessments, we will scrutinise and hold to account all individuals that apply to become Senior Management Function (SMF) holders including those from the wider group and any shareholder directors. This process may include conducting interviews with proposed SMF holders so that we can gain assurance that the people intended to run the bank are fit and proper.

Common challenges

We encourage firms to consider how they will ensure that their proposed governance arrangements sufficiently address the below points:

• Effective management of any conflicts of interest: firms are encouraged to identify any potential conflicts of interest and ensure that they are managed effectively through a robust conflicts of interest policy and other governance arrangements:
  • Executive directors (EDs):
    • EDs are often significant shareholders (for example they are the founders of the firm) or might have been appointed or nominated by a significant shareholder.
    • This can create a significant conflict of interest. For instance, EDs who are also significant shareholders can be highly influential and may have a personal incentive in the firm pursuing certain actions or strategies (in particular, rapid, short-term growth and increased risk taking). This can lead to poorer outcomes for the firm.
    • Independence of mind is a requirement for all directors who should make their own sound, objective and independent decisions and judgements.
    • Firms can have shareholder directors but they should implement appropriate measures to identify, monitor and manage potential conflicts of interest or other challenges that can arise because of their circumstances.
  • Non-executive directors (NEDs):
    • NEDs may have a shareholding in the firm – this may not be as large as the shareholdings held by the EDs (for example the founders of the firm) but it is often material enough to create a significant conflict of interest.
    • While it is not against the PRA rules for iNEDs to have de-minimis shareholdings in the firm, we have a strong preference that the iNEDs (including the board chair) do not hold any shares in order to prevent any conflicts of interest and to ensure that they are truly independent. This is because, having an investment in the firm, may impact their judgement and their decision making may be influenced by their own personal interests as opposed to those of the firm and the remaining stakeholders. Where iNEDs have de-minimis shareholdings in the firm, the firm should consider what additional measures they would need to put in place to identify and manage any conflicts of interest.
    • Any shareholdings held by iNEDs must be de-minimis from the perspective of both the iNED (ie their personal wealth) and the firm (ie the total shares issued). We will consider the combined shareholding of the iNED and their connected parties (for example their spouses), if applicable, as part of that analysis. This ensures that any iNEDs who may hold shares remain independent and do not have undue influence at the board.
    • In addition, iNEDs are not allowed to hold any share options as our remuneration rules prevent variable remuneration for iNEDs.
• Recruiting suitable individuals: We encourage firms to ensure that their boards and senior management have the adequate skills and experience to effectively oversee their firms.
  • Senior Management Function (SMF) applications for individuals should clearly state why the firm consider these individuals to be suitable for the roles for which they have been selected.
  • We encourage firms to demonstrate that they have gone through a robust and fair recruitment process and appointed individuals based on the skills and capability required to deliver the business proposal and strategy. Evidence to that effect should be submitted alongside the formal SMF applications. This evidence should capture how the board and senior management have reached the conclusion that individuals have the relevant skills/experience for the role in question and how they plan to address any gaps in their knowledge and the timeframes for that – this could include formal training and development plans.
  • The board and senior management should ensure that they have satisfied themselves that the individuals recruited are appropriate, not just on an individual basis, but that they will also be a good fit for the board or senior management team. Having formal recruitment processes and using skills matrices can significantly help with that. Skills matrices, for example, can be used to assess the collective knowledge, skills and experience of boards or senior management teams. They are also valuable tools for nomination, training and succession planning purposes. Evidence of the use of skills matrices should be submitted alongside the formal SMF applications.
  • Firms should ensure that SMF appointments and corresponding applications are made as early as possible. This is to ensure that the bank is adequately resourced to build out its operations and to allow the individuals time to settle into their roles. Additionally, it also means more time to replace the individuals if we deem them not to be fit and proper based on their SMF application.
• Appropriate management information (MI) for the board: MI should highlight the key information necessary for the board and not be too lengthy or missing essential information. Good quality MI is essential, as the quality of the decision-making made by the board will, to a large degree, be driven by the information that they receive and on which they base those decisions. Firms should consider how to build and develop their MI so that it is timely, relevant, and accurate, and highlights the most important items for the board’s discussion. MI should be reviewed and improved on an ongoing basis.
• Appropriate structure to support the board: We encourage firms to design and build an appropriate structure of committees that support the board in its day-to-day operations and decision-making. These may include the Board Risk and Audit Committees as well as the Board Remuneration and Nominations Committees.
  • Small, non-systemic firms are not explicitly required to establish separate Board Risk and Audit Committees. However, it is good practice and firms often choose to have those as separate committees. In those instances, firms sometimes propose that the same iNED chairs both their Audit and Risk Committees. This, however, can create conflicts of interest and is not our preferred approach. As such, where a firm choose to have separate Board Risk and Audit Committees, each committee should be chaired by a separate iNED; and
  • Similarly, firms sometimes propose that their board chair also chairs some of their other board committees. This can create a conflict. We generally discourage the board chair from chairing any sub-board committees with the exception of the Nominations Committee.
• Succession plans: Firms should have appropriate succession plans in place, especially for the key roles on their boards and for their senior management teams. There is a significant risk for the firm should any of the key individuals no longer be available, especially if this is without any prior notice. We encourage firms to consider building robust and effective succession plans which promotes personal strength and diversity. This could be led by a separate Board Nominations Committee.

Resource links

• The General Organisational Requirements Sections of the PRA Rulebook – This includes rules on: (i) whistleblowing; (ii) the individuals who direct the firm; (iii) responsibilities of senior staff; and (iv) the management body etc. Please note that this is not an exhaustive list but just a few examples of what the rules include.
• SS5/16 Corporate governance: Board responsibilities – This document sets out our key expectations with regards to some particular areas of corporate governance. It should be read in addition to more general guidelines on corporate governance such as the UK Corporate Governance Code.
• The Strengthening accountability section of the PRA’s website and the Senior Managers and Certification Regime (SM&CR) sections of the FCA’s website – These comprise a mix of statutory provisions, PRA/FCA rules and Supervisory Statements. Hence, it is crucial to understand and follow as these apply to all regulated firms. They aim to strengthen market confidence and integrity by making individuals accountable for their competences and conduct, and by setting a corporate culture where individuals take personal responsibility for their actions.
• The FCA’s Approach to Authorisation and feedback statement – This sets out the FCA’s approach to assessing applications for individuals under the SM&CR regime.
• The EBA guidelines on Internal governance – This is important to consider as it outlines key principles of good governance, including aspects such as: (i) organisational structures; (ii) risk management processes and mechanisms; (iii) remuneration policies; and (iv) outsourcing and suitability of key function holders.
• The EBA/ESMA guidelines on suitability – This is important to consider as it contains key guidance on assessment the suitability of members of the management body and key function holders.
• UK Corporate Governance Code – While the UK Corporate Governance Code only applies to listed firms and is not a binding financial regulatory resource, we consider it good practice for all firms to follow. As such, it is an essential source to understand and apply. It covers detailed aspects of best corporate governance practice, including the relationships between firms and their stakeholders, the importance of a corporate culture which is aligned with the firm’s purpose and strategy, and thorough policies and practices that promote transparency and trust.
• Culture and governance – Culture is at the heart of how the FCA authorises and supervise firms. Firms’ cultures have been a major root cause of conduct failures. Good culture embedded into a firm’s governance will help prevent harm caused by inappropriate behaviours. The FCA’s work on culture and governance, including the approach to culture can be found on the FCA’s website.
• Fitness and Propriety – Senior Management Functions (SMFs) and Certification Staff need to be fit and proper for their roles. The FCA’s website sets out how the FCA apply the Fitness and Propriety requirements to your firm.
• Remuneration – A firm’s approach to remunerating and incentivising staff is one key element of its culture. This sets out how FCA looks at a firm incentivises its staff and how the incentive arrangements align and support a healthy culture to encourage positive outcomes.

Business model analysis

Key points

Why is this topic important?

The firm’s business model is one of the most important aspects of their proposition. Firms should set out their business models, in their regulatory business plans (RBPs), in sufficient and granular detail to explain why their proposed business models will be successful, ie viable (in the short term) and sustainable (in the longer term).

In terms of sustainability, it is important to understand over what period the proposed business is expected to become profitable and self-sufficient so that it no longer requires external capital support, and why the firm consider this to be plausible.

Expectations

Below are some key questions firms should look to answer when developing their business models throughout their pre-application engagement with us, alongside some examples of how they may cover these questions.

The level of detail firms provide will need to develop and increase as they progress through the pre-application process:

• At the initial stage, this should focus on what they are going to do – what products and services they plan to offer, what markets and customers they plan to target, what their unique selling point is and why they want to become a bank.
• At the feedback stage, it should cover why there is demand for their products, how their business model fits within the wider market, and why their plans are realistic and achievable.
• At the technical challenge stage, this should cover the threats and vulnerabilities to their business plan and how they will react if things do not go to plan.

How expectations evolve through the different stages of the authorisation process:

Pre-application

What should firms be thinking about at each stage of the pre-application process?

Upon authorisation without restrictions of a new bank and beyond

• Changes to business model: New banks may need to make changes/amendments to their business models in response to changes in the macroeconomic and/or market environment that they operate in. Where this is necessary, new banks need to keep us informed of any material issues affecting their business plans, and inform us in advance of making any significant changes to those. They should ensure that they fully assess the risks of any change to their business plans and have suitable controls in place.
• Sustainability of the business model: New banks are often loss making initially and rely on external capital injections to keep the firm going and to maintain their capital adequacy. While this is common for new firms, it may not be sustainable over the longer term and creates a vulnerability to capital not being available when needed. Firms should therefore focus on reaching profitability and the ability to achieve organic capital generation within a reasonable time following authorisation, recognising that the longer they are unprofitable the more uncertainty there is about whether investor sentiment will remain positive. They should use their experience to refine and further develop their business plans and financial projections as they mature. They should ensure that they factor in the ongoing investments in their governance and controls into those financial projections.
• Path to profitability: By year three post-authorisation, new banks should refine their business models based on their experience so far, produce more accurate forecasts and have a credible strategy for a path to profitability. By year five post-authorisation, new banks should have settled business models. They should be either profitable or have a credible strategy for a path to profitability, with definitive capital support to achieve that and have realistic forecasts in place.

