On the day it confirmed a change to its penalty policy that many expect will lead to larger penalties, the PRA issued its second largest ever fine (£57.4 million), for breaches arising from HSBC’s improper implementation of requirements in the Depositor Protection Rules regarding Financial Services Compensation Scheme (FSCS) protection. The action is the first taken by the PRA involving a breach of the requirement under Fundamental Rule 8 to prepare for orderly resolution.
What happened?
The PRA found that, from the ring-fencing of its UK retail banking arm in 2015 until 2022, HSBC did not accurately identify deposits that were eligible for the FSCS, which ensures that deposits up to a certain amount are protected if a bank collapses.
What breaches did the PRA find?
The PRA found breaches of PRA Fundamental Rules by one or both HSBC entities named in the notice between 2015 and 2022:
- Fundamental Rule 2: A firm must conduct its business with due skill, care and diligence.
- The PRA found a lack of completed single customer view (SCV) effectiveness reports as required under the Depositor Protection Rules, inadequate SCV systems, and inadequate verification procedures and governance processes to prevent incorrect attestations.
- Fundamental Rule 6: A firm must organise and control its affairs responsibly and effectively.
- The final notice highlights the PRA’s continued focus on assigning clear ownership of risks and responsibilities between business lines and functions, including within Regulatory Compliance, and ensuring a Senior Manager is allocated overall responsibility to oversee compliance with every aspect of the firm’s business, including compliance with the Depositor Protection Rules.
- Fundamental Rule 7: A firm must deal with its regulators in an open and co-operative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.
- The concerns expressed in the notice emphasise the PRA’s sustained focus on cooperation and communication between industry participants and regulators. The notice suggests that a firm's ongoing investigation into issues does not absolve it of its responsibility to notify the PRA (or other regulators) of the identified concerns. It is clear that the PRA expects to be informed quickly that an issue has potentially occurred and that firms should not wait for the conclusion of any internal investigation regarding the extent of any issue.
- Fundamental Rule 8: A firm must prepare for resolution so, if the need arises, it can be resolved in an orderly manner with a minimum disruption of critical services.
- This is the first time that the PRA has found a breach under this rule, which was prompted by HSBC incorrectly marking its deposits as ineligible for FSCS protection. Reflecting wider difficulties in the market in obtaining an accurate and complete SCV, HSBC did not produce finalised versions of annual SCV effectiveness reports confirming its compliance with the Depositor Protection Rules. HSBC was therefore held not to have been appropriately prepared for resolution.
The PRA also found breaches of Rules 11, 12, 14 and 50 of the Depositor Protection Part of the PRA Rulebook for failing to prepare for resolution.
What about the penalty?
The PRA did not require disgorgement as HSBC had accounted to the FSCS for underpayments to the FSCS arising from its inaccurate eligibility assessments.
As with other recent notices, the PRA decided that revenue was not a suitable indicator of harm in this case and proposed a starting figure of £96.5 million by reference to its assessment of seriousness and impact rather than to any quantified metric. The figure was reduced by only 15% in acknowledgement of HSBC’s cooperation and early admissions, its sharing of privileged documents, and the remedial actions undertaken. HSBC also received a 30% reduction on the fine for settling early.
What are the takeaways?
- Establish Clear Ownership: Clearly define and assign ownership roles for compliance processes among Senior Managers and ensure that there is a Regulatory Compliance owner for each critical attestation process. Senior Managers should ensure they are fully informed of evidence relating to attestations before signing off on their accuracy. Oversight must be based on a smooth flow of management information and clear escalation arrangements.
- Enhance Governance Structures: Improve the governance and internal escalation framework to include defined responsibilities and adequate resources for Depositor Protection Rules implementation. This includes ensuring accurate SCV systems and controls and clarity regarding responsibility for producing and approving SCV effectiveness reports.
- Streamline Attestation Processes: Create a more orderly and timely attestation process, with necessary checks in place well ahead of deadlines to avoid last-minute rushes. Ensure systems and controls are in place to correctly mark eligible and ineligible deposits, and that attestations made to regulators are based on thorough due diligence.
- Regular Reporting and Auditing: Implement regular checks and internal audits of the FSCS reporting process to detect and rectify any inconsistencies or exclusions in a timely manner.
- Ongoing Investment in Compliance: Ensure that 2LOD Risk and Compliance functions are resourced appropriately and capable of identifying and addressing deficiencies in compliance. It's critical for banks to regularly invest in and update their 2LOD resources, procedures and systems.
- Prompt Communication with Regulators: Establish protocols for prompt and transparent communication with regulators such as the PRA. Act swiftly on identified issues, notifying the PRA at an early stage, and taking immediate steps to remedy the problems without waiting for the conclusion of internal investigations.
- Documentation and Record-Keeping: Maintain thorough documentation throughout all processes, including attestations and effectiveness reports, to support regulatory compliance and Senior Manager reasonable steps.
- Training and Awareness: Ensure that all relevant staff are adequately trained and aware of the compliance requirements, particularly those concerning depositor protection and SCV files.
What’s next?
The PRA’s action reinforces key issues that the FCA and PRA have been concerned with in recent years, including the allocation of risk oversight between 1LOD and 2LOD, clarity in allocation of responsibility among Senior Managers, FR7/Principle 11 requirements regarding cooperation with regulators, resourcing and skill development within lines of defence, and accurate MI and regulatory reporting. This action should help firms and their Senior Managers in reviewing their arrangements in these areas to ensure they are working effectively. In addition, as attestations to the regulators are being used more frequently (including in the context of PRA enforcement investigations under its new Early Account Scheme), it is important that firms are alive to the importance of properly scoping any commitments to the regulators and ensuring they have appropriate evidence in support.