Common challenges

We encourage firms to consider how they will ensure that their business propositions and RBPs sufficiently address the below points:

• Aligning market research to the business model: Market research should be specific to the proposed business model and clearly draw out the conclusions on how the research supports the firm’s business proposition. We encourage firms to undertake targeted market research that is specific to their business models in order to demonstrate the potential for their propositions to be viable and sustainable. We encourage firms to include sufficient detail on their market research in their business plans to evidence what they have undertaken, how this has been reviewed and what conclusions they have reached.
• Overoptimistic financial forecasts: Profitability and balance sheet growth forecasts should be realistic. Overoptimistic forecasts raise questions over whether the forecasts have been subject to the necessary internal governance, scrutiny and challenge. Furthermore, overly optimistic projections place unrealistic expectations and pressure on firms and their management once authorised (if successful).
  • Firms should take a prudent approach to profitability and balance sheet forecasting and should ensure that they have been appropriately challenged by their boards and senior management. Evidence to that effect should be captured in their business models.
  • Firms should undertake some sensitivity analysis of their projections to ensure that they are: (i) realistic and achievable; and (ii) can adapt to unexpected stress events – for example, would the firm still break even if costs are higher than forecast and/or the firm suffers an expensive one-off set back. This analysis and its conclusions should also be included in the business model.
• Consideration of why the business proposition will be successful: Business propositions should adequately explain how the proposed business model fits within the wider market and why it will work. While firms do not necessarily need to have an unique selling point, it is important that they set out, in sufficient detail, why they think they will be able to attract customers based on their proposed business models (why there is space in the market for a new entrant) and how they will be able to achieve that.
• Consideration of key risks: Firms should include adequate detail of the key risks to the viability of their proposed business models – this could include not being able to raise the necessary capital to operate the firm until they break even and become profitable or suffering unexpected and/or higher costs and the conduct risks in their business which may cause harm to consumers and markets. This is crucial to demonstrate that they have considered all the risks and will grow safely and soundly and without causing harm. We encourage firms to capture details on each inherent risk to their business model including why they consider it a risk and how they plan to mitigate it on an ongoing basis. We expect those risks to evolve as firms grow and develop. As such, the analysis of key risks should be reviewed and challenged on a regular basis.
• Consideration of costs, capital raising and resources in building a bank: A firm should ensure that it adequately considers the financial costs and resources needed to establish and build a new bank. Moreover, a firm should ensure that its business model is well thought out and realistic to avoid the need for material amendments to its strategic objectives during the authorisation process. New banks often encounter difficulties in raising additional capital when needed, which could impede their ability to scale and expand their intended operations.
• Submission of complete application: Firms should take regulation seriously and plan how they will meet the standards of the regulatory system before they apply. Firms should submit complete applications with all the information available and all the feedback addressed for our assessment and demonstrate that they are ready, willing and organised to be authorised.

Resource links

• The PRA’s approach to banking supervision – The pages relevant to business model are from page 13 onwards.
• SS3/21 Non-systemic UK banks: The Prudential Regulation Authority’s approach to new and growing banks – This outlines our expectations of new banks and how they evolve throughout the authorisation journey.
• FCA Handbook COND 2.7 Business Model – This sets out FCA’s guidance on one of the threshold conditions – business model.
• Firms should also consider the Dear CEO and Dear CFO letters (or similar) relevant to the regulated activities that they wish to undertake to further understand our expectations. These can be found on the FCA and PRA websites.

Risk management assessment

Key points

Why is this topic important?

• Effective risk management and controls ensure that the business strategy is delivered in a well-governed and controlled manner. They reduce the risk of any issues crystallising, which could potentially jeopardise the safety and soundness of the firm.
• Having the appropriate risk culture is paramount in ensuring that firms can identify emerging risks but also minimise the likelihood of any existing risks crystallising, in an ever-changing operating environment. Such a risk culture starts with the right tone from the top and should be cascaded down from the board and embedded in every level of the organisation.
• It is the responsibility of the board and senior management to ensure that firms have adequate internal control environments, which include not only the standards, processes and procedures to identify and manage risk but also the discipline to apply those standards at the relevant times. An effective internal control environment ensures that firms are risk aware and protects the interests of their stakeholders by ensuring that they have the appropriate values, ethos and behaviours in place. This in turn should be supported by the necessary compensation structures (ie compensation packages including bonuses should not encourage the pursuit of short term profits at the expense of prudent risk management), open reporting and clear accountability.
• Different business models have different risk profiles and as such, our expectations of a new bank’s internal control environment and risk management framework will vary depending on the type of business, its complexity and nature of risks to which the firm is exposed.
• Firms should also take into account our rules and expectations such as those relating to: (i) capital; (ii) liquidity; (iii) credit; (iv) operational risks; and (v) outsourcing. Moreover, the risk management framework and controls should be reviewed on a regular basis and developed as needed especially in light of changes to the business model or growth in the business.

Expectations

The below figure demonstrates how effective risk management and controls start at the top and are cascaded down to every level of the organisation.

Figure 2: Risk management framework pyramid

• Effective risk management and controls start at the top and should be cascaded and embedded throughout the firm.
• The board sets the business strategy but also the risk appetite and culture within which to deliver that business strategy. The board and senior management team then ensure that firms have the adequate risk management frameworks and controls to support the delivery of the business strategy.
• Firms often adopt the three lines of defence model when designing their risk management framework and controls. In this framework, the business areas are the first line of defence, independent risk management units are the second line of defence, and internal audit is the third line of defence. If firms choose to adopt this model, then we expect the first line to effectively identify, measure, manage and report risks within limits. Monitoring activities are performed independently by the second line. This framework is subject to independent oversight and challenge from the third line of defence.

The below figure outlines the key components of a risk management framework.

Figure 3: Key components of a risk management framework

Risks identification:

• Firms should:
  • ensure that they have sufficiently skilled individuals (including on their boards) to identify risks and assess the potential impact of those risks on the firm.
  • design and then implement a risk management framework that is appropriate for the nature and complexity of their business model and the environment that they operate in.
  • allocate sufficient resources to their risk functions so that they are able to adequately discharge their duties.

Risks measurement and monitoring:

• Firms should establish a prudent risk appetite, which is commensurate with the nature, scale and complexity of their business proposition, and measure and monitor their performance against that risk appetite on an ongoing basis.
• We encourage firms to develop a comprehensive set of indicators that covers all risks in their firm – this should comprise a complete spectrum of indicators (for example green, amber and red) and include at what point management/recovery actions or the solvent exit execution plan will be triggered. This spectrum of high-level indicators should be developed by the senior management and approved by the board after it has been subject to the necessary review and challenge.
• We encourage firms to ensure that the high-level indicators are supported by lower-level metrics and robust processes and procedures for the monitoring of the metrics and any necessary escalation such as to the Board Risk Committee or to the board itself.
• Moreover, firms should avoid setting their risk indicators and triggers too close to the regulatory minimums – this is to ensure that they have sufficient time to react and adopt any management actions in a stress. In addition, the risk appetite and triggers should be integrated (as necessary) in all key documents of the firm including the Regulatory Business Plan, Internal Capital Adequacy Assessment Process, Internal Liquidity Adequacy Assessment Process, recovery and solvent exit analysis.
• We encourage firms to provide evidence to demonstrate that their risk appetites and associated metrics and trigger points have been subject to the appropriate internal governance processes including challenge and approval by their boards.

Risks management:

• We encourage firms to design the appropriate policies, processes and procedures to manage risks in an effective manner. It is essential that their boards and senior management are sufficiently involved in this and the management approach for any key risks is considered and approved by the board.
• As firms grow, their operational models will evolve and their risk management frameworks and controls should evolve in line with these changes – this will include the policies, processes and procedures to effectively manage any risks in the firm.
• We encourage firms to invest significantly in the development and ongoing maintenance of their risk management frameworks and controls such that they have a mature control environment typically five years after authorisation.

Reporting of risks:

• We encourage there to be clear ownership and accountability of the risk management framework so that risks are reported accurately, in a timely manner and in a way that is appropriate for the audience – for example, in comparison to the risk reports provided to Board Risk Committee the risk reports to the board will be more focused on the key priority risks and breaches.
• We encourage firms to ensure that their management information on risks is accurate, timely and relevant and is improved on an ongoing basis. As part of that, we encourage the board and its committees to specify the nature, source, format and frequency of the management information that they require to monitor and manage risk.
• We encourage both the board and senior management to have the necessary knowledge and skills in relation to risk management and to be able to explain, amongst other things:
  • what the key risks are for the firm and how they are managed, including trigger points and the processes for escalation; and
  • what the processes are for bringing any significant issues to the attention of the board in relation to any risks crystallising or any new risks emerging.

How expectations evolve through the different stages of the authorisation process:

Pre-application

• Initially, while firms are finalising their business models and associated risk management frameworks and controls, it will not be possible to fully define their risk environment. We expect that this will become clearer as firms progress through their pre-application engagement with us.
• By the time a firm is at the end of its pre-application engagement, we expect there to be a near complete risk management framework that identifies the key risks to their firm and is supported by a board approved risk appetite statement.
• When a new bank application is submitted, it should include a detailed risk management framework and supporting policies, processes and procedures, which clearly set out how the risks have been identified, and how they will be monitored, managed and reported on. This should include sufficient detail on the governance arrangements that will provide oversight and challenge to the framework.

Upon authorisation of a new bank and beyond

• At the time of authorisation , we would have assessed only the design of the risk management framework and controls based on the documentation that has been submitted. As the firm has only recently been launched and is becoming operational, the actual effectiveness of the risk management framework and controls is usually untested at this time.
• Development of the risk management framework needs to keep pace with the firm’s business ambitions. New banks should ensure that they regularly assess whether their controls remain fit for purpose in the context of changes to the business and whether there is a clear framework for risk identification, management, and mitigation.
  • Such an assessment could comprise internal reviews, for example, led by the Chief Risk Officer or the Chair of the Board Risk Committee or even Internal Audit or more formal external reviewed undertaken by an independent third party commissioned by the new bank.
  • The assessment should also take into consideration, but not be limited to, the following:
    • the adequacy of technical knowledge, skills and expertise within the risk management framework;
    • whether stress testing and downside risk analysis have sufficient prominence in decision-making and key management documents; and,
    • whether the firm can produce accurate data and management information.
• Firms need to ensure that their risk management frameworks and controls evolve in line with their business growth and are effective for the type and scale of business being written. We will monitor this on an ongoing basis as part of our regulatory engagement.
• By around three years post-authorisation, we expect that the risk management framework and controls are fit for purpose, although a new bank’s controls will evolve in light of their experience. New banks should prioritise developing controls for their most material risks.
• By around five years post-authorisation, we expect new banks to have a mature control environment, which includes a fully embedded risk management framework linked to a stable business model and provides a forward-looking view across all risk types. We will continue to monitor this and may undertake formal reviews as part of our regulatory engagement.
• We encourage new banks to undertake thorough ‘lessons learnt’ exercises in cases where things do go wrong. Those should include analysis of the root cause of the issues and whether they could have been prevented. Moreover, new banks should develop and introduce additional controls, processes and procedures to avoid similar issues occurring again in the future.
• Very often, new banks choose to outsource their internal audit functions rather than building the capability in-house. This is acceptable as long as the firm ensures that they appoint a third party which have the required skills, resources and experience to perform the internal audit function for them and which is fully independent of the firm. Regardless of whether the internal audit function is outsourced, the board remains ultimately responsible for the internal audit function. Firms are encouraged to refer to the Basel Committee on Banking Supervision document on The internal audit function in banks.

Common challenges

Firms should consider how their proposed risk management frameworks and controls sufficiently address the below points:

• Defining the risk appetite: The risk appetite must be well defined and clearly articulated – from both a quantitative and qualitative perspective. A clearly defined risk appetite is crucial in being able to monitor and report the performance of the firm and the delivery of the business strategy. We encourage firms to develop detailed risk appetites, which are realistic and linked to their overall strategy and can be used to measure their performance. Moreover, firms should demonstrate the internal governance process that was followed to review, challenge and agree their risk appetites.
• Recruiting the right skills and experience: Firms must dedicate sufficient financial and/or non-financial resources to develop and mature their risk functions. Failure to do so creates a significant risk that the risk function will not be able to adequately support the growing firm due to lack of resources. Hiring good quality individuals is key and firms should consider how their boards and senior management have determined that the individuals in their risk functions are appropriate in terms of their skills and experience and how they plan to address any gaps in their knowledge.
• Evolving risk management capabilities: We often find that firms have ambitious growth and profitability targets, but they are not always supported by a risk management framework that grows in line with the projections. This results in firms not being able to:
  • monitor and manage their existing risks, and as such, those risks worsen and lead to losses (for example firms experiencing high credit losses when having underwritten large amounts of business without that being subject to the necessary underwriting and credit checks); and
  • identify new or emerging risks and implement the necessary mitigants to prevent such risks from crystallising.
• We encourage firms to demonstrate that their proposed risk management frameworks and controls are not only effective at launch but remain appropriate for the size and complexity of their firms as they grow – this should be captured in the firm’s business model.
• Effective management information (MI) for the board: It is important to ensure that MI is not under-developed, too long, unfocused or not relevant for the needs of its audience – for example we have seen instances of where boards receive very extensive packs, which include a large number of metrics and triggers and which make it very challenging for the board to determine what they need to focus their discussion and decisions on. This creates a risk that the board is not able to make the right decisions for the firm. We encourage firms to ensure that their boards and senior management receive timely, accurate and relevant MI to foster their discussions and decision-making. This is because the quality of their decision-making will, to a large degree, be driven by the quality of information received on which to base those decisions. As such, it is essential that the MI provides relevant risk information, is appropriately tabled for the discussion and is accurate. In addition, firms should consider how this MI needs to change and improve as the firm grows.

Resource links

• The Risk Control and Group Risk Systems sections of the PRA Rulebook – These include relevant information, which will be helpful to consider when building risk management frameworks and controls.
• The Risk Control, Group risk systems and controls requirements, Operational risk systems and controls requirements and Risk control: guidance on governance arrangements sections of the FCA Handbook – These include more useful guidance to consider when building risk management frameworks and controls.
• The PRA’s approach to banking supervision – Pages 17–18 set out our requirements for banks in terms of their risk management and controls.
• SS2/21 Outsourcing and third party risk management – This sets out how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management.
• SS3/18 Model risk management principles for stress testing – This sets out our expectations as to the model risk management practices firms should adopt when using stress-test models.
• Basel Committee on Banking Supervision document on ‘Corporate governance principles for banks' – Refer to Principle 6 on ‘risk management function’; Principle 7 on ‘risk identification, monitoring and controlling’; and Principle 8 on ‘risk communication’.
• Basel Committee on Banking Supervision document on ‘The internal audit function in banks’ – This is a very helpful guide to the internal audit function in banks.

Capital assessment

Key points

Why is this topic important?

Authorised banks are required to maintain appropriate capital resources, both in terms of quality and quantity, consistent with the safety and soundness of the firm and taking into account the risks to which they are exposed.

Having enough capital of sufficiently high quality is essential in being able to absorb losses. In addition, it reduces the risk of an authorised bank becoming unable to meet the claims of its creditors and is crucial for maintaining depositor confidence. Sufficient capital resources are also essential to demonstrate compliance with the PRA’s ‘Prudential conduct of business’ Threshold Condition (having appropriate financial resources).

A documented Internal Capital Adequacy Assessment Process (ICAAP) is an integral part of a firm identifying the risks in their business model and ensuring that the capital they have against those risks is adequate and proportionate to the nature, scale and complexities of their business proposition.

It is critical that the ICAAP is owned by the board. It should be updated at least annually or more frequently if there are changes in the business strategy or the operational environment that suggests the current level of financial resources is no longer adequate.

Expectations

Extensive information and guidance on capital has already been published and as such the below list is not exhaustive but highlights some of our key regulatory expectations. Firms are required to fully consider the guidance that is available as part of their capital management and ICAAP processes.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• As part of their pre-application engagement with us, firms should provide a draft ICAAP document for us to review and challenge. We expect to see a good quality draft ICAAP and will provide detailed feedback (where needed) on that draft ICAAP document.
• We expect that the ICAAP document develops as firms go through their pre-application engagement with us and by the time firms reach the Challenge Stage (and submit the ICAAP to us for review), the ICAAP document should include, at a high level, the following:

• As part of a new bank application, firms need to submit a final version of the ICAAP document covering the business plan and incorporating all the feedback provided.

Upon authorisation of a new bank and beyond

• We expect firms to provide proof of capital before (i) they are authorised (either directly or into mobilisation) and (ii) they can exit mobilisation (if this is the chosen route).
• Authorised banks (including those in mobilisation) must meet their minimum capital requirements at all times.
• We expect new banks to have high capital burn rates as they invest in order to build their firms while at the same time they are still loss making. As a result, new banks should have sufficient levels of capital to meet their capital requirements (ie their Pillar 1 and Pillar 2a requirements as well as their buffers and any minimum requirement for own funds and eligible liabilities (MREL) (if applicable) for at least 12 months after being authorised (either exiting from mobilisation or upon authorisation if a firm does not follow the mobilisation route). This is key to ensure that new banks maintain sufficient capital during their first year. In addition, this may help new banks to focus on building and running their firms without having to raise new capital soon after being authorised.
• The PRA buffer for established banks is calculated based on the amount of capital needed to remain above Total Capital Requirement (TCR) under a severe but plausible stress scenario. For new banks, the amount of capital needed to survive such a scenario would be generally very large. This could give rise to a disproportionate level of capital relative to the financial stability risks posed by new banks, as these banks should be able to exit the market easily if required. As a result, an alternative approach is applied to calculating the PRA buffer for new banks. This is introduced in SS3/21 and it replaces the existing methodology where we set the PRA buffer for new banks on the basis of wind down costs. The new approach allows new banks time to find alternative sources of capital or make business model adjustments, in the event of a loss of investor support and assumes that a reasonable amount of time to do that is around six months. Therefore, new banks are expected to calibrate their PRA buffer to be equal to six months projected operating expenses, defined as those costs associated with the day-to-day running of the business.
• The PRA’s approach for setting the PRA buffer is designed to support new banks in their early years of operation, and as such is time-limited. Once the new bank has been trading fully for five years or they have become profitable for a full trading year (whichever is sooner), they are expected to transition the calculation of their PRA buffer onto stress testing, in line with established banks. As such, firms are expected to prepare for that and undertake stress testing from the point of authorisation.
• While we accept the use of forecast data before a firm is authorised, once authorised, firms are expected to use actual data.

Common challenges

Our review of the ICAAP document is a key part of our assessment – both during our pre-application engagement and as part of our assessment of a new bank application. We encourage firms to consider how they will ensure that their ICAAP documents sufficiently address the below issues:

• Governance: The board and senior management must be familiar with the high level ICAAP content and principles, and be able to demonstrate proportionate understanding of the risks and methodologies that have been considered in the document. Firms must also be able to demonstrate that robust challenge has taken place. This will help to prevent ICAAPs, which are too long, not clear and not consistent with the other key documents. The ICAAP is an essential document, which needs to be embedded within the firm’s capital management process and procedures and not referred to as merely a regulatory requirement. As such, firms should ensure that there is sufficient board engagement and understanding of the ICAAP as well as thorough oversight and independent challenge.
• Consistency: Firms should ensure that their ICAAPs clearly communicate the assessment that they have carried out – this includes what key risks have been identified as well as the supporting analysis and conclusions of how much capital to hold against each of the risks. In addition, firms should ensure that their ICAAPs are consistent throughout the document and aligned with other key documents such as the RBP. Sometimes, firms address our feedback in their RBP or in one part of their ICAAP but do not reflect these changes throughout the remainder of the ICAAP document. Having effective internal governance, review and challenge of the ICAAP and other remaining documents will significantly help with consistency. As such, it is essential for firms to ensure that such arrangements are in place.
• Articulation of the risk appetite: Firms should clearly articulate their risk appetite with regard to both the amount and quality of capital within in their ICAAP. Firms often set their capital risk appetites very close to their capital regulatory requirements without having sufficient analysis or justification as to why the risk appetite has been calibrated at that level.
• Capital contingency plans: Market uncertainty can leave a firm’s access to external capital exposed to enhanced risk, particularly, where there are limited sources of capital. In many instances, firms rely on a single investor or a small pool of investors for their future capital raising. This creates a significant risk should those investors no longer be able or willing to commit to their investments. Firms should develop capital contingency plans that consider what they would do if their capital raising does not go to plan or does not raise a sufficient amount of capital or they take longer to become profitable (and capital self-sufficient). This plan should capture in sufficient detail the proposed management actions and how firms have ensured that the actions are credible and achievable. Evidence of this should be captured in the ICAAP document.
• Stress testing: Across all stages of the application journey, stress testing must be sufficiently detailed, appropriate for the business model and its inherent risks, and should have the numerical analysis to back the conclusions. Firms should develop their own scenarios and ensure that these are as severe in relation to their business model as the concurrent stress-testing scenario (for firms participating in concurrent stress testing) or the scenario published by the PRA (for all other firms). Firms should consider the severity expectations about stress testing outlined in SS31/15 ‘The Internal Capital Adequacy Assessment Process (ICAAP)’. Stress testing should be forward-looking and linked to risk appetite, in order to show the true vulnerabilities in the firms’ capital profile. Comprehensive and robust stress testing which has been subject to the necessary internal governance, oversight and challenge is vital to ensure compliance with the overall level of capital adequacy.
• Mobilisation versus post-mobilisation: Firms need to demonstrate an understanding of the regulatory requirements at the different stages of the authorisation process and embed these requirements into their capital planning and management processes. For example, we often see ICAAPs which do not include the proposed capital requirements during mobilisation (if this is the chosen route). However, the requirements for the mobilisation and post-mobilisation periods will differ. As a result, the ICAAP needs to set out how the capital position and risks change over that timeline and over the course of the planning horizon. Firms must meet their mobilisation capital requirements throughout the period of time they remain in mobilisation. In some instances, this may require them to raise additional capital during mobilisation and should be incorporated into their capital funding plans.
• New investment needed to meet capital requirements: New banks often encounter challenges in securing additional capital when needed, which could impede on their ability to scale and execute intended expansion strategies. Firms should incorporate considerations of required capital levels from their ICAAP and regulatory capital requirements into their early-stage planning.

Resource links

• The Internal Capital Adequacy Assessment part of the PRA Rulebook – These rules provide more detail on a range of topics including the different risks against which capital must be available, stress testing and reverse stress testing etc.
• SS31/15 The Internal Capital Adequacy Assessment Process (ICAAP) – This outlines the PRA’s expectations about the ICAAP document as well as the PRA’s Capital Review (SREP) processes.
• The PRA’s methodologies for setting Pillar 2 capital (Statement of Policy) – Firms should be familiar with the PRA’s methodologies for setting both Pillar 2a and Pillar 2b capital requirements.
• Stress testing (published results of annual stress test and ICAAP scenarios for firms to use as benchmark) – Although not necessarily applicable to newly authorised firms, this can be very useful when designing the stress-test scenarios and analysing their results and conclusions. This will help ensure that stress tests are both plausible and sufficiently severe.
• The Bank of England’s approach to setting a minimum requirement for own funds and eligible liabilities (MREL) (SP) – This outlines the powers that the Bank of England has, as a Resolution Authority, to require firms to maintain a minimum level of MREL (if applicable).
• PS29/20 Capital Requirements Directive V (CRD V) – This outlines changes to the PRA’s rules, supervisory statements and statements of policy in order to implement elements of CRD V.
• SS3/21 Non-systemic UK banks: The Prudential Regulation Authority’s approach to new and growing banks – This is the latest Supervisory Statement outlining our expectations of firms and new banks and how those evolve throughout the authorisation journey.
• The ICAAP Section of the New Banks Seminar Slides (October 2019) – There are very helpful slides to consider as they outline some of our key expectations and review processes.

Capital instruments assessment

Key points

Why is this topic important?

For a firm to be authorised as a new bank they must have sufficient capital of the right quality in place, ie the capital must meet the criteria for regulatory capital as outlined in the Capital Requirements Regulation (CRR). In the case of Common Equity Tier 1 (CET1) capital, we are required by the CRR to evaluate whether the firm’s proposed CET1 capital instruments are eligible as regulatory capital against the specific criteria set by the CRR (for example Articles 26(3) and 28(1)). Only when we are satisfied that the instruments fully comply with the criteria, we will grant a permission for the firm’s capital to be classified as regulatory capital.

Expectations

• Share structures should be designed to be as simple as possible. As set out in SS7/13 ‘Definition of capital (CRR) firms’, our preference is for firms to adopt simple, vanilla share structures consisting of preferably only one class of shares that is:
  • fully subordinated to all other capital and debt; and
  • has full voting rights and equal rights across all shares with respect to dividends and rights in liquidation.
• Issuances with complex structures often have features that are inconsistent with the spirit of the CRR eligibility requirements and our supervisory expectations.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• We encourage firms to design and build their share structures to be as vanilla as possible (for example with one class of shares and equal rights across all of the shares) and have good governance arrangements; and,
• As part of your new bank application, for CET1 instruments, we encourage firms to submit the following for our review: (i) pre-issuance notification form; (ii) CET1 compliance template; (iii) independent legal opinion; (iv) the terms and conditions of the CET1 capital instruments including any side agreement; and (v) CRR permission application form.

Upon authorisation of a new bank and beyond

• We operate a capital quality review regime achieved through the pre/post-issuance notification (PIN) rules that require firms to notify us of issuances of capital instruments – either in advance of the issuance for CET1 and AT1 instruments (unless the instruments are on ‘substantially the same’^{footnote [2]} terms as previously issued instruments that qualify as CET1 or Additional Tier 1 (AT1) capital, in which case the PIN should be submitted no later than the day of issuance) or on or after the issuance for Tier 2 (T2) instruments.
• Based on our experience, new banks do not often issue AT1 or T2 instruments. However, this is acceptable (ie as part of the overall capital stack) and more information can be found in the links included in the ‘Resource links’ below.
• It is important to have clear, individual accountability for the firm’s capital arrangements consistent with those set out in the Senior Management Regime (SMR). Hence, firms should ensure that the responsibility for the quantity and quality of capital is allocated to an appropriate Senior Management Function (SMF) holder.

Common challenges

We encourage firms to consider how they will ensure that their proposed capital instruments sufficiently address the below points:

• Complex share structures and features:
  • We often see very complex ownership and shareholding structures being proposed by firms. However, it is important to consider whether those structures fit within our risk tolerance and supervisory expectations, ie to have a capital structure, which is as simple as possible.
  • There is a risk that complex features and structures can complicate the prudential assessment and may undermine the loss absorbing properties of the capital instruments and hence their compliance with the CRR.
• Shareholder versus regulatory expectations:
  • We appreciate the importance of satisfying investor demands so that they can provide funding for the firm, however this often results in complex share structures that do not fully comply with the CRR. It is crucial for firms to consider how they will manage and balance those demands against our supervisory expectations when they design their capital structuress.
  • We have a strong preference for simple and vanilla share structures. We encourage firms to avoid complex features such as multiple classes of shares, different rights and entitlements with respect to voting rights and proceeds on share sales and the inclusion of anti-dilution provisions.
  • Access to external capital will be exposed to greater risk where investors demand capital instruments with such complex features, ie this could adversely affect a firm’s ability to recapitalise. Hence, it is important for firms to build the necessary contingencies and management actions within their capital planning in order to manage and mitigate this risk.
  • The availability of external capital will also be subject to investor expectations around profitability of the firm and other targets that investors would expect firms to meet. We encourage firms to be transparent with us around investor expectations including any associated timelines. In addition, we encourage firms to share with us any known investor exit strategies that are in place should any of the targets not be met.
• Appropriate governance arrangements:
  • Having the right individuals identified to implement and manage the firm’s capital arrangements is a critical part of the process. The board should consider why those individuals are suitable for the role and whether they have the right skills and experience to manage the overall quality of capital within the firm.

Resource links

• PS5/20 Regulatory capital instruments: update to Pre-Issuance Notification (PIN) requirements – This document provides useful information on how to submit a PIN in order to classify the firm’s capital as regulatory capital.
• SS7/13 CRD IV and capital – This document sets out our expectations on how to comply with the relevant CRR criteria for the quality of capital. It covers areas such as composition of the capital base, preference rights, subordination, events of default, triggers and set offs etc.
• Capital instruments – pre/post-issuance notification (PIN) – these are the PIN rules for firms to follow when issuing or amending capital instruments that will be included as either capital resources or own funds.
• PRA’s CET1 flow chart – This outlines the interaction of the PIN and CRR 26(3) CET1 permission processes.
• PRA’s AT1 flow chart – This outlines the interaction of the PIN process for the issuance of AT1 instruments.

Liquidity assessment

Key points

Why is this topic important?

Sufficient liquidity is key to ensuring that firms are able to meet their liabilities as they fall due and to survive any liquidity stresses. As well as capital, sufficient liquidity is critical in being able to meet the PRA’s ‘Prudential Conduct of Business’ Threshold Condition (having appropriate financial resources). Firms are therefore required to identify, measure, manage and monitor liquidity and funding risks that arise from their business models.

The Internal Liquidity Adequacy Assessment Process (ILAAP) is the key document, which sets out the firm’s approach to liquidity and funding. Our review of the ILAAP therefore forms a key part of our assessment of a new bank application and once a firm is authorised as a new bank (if successful).

Expectations

The table below is not exhaustive but pulls together some of our key regulatory expectations. Firms should read and apply all the necessary liquidity guidance that has been published:

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• As part of their pre-application engagement with us, firms should provide a draft ILAAP document for us to review and challenge. We expect to see a good quality draft ILAAP and will provide detailed feedback (where needed) on that draft ILAAP document.
• We expect that the ILAAP document develops as firms go through their pre-application engagement with us and by the time they reach the Challenge Stage (and submit the ILAAP to us to review) it should be a comprehensive document that covers the relevant content set out in Appendix 1 or Appendix 2 of SS24/15 as applicable. By necessity, some of the content will be forward-looking and reflect the expectations of the firm’s future approach to liquidity and funding and how it intends to achieve overall liquidity adequacy.
• As part of a new bank application, firms needs to submit a final version of the ILAAP document covering the business plan and incorporating all the feedback provided.

Upon authorisation of a new bank and beyond

• All authorised banks should meet the LCR standard and their Individual Liquidity Guidance at all times, absent a situation of financial stress.
• All authorised banks should consider their medium to longer-term liquidity and funding needs and firms that are not small domestic deposit-takers should meet the net stable funding ratio (NSFR) standard in normal times, in addition to the LCR.
• While we accept the use of forecast data before a firm is authorised, once authorised, firms are expected to use actual data.
• The ILAAP document should be updated on an annual basis (or more regularly if there are significant changes) to reflect any key changes to the new bank’s business model and to become more detailed as the firm grows and/or becomes more complex. The ILAAP should be an integral part of the new bank’s risk management processes and decision-making.

Common challenges

Our review of the ILAAP document is a key part of our authorisation assessment and ongoing supervision of banks. Firms should consider how they will ensure that their ILAAP documents sufficiently address the following key issues:

• Governance: The board and senior management must be familiar with the ILAAP document and be able to demonstrate proportionate understanding of the risks and the proposals for managing these risks that have been considered in the document. In addition, firms must be able to demonstrate that robust challenge has taken place. Where ILAAPs are very long, unclear and inconsistent with other key documents this would suggest adequate challenge has not taken place. The ILAAP is an essential document, which needs to be embedded within the firm’s liquidity management process and procedures rather than being merely a regulatory requirement. As such, firms should ensure that there is sufficient board engagement and understanding of the ILAAP (for example, through providing appropriate oversight and independent challenge).
• Consistency: The ILAAP needs to be consistent both within itself and with other key documents. Where it is not, it can lead us to require clarification from firms and in some cases request for documents to be resubmitted. This is often due to firms having addressed feedback in their RBP or in one part of their ILAAP but failing to reflect these changes throughout the ILAAP document. This often indicates that the ILAAP and other documents have not been subject to the necessary internal review and challenge processes. Moreover, this often results in significant delays and hinders our ability to set the firm’s liquidity requirements.
• Liquidity contingency plans (LCP): Firms should develop an LCP as this is a crucial aspect of their overall liquidity and funding risk management. Having such a plan in place provides firms with options in the event of a liquidity stress and reduces the risk of liquidity issues crystallising further. We encourage firms to develop detailed and robust LCPs that set out how they will respond to any potential liquidity shortfalls or stress events. Firms should have in place forward-looking early warning indicators, which will detect any signs of stress as early as possible. LCPs must capture in sufficient detail proposed management actions and how they have ensured that those actions will be feasible and achievable in order to bring them out of the stress event.
• Stress testing: Liquidity stress testing should be focused and relevant to the business proposition and risks within the firm. We encourage firms to undertake comprehensive stress testing which is appropriate to their business models and the risks inherent within those. The stress test scenarios must be plausible and sufficiently severe in order to show the true vulnerabilities in their liquidity profile. We encourage that both the board and senior management have the necessary understanding and knowledge of stress testing and are fully involved in (i) the development of the stress test scenarios, (ii) quantifying the outflows that could result under the scenarios, and (iii) the discussion and challenge of the results of those scenarios.
• Mobilisation versus post-mobilisation: Firms, that use the mobilisation route, should clearly articulate the different liquidity risks that they will have during their mobilisation versus post-mobilisation periods. This is important because firms must meet their regulatory liquidity requirements as soon as they are authorised (no matter whether using the mobilisation route or not). The ILAAP also needs to set out how the firm’s liquidity position and risks evolve over the course of their planning horizon.
• Access to the Bank of England reserve account: Many firms express a preference, within their ILAAPs, for holding the majority of their HQLA in a Bank of England reserve account. We often see firms making overoptimistic plans in terms of when they will be able to have access to a Bank of England reserves account. However, this is subject to a separate application process led by the Bank of England Markets Division and is usually not available until a firm is authorised. We encourage firms to factor that into their plans and consider alternative arrangements until they have access to a Bank of England reserve account.

Resource links

• The Internal Liquidity Adequacy Assessment part of the PRA Rulebook – These rules are referenced within SS24/15 above and provide more detail on a range of topics including liquidity risk drivers, liquidity contingency plans and stress testing etc.
• SS24/15 The PRA's approach to supervising liquidity and funding risks – This is the key document to read, understand, and apply proportionately. It includes what areas to include in the ILAAP document (where applicable) in Appendix 1.
• Statement of Policy ‘Pillar 2 liquidity’ – While a lot of this may not be directly relevant to many new banks straight away, this should be considered from the outset and as it will become relevant as firms grow.
• Liquidity Coverage Ratio Delegated Act, reporting guidance and reporting clarifications – Firms should familiarise themselves with these as they contain detail on the liquidity coverage ratio and how to report on this.
• EBA/GL/2014/13 – Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP) – This is the European Banking Authority (EBA) Liquidity SREP guidelines which are cross-referenced in SS24/15.
• Bank of England Markets Operations Guide – This is the the Bank's published framework for market operations conducted in support of monetary and financial stability.
• Regulatory reporting:
  • Instructions and templates
  • Additionally, the PRA Rulebook contains rules on reporting:
    • Liquidity Coverage Ratio
    • Net Stable Funding Ratio

Owner/controller assessment

Key points

Why is this topic important?

An investor is classed as a controller when they have at least 10% of the economic or voting interest in the firm. Some investors with less than 10% voting interest may be classed as controllers if they are acting in concert with other investors/controllers. To determine this, firms should share with us, as part of the application process, a full group structure chart outlining all their investors.

As part of a new bank application assessment, we assess whether their proposed controllers are fit to run a UK bank and the safety and soundness of their source of funds.

Firms should disclose to us the full extent of investor/controller involvement and influence as part of their proposed governance arrangements. This should include how firms plan to manage investor expectations and any conflicts of interest.

Firms should consult all the relevant guidance that has been published concerning this topic – we have provided some useful links below, under the heading ‘Resource Links’.

Expectations

Firms need to have investors/controllers in place, who are disclosed to us before we can reach a decision on their new bank applications.

Firms should have clear plans that set out how and when they expect to raise capital including the source and amount of each capital raise. We expect these plans to evolve throughout the application process and as firms grow and develop.

The exact timing of when they raise their capital is largely up to the firms – but they will need to be open and transparent with us throughout, and submit the necessary controller forms and other supporting documentation as part of their new bank applications. Firms must have the necessary capital in place before they can be authorised.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• Firms should disclose the investors that they are talking to during their pre-application engagement with us, as well as, if they have any plans to merge with or acquire an existing firm.

Application assessment

• As part of a new bank application firms should disclose to us who their investors are and submit all the necessary documentation for us to assess them. The capital injected in the firm must be provided by the same investors that have been disclosed to us and that we have assessed.
• For those investors holding a controlling share (above 10% economic interest or voting power), the firm needs to submit the relevant controller forms. Controllers will also need to provide supporting documents, such as, audited financial statements and letters of good standing. These supporting documents should demonstrate the controller has adequate financial resources and that they have a suitable source of funds.
• Firms should be open and transparent with us regarding the influence of the investors at their firm – for example, do the investors have the power to make decisions that directly impact the running of the firm or do they have significant influence over the remaining board members?
  • Firms should share with us the expectations of their investors such as targeted growth rates, profitability and returns and demonstrate how their board will manage those expectations.
  • We have a strong preference for there to be no more than two investor non-executive directors on the board. This is because a heavy investor presence could pose a risk to the independence of the board.

Upon authorisation of a new bank and beyond

• Once a firm has been authorised, we will review and approve any new controllers or changes to the existing controllers and must grant approval of any changes to a bank’s controllers before the changes take place.
• We encourage all firms to alert us to any new controllers or changes to their controller bands before they happen. We will then assess any new controllers, and any impact on the firm’s business model and governance arrangements.

Common challenges

We encourage firms to consider how they will ensure that their new bank applications and controller submissions address the below points:

• Investor disclosure: Some investors may not want to commit funding until they are confident that the firm will be authorised. However, to be able to fully assess a new bank application, we need to know who the investors are. While we are not expecting investors to actively fund the firm until they are ready to inject the capital, it is important that they disclose who they are as part of the new bank application so that we can determine if they are controllers (including if there are parties acting in concert), and their impact and influence on firms’ governance arrangements.
  • Firms must submit the relevant controller forms and supporting documents so that we can assess the controllers and their source of funds accordingly.
  • For us to be able to authorise the firm, they need to have the capital in place and provide us with the necessary proof that this is case.
• Determining the controllers: Firms should disclose to us the ultimate parent of their controller Group structure – this is to ensure that we are aware of who the ultimate parent is and we have assessed their fitness and propriety as well as the suitability of their source of funds. It also ensures that we capture the correct entities/ individuals in the group structure as controllers. It is therefore important for firms to provide us with the full controller group structure (up to the ultimate owners of the firm) when they apply. Firms should ensure that they have identified all controllers in the structure chart and submit the relevant controller forms alongside their application.
• Connected parties and/or acting in concert: We encourage firms to disclose instances where any connected parties (such as the spouses of any board members) also have a shareholding in the firm. In addition, we encourage firms to disclose any other personal relationships or connections – for example, between the board members themselves or between board members and investors. This is to ensure that any potential conflicts of interest are identified, disclosed to us and managed appropriately.

Resource links

• Change in control – quick reference guide – This includes information to support firms going through a change in control.
• New firm authorisation – controller forms under ‘Banks: application forms and guidance’ – This provides links to the relevant controller form to be submitted alongside your application.

Recovery planning

Key points

Why is this topic important?

Recovery planning addresses the risk that the management of firms concentrate disproportionately on growth opportunities at the expense of managing downside risk. It advances the PRA’s primary objective to promote the safety and soundness of the firms that we regulate.

We encourage firms to undertake robust and detailed recovery planning so that they are ready for periods of financial stress, can stabilise their financial positions and can recover from financial losses.

Firms should have a number of recovery options and maintain and test their recovery plans on a regular basis. Governance of the recovery plan should be clearly defined and firms should have effective processes to identify and report the risks affecting their ability to recover. Ownership of the recovery plan should be allocated to an appropriate Senior Management Function (SMF) individual.

Expectations

The below figure sets out the key questions that a recovery plan should cover.

Figure 4: Key components of a recovery plan

• A recovery plan is a formal document that includes essential information on how an authorised bank will respond to a financial stress. It captures aspects such as the strategies/recovery options to be used to stabilise and restore the financial position of the firm.
• To ensure that it can be useable in a stress, the recovery plan needs to be sufficiently detailed and practical. Firms should consider the range of recovery options that they have available – what their limitations are, how quickly they can be executed and whether they can be improved over time.
• While the recovery plan is prepared by senior management it should be signed off by the board and refreshed at least annually (or more often if the circumstances demand that). Boards should ensure that the recovery plan (i) has been through the necessary internal governance including ample oversight and challenge and (ii) is credible, realistic and current.
• Firms should consider the components of recovery planning, shown in the chart above, and ensure that these are sufficiently covered in their recovery plans. In addition, firms should consult the relevant PRA and European Banking Authority (EBA) guidance.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• Upon submitting a new bank application, we expect firms to consider all recovery options that they have available to them and to start to build a robust and credible recovery plan.

Upon authorisation of a new bank and beyond

• At authorisation (or exit from mobilisation if this is the chosen route), new banks should have in place a board approved recovery plan.
• Post authorisation, new banks should continue to keep their recovery plans up to date by ensuring that they are sufficiently detailed and appropriate as their firms grow. The plans should be reviewed at least annually.

Common challenges

We encourage firms to consider how they will ensure that their proposed recovery plans and arrangements sufficiently address the below points:

Recovery plans

• Recovery plan indicators: The recovery plan should include a comprehensive set of indicators that are appropriate for the firm’s specific business model and can enable the firm to spot a stress emerging. Setting multiple thresholds for each metric helps the firm to monitor the stress as it unfolds.
  • A breach of an indicator threshold should trigger a governance process where there is a discussion on whether to take any action, ie it should not automatically trigger action. If the Board risk appetite/risk tolerance has been breached, then the Board should be having a discussion over whether management action should be taken. Use of projections, change in metrics and forward looking indicators such as asset quality and macroeconomic indicators could prompt discussions at Board level on whether to take action prior to risk appetite being breached.
  • The calibration of the last recovery indicator threshold should ensure there is sufficient time to execute the remaining, difficult to execute and franchise damaging options. In a stress, we would expect non-franchise damaging actions to be taken well before this point. Firms should articulate how the range and calibration of indicators have been reviewed and challenged and how they have taken into account the EBA guidelines on recovery plan indicators. We expect recovery indicator frameworks to be integrated into the firm’s risk management practices. Firms should ensure they have a coherent process for monitoring indicator metrics within their management information framework. They should set out the governance surrounding the monitoring of indicators and associated escalation procedures.
• Recovery options: The recovery plan should clearly set out the recovery options available. The plan needs to set out why these are feasible and achievable and provide the necessary analysis to justify the conclusions. This includes not only the description of the recovery options but also numerical analysis on how any of the options are capable of restoring the firm. Firms should consider the mutual exclusivity of their recovery options, ie how the implementation of one recovery option may affect their ability to implement other recovery options.
• Governance: The board and senior management must be familiar with the recovery plan. We encourage firms to ensure that their boards and senior management have sufficient knowledge and skills to be able to be fully involved in the development of their recovery plans. This includes ensuring that the recovery plan is taken through the necessary internal governance, including review and challenge, before it is formally signed off by the board.
• Usability and structure: The recovery plan should contain adequate detail to support the firm in the stress. For example, having to clarify decision-making processes or draft communications detracts the board and senior management from being able to respond quickly and effectively to the stress. Therefore, the structure of the recovery plan should ensure that it is practical, usable and accessible during a stress period. Firms should consider designing and implementing fire drill simulation exercises to test their recovery plans as well as developing a playbook, which is a concise implementation guide for the board and senior management.
• Recovery capacity: The recovery plan should include analysis of the firm’s recovery capacity, ie the total financial benefits they could credibly realise in a range of stresses if they need to do so. Recovery capacity should be quantified in terms of CET1, leverage ratio and LCR percentage points and relevant nominal amounts for each scenario included in the plan and the plan should clearly detail the timelines over which these benefits could be realised. SS9/17 sets out an appropriate methodology for calculating recovery capacity.
• Scenario testing: The recovery plan should capture details on scenario testing, ie how firms have considered and decided which options would likely be selected in response to the specific conditions in the different scenarios. Scenario testing is important for demonstrating that the recovery plan is suitable for use in a range of different types of stress, and testing how different elements of the plan (such as indicators, governance and options) would interact in these stresses.

Resource links

• SS9/17 Recovery planning – This document sets out our expectations on the content of recovery plans. It should be read together with the following key documents:
  • The Recovery Planning part of the PRA Rulebook
  • The Commission Delegated Regulation (EU) 2016/1075

Solvent exit planning and resolution

Key points

Why is this topic important?

As new banks build and grow, their focus will be on how to make the firm a success. As such, they may not necessarily consider, at that point, the need to make preparations to exit the market in an orderly way. However, we consider it crucial to have these preparations in place to ensure that if things do not go to plan firms can exit in an orderly manner. These are also needed to ensure that firms comply with the PRA’s Fundamental Rule 8, ‘A firm must prepare for resolution so, if the need arises, it can be resolved in an orderly manner with a minimum disruption of critical services’. This is because competitive markets involve firms being able to enter and exit in an orderly manner. Our aim is not to avoid all instances of firm failure but to ensure that authorised banks would be able to, if necessary, exit in an orderly manner. The orderly exit of a new bank at an early stage of its life is likely to have no or minimal impact on financial stability and is a natural part of a competitive economy.

This topic is particularly important to new banks as the likelihood of exit is higher during the early years of their development. Factors which may lead new banks to exit, include failure to obtain the required capital or inability to realise their business model.

Many new banks operate in highly competitive markets and many have novel and untested business plans. This facilitates innovation and competition but not all of the proposed business models may prove to be viable. Coupled with this, new banks may have fewer recovery options available to them than established banks, meaning that it is crucial that they have the ability to make preparations to exit the market in an orderly way, if needed. A bank may discontinue its business (whether in part or in full) via the following routes:

• Recovery: a firm implements recovery options such as asset sales and disposal options to maintain or restore its viability or financial position following a significant deterioration of its financial situation.
• Solvent exit: a firm ceases its PRA-regulated activities while remaining solvent. The firm should transfer or repay (or both) all deposits as part of its solvent exit.
• Resolution: a firm enters into the resolution regime.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• As part of their pre-application engagement with us, firms should start thinking about orderly solvent exit and resolution planning.

Upon authorisation without restrictions of a new bank and beyond

• Information on resolution planning will be requested from firms in two main phases, Phase 1 and Phase 2, with ad hoc contingent information requests if required. Phase 1 outlines the baseline information needed to establish a resolution strategy and it should be submitted by all firms. Phase 2 outlines the detailed information needed to support the preferred resolution strategy, while ensuring that critical economic functions are maintained and it is tailored to individual firms. Phase 2 information is more likely to be requested from firms with a bail-in or partial transfer resolution strategy. More details on both Phase 1 and Phase 2 resolution planning can be found in SS19/13 Resolution planning.
• As part of a new bank application assessment, firms need to demonstrate that they will be able to exit the market in an orderly way, if needed, and that they will be able to produce a compliant SCV file and the submission of the relevant Phase 1 information as detailed in SS19/13 Resolution planning.
• At authorisation without restrictions, new banks should have in place preparations for a solvent exit approved by the Board and a Phase 1 resolution pack. New banks should also be able to produce credible SCV and exclusions files within 24 hours.
• Post authorisation, banks should continue to prepare for an orderly solvent exit and produce a ‘solvent exit analysis’ as part of their BAU activities, and if needed, a ‘solvent exit execution plan’ when solvent exit becomes a reasonable prospect. A bank should review and update its solvent exit analysis to ensure it remains appropriate as the business develops. More detail on ‘solvent exit analysis’ and ‘solvent exit execution plan’ can be found in SS2/24 Solvent exit planning for non-systemic banks and building societies.
• As a new bank grows, it may become appropriate for the Bank of England to change its preferred resolution strategy (for example, from bank insolvency procedure (BIP) to a transfer or bail-in resolution strategy). Authorised banks should be aware of the PRA’s and Bank of England’s Resolvability Assessment Framework (RAF). Firms need to consider the implications of a change in their resolution strategy and forward plan and how these affect the applicability of different policies, for example minimum requirement for own funds and eligible liabilities (MREL) or operational continuity in resolution (OCIR). Authorised banks should plan for this well in advance and consider how they will transition to meet these policies.

Solvent exit planning – overall expectations

• According to Chapter 7 of the Recovery Plans Part of the PRA Rulebook, a non-systemic firm must prepare for solvent exit so that, if the need arises, it can effect a solvent exit in an orderly manner. Chapter 7 also states that a non-systemic firm must produce and maintain a ‘solvent exit analysis’ and provide this to the PRA on request. SS2/24 Solvent exit planning for non-systemic banks and building societies sets out expectations for the solvent exit analysis, as well as for any ‘solvent exit execution plan’, which a firm should produce when a solvent exit becomes a reasonable prospect.
• The PRA expects banks to have in place preparations for a solvent exit approved by the Board at the point of authorisation without restrictions. The level of detail in the solvent exit analysis should be proportionate to the nature, scale and complexity of the firm. A firm may find it helpful to include the solvent exit analysis as a discrete section of its recovery plan. The firm can also decide to set out the solvent exit analysis separately if the firm finds it appropriate.
• A new and growing bank should have in place clear governance arrangements for solvent exit preparations. The Board of a new or growing bank is expected to play a key role in the approval of solvent exit analysis decision-making to initiate a solvent exit and monitoring of its execution. The PRA expects banks to engage with their supervisor at an early stage on decisions to execute (or not to execute) solvent exit actions.
• If the firm no longer meets the PRA’s and/or FCA’s threshold conditions, and an orderly solvent exit is not possible, the Bank of England and the PRA will assess whether the firm would meet the conditions to be placed into resolution. If it appears to a firm that a solvent exit will no longer be successful, the firm’s directors should consider their fiduciary duties under the Companies Act 2006 and their statutory obligations such as those under the Insolvency Act 1986 and Market Abuse Regulations.

Common challenges

We encourage firms to consider how they will ensure that their proposed solvent exit analysis and preparations sufficiently address the below points:

• Unrealistic expectations: Solvent exit analysis should be proportionate to the nature, scale and complexity of the firm and should take account of plausible circumstances that could lead to it needing to execute a solvent exit. Furthermore, a bank should set out the actions that would be needed to cease its PRA-regulated activities while remaining solvent.
• Insufficient preparation: Solvent exit analysis should include level of detail that is proportionate to the nature, scale, and complexity of a firm. It is essential for new banks to have in place preparations for a solvent exit. A bank should review and update its solvent exit analysis to ensure it remains appropriate as the business develops.
• Resources and costs: A solvent exit itself is likely to lead to additional costs. In addition to costs to cover possible losses (or ‘haircuts’) on the sale of assets or portfolios below book value, these costs may include fees for specialist services, redundancy and retention payments, contract termination penalties and pension fund deficits. The firm should therefore identify the absolute minimum level of financial resources needed, below which there would be no reasonable prospects of successfully executing a solvent exit. Furthermore, a firm should consider the non-financial resources needed to execute a solvent exit, including the costs of maintaining these resources throughout the execution of the solvent exit.

Resolution planning

As described in the Bank of England’s approach to resolution, the Bank of England is responsible for taking action to manage the failure of banks, building societies and certain investment firms. This process is known as ‘resolution’. It is distinct from a normal corporate insolvency. The Bank of England carries out a resolution if it determines that action is needed to protect financial stability. Resolution is designed to protect the stability of the financial system of the UK by ensuring continuity in critical economic functions, including deposits, as well as to avoid the use of public funds to support failed banks.

• Resolution takes place if a bank is ‘failing or likely to fail’ and it is not reasonably likely that action will be taken by the firm to change this. But resolution powers are only used if it is in the public interest. Two conditions must be met before a firm is resolved by the Bank of England:
  • Firstly, the firm must be deemed ‘failing or likely to fail’. This includes where the firm is failing or likely to fail to meet the PRA’s and FCA’s threshold conditions in a manner that would justify the withdrawal or variations of their authorisation. The specific threshold conditions include that the bank must have: (i) adequate resources to satisfy applicable capital and liquidity requirements; (ii) appropriate resources to measure, monitor and manage risk; and (iii) fit and proper management who conduct business prudently. This assessment is made by the PRA, having consulted with the Bank of England as a resolution authority.
  • Secondly, it is not reasonably likely that action will be taken that will result in the firm recovering. This assessment is made by the Bank of England, as a resolution authority, having consulted the PRA, the FCA and HM Treasury (HMT).
• The conditions for entry into the resolution regime are designed to strike a balance between, on the one hand, avoiding placing an authorised bank into resolution before all realistic options for a private sector solution have been exhausted and, on the other, reducing the chances of an orderly resolution by waiting until it is technically insolvent.
• The determination that a bank satisfies the conditions for resolution discussed above does not, on its own, allow the use of all the resolution tools. Resolution powers allow the authorities to take actions, which directly affect people’s property rights and should therefore not be exercised unless justified in the public interest. In conducting the public interest assessment, the Bank of England must determine that resolution action is necessary to advance its statutory resolution objectives – those are summarised in Figure 2 of The Bank of England's approach to resolution, December 2023.
• If the public interest test is not met, firms are placed instead into a modified insolvency regime, if they hold deposits or client assets, and a normal corporate insolvency if they do not.
• The Bank of England sets the preferred resolution strategies for all authorised banks. For non-systemic authorised banks that do not supply transactional accounts or other critical functions to a scale likely to justify the use of resolution tools, the preferred resolution strategy is the applicable modified insolvency procedure. This is the bank insolvency procedure (BIP) as described in the Banking Act 2009, which is designed to ensure that, where a bank fails, depositors who are eligible claimants under the terms of the Financial Services Compensation Scheme (FSCS) are paid out promptly. Under this, the authorised bank’s business and assets are sold or wound up after covered depositors have been paid by the FSCS or had their account transferred by the insolvency practitioner to another institution using FSCS funds. BIP is likely to be the preferred resolution strategy for most new banks. Note that:
  • A transactional account refers to an account used at least nine times in the three months prior to an annual monitoring date.
  • The Bank of England will re-confirm and pursue the appropriate resolution strategy that best meets the statutory resolution objectives, including use of stabilisation powers, taking into account the circumstances at that time of a firm’s failure.
• In order to support orderly resolution, all authorised banks must maintain a SCV and exclusions files and are required to provide these to the PRA or FSCS within 24 hours of a request – these are formal documents which list all depositors including all necessary details for the FSCS to be able to facilitate a payout. Authorised banks should have the necessary systems and processes in place to be able to automatically identify the amount of covered deposits payable to each depositor and identify any portion of an eligible deposit that is over the specified coverage level.
• Authorised banks should prepare and maintain resolution packs . This will need to include Phase 1 information as described under SS19/13 Resolution Planning.

Resource links

• SS3/21 Non-systemic UK banks: The Prudential Regulation Authority’s approach to new and growing banks – This outlines our expectations of firms and new and growing banks and how those evolve throughout the authorisation journey.
• SS19/13 Resolution Planning – This document sets out our expectations on the information that authorised banks should include in resolution packs.
• SS2/24 Solvent exit planning for non-systemic banks and building societies – This outlines the PRA’s expectations for non-systemic banks and building societies in the UK to prepare, as part of their BAU activities for an orderly ‘solvent exit’; and if needed, to be able to execute one.
• The Bank of England’s approach to resolution – This includes lots of useful resources on the UK resolution regime including a link to the Bank of England’s approach to resolution (also known as the ‘Purple Book’).
• Bank of England's Resolvability Assessment Framework (RAF) – This includes details on the RAF and a link to the latest Statement of Policy ‘The Bank of England’s approach to assessing resolvability’.

Operational resilience, outsourcing and IT

Key points

Why is this topic important?

Operational resilience supports the objectives of the PRA and the FCA by ensuring that firms can recover from operational disruptions, before they threaten to cause customer harm, disrupt market integrity, or threaten the safety and soundness of firms.

Our approach to operational resilience is based on the assumption that, from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period. As a result, it is important for firms to have an effective governance framework that manages the risk of operational disruption and resilience of its important business services.

It is important for firms to be able to identify their important business services (as per SS1/21) and set impact tolerances for those services. We require firms to ensure they are able to deliver their important business services within impact tolerances in severe but plausible scenarios. Mapping and testing the delivery of important business services will equip firms to identify and remediate vulnerabilities and establish whether and how they can remain within impact tolerances.

A clear focus by Boards and Senior Management on their firm’s operational resilience will become increasingly important as the wider financial sector becomes more dynamic, complex and reliant on technology and third parties. Moreover, international interconnectedness is increasing, for example as UK firms may outsource to cloud computing providers operating in a number of different countries. While this can improve firms’ resilience, it also gives rise to new risks to new operations which the Regulators expect firms to manage effectively.

Firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations. Firms must be able to remain within impact tolerances for important business services, irrespective of whether or not they use third parties in the delivery of these services. This means that firms should effectively manage their use of third parties to ensure they can meet the required standard of operational resilience.

Further details on our expectations in this area can be found on the FCA Outsourcing and Operational Resilience webpage.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• As part of their pre-application engagement, firms should start thinking about their approach to operational resilience, outsourcing and IT arrangements.
• Upon application, we expect firms to have an approach to identifying their important business services, which if disrupted, could pose a risk to a firm’s safety and soundness or the financial stability of the UK. Firms are also required to have an approach for setting impacts tolerances for each of their important business services.
• Firms may refer to the operational resilience information request; new banks outsourcing and third-party information request; and important business services and impact tolerances documents as key considerations when developing their approaches to operational resilience and outsourcing arrangements.

Upon authorisation of a new bank and beyond

• We expect firms to have identified their important business services and set the impact tolerances prior to being authorised without restrictions. When setting an impact tolerance for an individual important business service, we expect firms to take into account the impact of failure of other related important business services.
• Firms are required to submit the operational resilience information request; new banks outsourcing and third-party information request; and important business services and impact tolerances documents prior to submitting their variation of permission application.
• The FCA also expects firms to set impact tolerances including harms to consumers and risk to market integrity for each of their important business services.
• Firms should consider the practicalities of how they identify their important business services. For example, firms should identify important business services so that: an impact tolerance can be applied and tested; and Boards and Senior Management can make prioritisation and investment decisions. When assessing if Boards and Senior Management can make effective prioritisation and investment decisions relating to important business services, firms are expected to consider whether the number of important business services is proportionate to their business. It is likely that larger firms will identify a larger number of important business services than smaller firms.
• Firms should map their important business services by identifying and documenting the technology, so they have a clear picture of the resource and technology estate for important business services to function effectively, and the impact if disrupted.
• Firms who use third-party providers and services for important business services are expected to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management, systems and controls.
• We expect firms to review their important business services annually at a minimum, or sooner if a significant change occurs, and to determine whether any changes are required to their list of important business services.
• Firms should design operational resilience into their business processes and controls from the outset and follow all relevant policies. Firms need to ensure they consider important business services, impact tolerances and scenario testing when looking at broader elements of operational risk management, such as Incident Management; Business Continuity Planning; and IT Change management and Outsourcing. Boards are expected to lead on and be actively involved in the oversight of its firm’s operational resilience work.
• Firms should establish clear accountability and responsibility for the management of operational resilience. We expect firms to structure their oversight of operational resilience in the most effective way for their business, using existing committees and roles or establishing new ones if necessary.
• Boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each of these. A firm’s Board must regularly review the firm’s important business services, impact tolerances, and written self-assessment. A good self-assessment document serves as a point-in-time view as to where a firm is against the policy. The self-assessment should include information such as who is the accountable owner for the firm’s Operational Resilience compliance programme, and what the governance is around the programme and self-assessment process, including around how mapping and scenario testing plans are agreed and approved.
• Furthermore, the self-assessment document should include a sufficient level of detail to allow any Board member to understand their firm’s progress, strategy, and further plans on getting assurance that the firm can remain within impact tolerances for all important business services. A self-assessment should also include a brief description of each important business service, the rationale for why it is ‘important’, all relevant impact tolerances, and a brief explanation of the impact if each of these impact tolerances were breached and provide sufficient details of their scenarios in their self-assessments, in particular their response and recovery plans and the steps taken to remain within impact tolerances.
• Firms should develop forward testing plans with defined severe but plausible scenarios, and ensure they also have a process in place to incorporate lessons learnt from testing results. Firms should continue to scan the threat landscape to identify emerging risks, which in turn are to be incorporated into scenarios and testing plans.
• While individual Board members are not required to be technical experts on operational resilience, we expect Boards to ensure that they have the appropriate management information. Boards should also collectively possess adequate knowledge, skills and experience to provide constructive challenge to senior management and inform decisions that have consequences for operational resilience.

Common challenges

Some of the concepts in our operational resilience policy and rules are new for incumbent firms; they had to identify their important business services based on the services they were already providing to their customers and set impact tolerances accordingly. We expect identifying important business services to be simpler for new firms and encourage these firms to consider how they will ensure that they build operational resilience into their business operations from the beginning. Their approach will need to cover the points below:

• Governance: Good governance is critical in firms delivering a sound and well-run business. To demonstrate operational resilience, firms are expected to have an effective governance framework that manages the risk of operational disruption to and resilience of its important business services. Firms need to establish clear accountability and management of operational resilience and implement and oversee this in the most effective way for their business. Where it exists, the Chief Operations Senior Management Function (SMF) 24 should hold overall responsibility for implementing operational resilience policies and reporting on these to the board. If this SMF function is shared or split among two or more individuals, we expect there to be clear delineation of accountability.
• Setting impact tolerances: The PRA and FCA require firms to consider both of their respective objectives when setting impact tolerances. Where appropriate, a firm may set its PRA impact tolerance for a given important business service at the same point as its FCA impact tolerance. The PRA expects that work done to meet the requirements of one regulator should be leveraged to meet those of the other and would encourage firms to avoid duplicative work. Firms should consider supplementing their quantitative impact tolerances with additional metrics and management information to underpin the impact of an important business service being disrupted (eg, number of customers impacted, number of transactions or value of transactions). This will help to plan for any mitigating actions a firm may need to take while the important business service is being fully restored.
• Reliance on outsourcing arrangements: Firms should understand the reliance placed on outsourcing arrangements and if these arrangements pose a threat to their operational resilience. Firms that enter into outsourcing arrangements remain fully accountable for complying with all regulatory requirements. Therefore, a firm will remain responsible if a third-party provider on whom it relies, wholly or in part, to provide an important business service, causes the firm to fail to remain within impact tolerance for one or more important business service. Firms should ensure that service providers have the ability and capacity on an ongoing basis to appropriately oversee any material outsourcing in line with the firm’s relevant policy or policies.
• Technology obsolescence and rapid technology change: We expect firms to have sound and effective systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption. As part of this, firms need to ensure that there is detailed planning in place to address the risk of ageing technology. Mapping the systems and processes which underpin each important business service will help to ensure that impact tolerances are considered when IT changes are being proposed, designed, and implemented. This applies to replacing ageing systems, but also to dealing with rapid technology change.
• Rapid short-term business growth: Rapid short-term growth can lead to poorer outcomes for firms, their customers, and other counterparts. New and growing banks do not always seem aware of the importance of developing their control environment in line with the size and/or complexity of their business. We observed a theme of banks outgrowing their control environment and having to retrospectively invest in control functions. This is not an appropriate way to develop the business and in the long run can be more expensive, as banks may then need to undertake extensive remediation activity. The governance and controls which are appropriate at authorisation are unlikely to remain appropriate as the bank grows, and consequently banks should expect to make significant investment in controls in their early years of operation and plan for this accordingly. We expect firms to take action where they identify a limitation in their ability to deliver important business services within impact tolerances. We expect firms to develop and implement effective remediation plans for the important business services that would not be able to remain within their impact tolerance. Firms should take prompt action where they cannot remain within the impact tolerance, so these plans should include appropriate timing for the necessary improvements.
• Lack of clear communication strategy: We expect firms to develop communication strategies for both internal and external stakeholders as part of their planning for responding to operational disruptions. These communication plans should be developed with a view to reducing harm to counterparties (including customers) and other market participants and supporting confidence in both the firm and financial sector. We expect firms’ plans to include the escalation paths they would use to manage communications during an incident and to identify the appropriate decision makers. For example, the plan should address how to contact key individuals, operational staff suppliers and the appropriate regulators.

Resource links

• SS3/21 Non-systemic UK banks: The Prudential Regulation Authority’s approach to new and growing banks – This outlines our expectations of firms and new banks and how those evolve throughout the authorisation journey.
• SS1/21 Operational Resilience: Impact tolerances for important business services – This sets out our expectations for the operational resilience of firms’ important business services, for which they are required to set impact tolerances.
• SS2/21 Outsourcing and third-party risk management – This outlines our expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management.
• FCA Outsourcing and operational resilience.
• FCA Handbook SYSC 13.9 (Outsourcing) and SYSC 8.1 (General outsourcing requirements).
• Operational resilience information request; new banks outsourcing and third-party information requests; and important business services and impact tolerances documents – These are documents are to be completed and submitted prior to submitting a Variance of Permission application.

Conduct risk of harm and Consumer Duty

Key points

Why is this topic important?

For a firm to be authorised as a new bank, its affairs must be conducted in an appropriate manner having regard to the interests of consumers and the integrity of the UK financial system.

The FCA’s Consumer Duty requirements came into force on 31 July 2023, and set higher and clearer standards of consumer protection and require firms to put their customers’ needs first.

The Consumer Duty sets out four outcomes that cover the key elements of the firm-customer relationship. The Duty means consumers should receive communications they understand, products and services that meet their needs and offer fair value, and receive the customer support they need when they need it.

We want good outcomes for customers to be at the heart of firms’ strategies and business objectives, and leaders have a key role to play here. Firms’ Boards and senior management should embed the interests of customers into the culture and purpose of the firm.

Expectations

• An effective conduct risk framework should be established and embedded throughout the firm’s business model, in order to identify and manage conduct risks or customer harms which could arise from the firm’s business model, strategy or culture and governance arrangements.^{footnote [3]}
• Firms should act to deliver good outcomes for retail customers and act in good faith towards customers, avoid causing them foreseeable harm, and enable and support them to pursue their financial objectives.
• The Consumer Duty applies to products and services offered to retail customers, and to all parts of the business who determine or have a material influence over customer outcomes – not just those with a direct customer relationship.
• We want firms’ Boards and senior management to make good outcomes for consumers central to their culture, strategy and business objectives, and expect firms to have a champion at Board (or equivalent governing body) level.
• A key part of the Duty is that firms are able to define, monitor, evidence and stand behind the outcomes their customers are experiencing. This monitoring must enable firms to identify where customers, or groups of customers, are experiencing poor outcomes, and where this is the case firms must take appropriate action to rectify the situation.

Common challenges

We encourage firms to consider how their implementation of Consumer Duty sufficiently address the below points:

• Customers outcomes versus requirement: Firms may potentially underestimate what the Consumer Duty requires of them when designing and building its business model, for example because it considers itself to be providing very niche services or products in the sector.
• Adequate resourcing: We appreciate the importance of the firms to ensure adequate resourcing of implementing the Consumer Duty in the design of the bank, including investing sensibly in support or advice from third-party experts where that assists or adds value.
• Adequate data needs: Firms should adequately assess the extent of the data needs associated with the Consumer Duty. Firms must carefully design, source, and deliver the data and dashboards they will need for this (emphasis on the quality, focus and clarity of management information and indicators rather than their quantity), and establish mechanisms for governing and reviewing those and acting promptly on them.
• Embedded in the risk management framework (RMF): Firms need be able to demonstrate how their RMF captures the Consumer Duty, and how it effectively monitors, controls and reports the risks.

Resource links

• Consumer Duty – This includes final rules and guidance for the Consumer Duty, information for firms and other publications.
• Dear CEO Letter dated 3 February 2023 Implementing the Consumer Duty in the Retail Banks and Building Societies sector – This sets out FCA’s expectation for how firms should embed the Consumer Duty.

Financial crime risk

Key points

Why is this topic important?

Firms should have systems and controls in place to mitigate the risk that they might be used to commit financial crime to ensure the integrity of the UK financial markets. By implementing effective systems and controls, firms can detect, prevent and deter financial crime.

Expectations

• Firms must prove that they have robust governance, effective risk procedures and adequate internal control mechanisms to manage their financial crime risk. The systems and controls need to be appropriate and proportionate to the nature and scale of the firms’ business. There is no 'one size fits all' approach that firms are expected to adopt. It will vary, for example, between large firms and small firms, firms operating in products or areas of high risk, and those offering products to customers where the firm assesses there is less financial crime risk.
• Senior management should take clear responsibility for managing financial crime risks and be actively engaged in addressing these risks.
• Firms should submit their business-wide risk assessment as part of the application and financial crime risks will be discussed in detail throughout the pre-application phase.
• Firms must have up to date policies and procedures that can be easily accessed and understood by all staff, and employ staff who have the skills and expertise to do their jobs effectively.
• Firms must ensure that their financial crime controls remain fit for purpose and keep pace with the growth of the business.
• Firms should be mindful and responsive to emerging financial crime risks eg fraud.

Common challenges

In relation to the financial crime risk systems and controls, we encourage firms to refer to the FCA’s Financial Crime Guide and Financial Crime Thematic Reviews guide (under Regulatory Guides), which gives examples of good and poor practice of:

• governance;
• structure;
• risk assessment;
• policies and procedures;
• recruitment, vetting, training, awareness and remuneration (pay); and
• quality of oversight.

Resource links

• Financial crime – This sets out FCA’s approach on financial crime and provides some good and poor examples.
• Fraud – This sets out FCA’s approach on fraud and provide some key issues relating to fraud.
• Proceeds of fraud – Detecting and preventing money mules – Sets out key findings from a review of payment account providers’ systems and controls against money mule accounts.

Financial-related climate risks

Key points

Why is this topic important?

Climate change affects our planet, our economy, and our financial system. As such, the risks from the physical effects of climate change and the transition to a net-zero economy are relevant to the Bank of England’s mission to maintain monetary and financial stability. In particular, these risks pose a threat to the stability of the wider financial system, and the safety and soundness of firms the PRA regulates.

We expect firms to take a strategic forward-looking approach to managing climate-related financial risks (‘climate risks’) and take appropriate actions to mitigate these risks. From January 2022 onwards, all authorised firms including those in mobilisation, are expected to meet the PRA’s supervisory expectations in relation to climate risks, as set out in SS3/19 (Enhancing banks’ and insurers’ approaches to managing the financial risks from climate change). To note, SS3/19 applies to UK incorporated banks and subsidiaries of international banks; third-country branches are not in scope, although we consider it good practice for branches to meet our expectations to the best of their ability. Furthermore, in October 2022, we sent a Dear CEO follow-up letter to all firms within scope to provide thematic feedback on firms’ management of climate risks, including observations of good practice. We continue to actively supervise firms against SS3/19 expectations.

For a firm to be authorised as a new bank, we need to be satisfied they have in place a strategic approach to managing climate risks (reflected across key documentation) and a clear plan detailing how they intend to further strengthen their approach, as they grow and evolve over time.

Expectations – how do they evolve throughout the authorisation process?

Pre-application

• As part of their pre-application engagement with us, firms should refer to SS3/19 and start thinking about how they will design their strategic approach, covering governance, risk management, scenario analysis, and disclosure. Firms should incorporate this thinking into their RBP and supporting documentation.

Application

• As part of a new bank application and prior to the point of authorisation, we expect firms to develop a strategic approach in relation to managing climate risks in line with SS3/19. Firms’ strategic approaches should be reflected across all key documentation, including (but not limited to) the RBP, ICAAP, risk appetite statement, risk management framework, and management responsibilities map. Firms’ approaches should be robust, forward-looking, and proportionate to the size, nature, and complexity of the firm’s business. We appreciate that firms’ approaches will mature as they grow and evolve over time. Nevertheless, it is important that firms adequately consider climate risks and develop a strategic approach from the outset to ensure they are well-prepared to manage these risks effectively.
• For firms using the mobilisation route, we expect these firms to:
  • demonstrate they have a sound understanding of the impact of climate risks on their business model;
  • to develop a high-level strategic approach by the time they enter mobilisation; and
  • to have a clear plan in place in terms of how they intend to strengthen and embed their strategic approach and continue to meet our SS3/19 expectations for the post-mobilisation business model by the time they exit mobilisation.

Upon authorisation of a new bank and beyond

• We expect firms that have been authorised with restrictions (using mobilisation) to embed their strategic approach in relation to managing climate risks and be on track to meet our SS3/19 expectations by the time they exit mobilisation. We expect firms to further strengthen and refine their strategic approach over time.
• We expect firms that have been authorised without restrictions (including those that have exited mobilisation) to have in place a robust and well-embedded strategic approach in relation to managing climate risks. Firms should consider whether any further development and/or remediation is appropriate to bridge any gaps in terms of meeting our SS3/19 expectations. Firms should ensure they dedicate adequate resources and develop in-house skills and expertise to allow them to manage climate risks effectively.

Common challenges

We encourage firms to consider how they will ensure that their strategic approach in relation to managing climate risks sufficiently addresses the following key issues:

• Governance: We expect firms to put in place a clearly articulated strategic approach in relation to managing climate risks. We expect a firm’s Board to understand climate risks, including a longer-term view of the risks that can arise beyond standard business planning horizons and be well-equipped to address and oversee these risks within the context of the firm’s overall business strategy and risk appetite. We expect a firm’s Board to have clear responsibilities in terms of managing these risks, with clear monitoring and escalation procedures, and for the Board and its sub-committees to be provided with timely, accurate, and comprehensive Management Information. We also expect firms to allocate responsibility for identifying and managing climate risks to a relevant Senior Management Function holder and the allocation of proportionate resources, skills, and expertise. Firms should consider, early in the process, how to best formulate and articulate their strategic approach. Firms should also take steps to provide sufficient evidence that their Boards and key committees are actively taking climate considerations into account during discussions (eg, on the firm’s business strategy, risk profile, risk appetite and wider governance arrangements).
• Risk management: We expect firms to have a credible Board-approved risk appetite statement in relation to managing climate risks and to adequately account for climate risks in their risk management framework and other key documentation. Firms should focus, early in the process, on setting their climate risk appetite and demonstrating how they will assess their exposure and mitigate climate risks in practice. Firms should also put in place an appropriate range of quantitative and qualitative tools/metrics to measure and monitor their exposure to climate risks in line with their overall business strategy and risk appetite, and ensure their approach is adequately documented and integrated across key policies and reports. Firms should ensure they set out appropriate recognition and assessment of material exposures relating to climate risks in their ICAAP submissions. Firms should also seek to understand the potential current and future impacts of physical and transition risk factors on their customers, counterparties, organisations in which the firm invests or may invest.
• Scenario analysis: We expect firms to make use of credible scenario analysis and stress testing to inform their strategic planning and risk identification, and to accurately determine the impact of both short-term and long-term financial risks from climate change on their overall business strategy and risk profile. We expect firms’ scenario analysis to explore a range of relevant scenarios, and hence address a range of potential outcomes, relating to different climate transition paths. Firms should ensure they make appropriate use of climate scenario analysis (both in terms of breadth and depth) which is required to adequately inform their risk identification and risk management processes. Firms should also consider ways to remediate potential data limitations and enhance their quantitative modelling capabilities.
• Disclosure: We expect firms to develop and maintain a reasonable approach to the disclosure of its climate risks. This should be proportionate to the size, complexity, and business model of the firm. We also encourage firms to consider if they would benefit from the recommendations of the Task Force on Climate-related Financial Disclosures and wider initiatives on climate-related financial disclosures. Firms should also consider ways to enhance their integrated disclosure reporting capabilities.

Resource links

• SS3/19 Enhancing banks’ and insurers’ approaches to managing the financial risks from climate change – This sets out the risk factors through which financial risks from climate change arise, and sets out the PRA’s expectations in relation to the strategic approach taken by firms in terms of managing the financial risks from climate change.
• Dear CEO Letter (Oct 2022) – This sets out thematic feedback on the PRA’s supervision of climate risks and the Bank of England’s 2022 Climate Biennial Exploratory Scenario exercise.
• Climate change – This sets out recent publications, updates, and speeches by the Bank of England (including the PRA) in relation to climate change.