EVENT: PRA Staff Brief Arab banks on expectations and developments
Date: 27th November, 2018 Time: 02:30 pm - 04:30 pm
We typically host meetings between London-based Arab banks and representatives of the UK banking regulators every six months. On 27 November, it was the turn of the Prudential Regulation Authority (PRA). The PRA sent six executives from their Overseas Banks division and a specialist on Cyber and Operational Resilience. Twenty-eight Arab bank executives attended, from 18 institutions, including eleven CEOs/General Managers.
The briefing lasted for about an hour and a quarter, after which participants were able to mix informally with the PRA executives over tea and snacks.
The meeting was held under the Chatham House Rule. Our editor has prepared a summary of the main points that were discussed:
Cyber and operational resilience
1. The PRA issued a discussion paper last summer which included three key concepts:
- Banks should assume that ‘something will happen.’ They should not focus solely on securing their perimeter. There should be an assumption that bad actors will be able to get inside the perimeter – how quickly and effectively will the bank be able to react when that happens?
- Banks should consider the taxonomy of services that they provide to customers and to the economy and think about how they will be able to continue providing those services in the context of cyber/other operational disruption.
- Banks should consider the impact that cyber/other operational disruption could cause – at what point would a bank’s franchise be affected, or its ability to provide services to the economy be compromised?
2. The PRA wants banks to focus on resilience
The threat of a power failure is real, but it is a ‘static’ threat – it does not change. However, cyber threats are continually changing – they are ‘adaptive threats’, and a bank’s defensive strategy has to adapt and evolve accordingly.
3. The PRA said that its inspectors had identified some common weaknesses in banks' cyber resilience, many of which were very basic:
- Changing passwords regularly and ensuring password complexity, and preventing inappropriate password sharing
- Applying ‘patches’ when they are available
- Overconfidence in perimeter defences (see above)
- Ensuring that if the perimeter is breached, bad actors cannot then export data in a usable form (‘What happens once a bad actor is inside the perimeter?’)
- Banks should know their ‘data footprint’
- Banks should be aware of their social media presence
- Banks should recognise the importance of people and human behaviour in maintaining cyber security (i.e. not place too much faith in codes, passwords etc.)
The PRA is planning both for a negotiated withdrawal and for a non-negotiated withdrawal (‘hard Brexit’). When the UK leaves the EU, EU firms who currently work in the UK under passporting arrangements will become third country firms. The PRA is hoping to avoid a ‘cliff edge’ effect in the event of a ‘hard Brexit’ by putting in place temporary arrangements. The PRA is currently addressing this issue in respect of about 160 banks and insurers.
Governance and Senior Managers and Certification Regime
Comments made by the PRA staff included:
- Poor governance is often a leading indicator of other problems such as risk management, capital and even liquidity.
- The PRA has been looking at SMP applications in isolation but they recognise that they need to consider them also in relation to the management group – does an appointment contribute to the overall management group that is appropriate for this institution?
- There were concerns that SMR would affect recruitment: deputies not wanting to go for top jobs due to increased regulatory burden, and potential Independent Non-Executive Directors (INeds) declining appointment. In fact, the PRA is not seeing this problem emerging.
- Time-limited appointments and conditional appointments are proving successful. Time-limited appointments can be used when someone steps into a role for 6-12 months pending a more permanent appointment to that post. Conditional approvals may be given when the PRA would like a person to attend a training course, or show that they can implement a large project, because they do not at that time have a track record strong enough to assure the PRA.
- Two years ago, the PRA sent a ‘Dear CEO’ letter on the importance of diversity and inclusion. They will be following up on this in forthcoming meetings. The PRA wants to see diversity of experience and of skills so as to avoid groupthink. It is important to have bankers on banks’ Boards, but there is also value in having people from other professional areas.
Financial Risks from Climate Change
In September 2018, the BoE published a paper, Transition in thinking: The impact of climate change on the UK banking sector. It identified two ‘risk factors’: physical risks that arise from weather-related events, such as heatwaves or storms; and transition risks that arise from the process of adjustment towards a low carbon economy. (An example of the latter could be the declining value of a property portfolio, if the properties are not energy efficient and are therefore subject to higher taxes.)
Based on this paper, and interactions with banks and insurers, the BoE has issued a Consultation Paper seeking views on a draft Supervisory Statement. The consultation closes on 15 January 2019. A link to the consultation (and the paper) is here.
Home State Supervisory Engagements
Two weeks ago, PRA staff met with counterparts in Kuwait, Qatar and the UAE. They hope to build more regular contact with such regional supervisors.
An SPV has now been set up. This is a major step forward. The PRA hopes to have the facility running by the end of 2019 or in early 2020. It will be available to banks that cannot use the Sterling Monetary Framework. (So, conventional banks with significant Shari’ah-compliant operations will not be able to use it since they are able to use the SMF.)
The PRA said that the FCA has more regulatory treatment than the PRA in this area, and it does not seem likely that there will be new initiatives from them. The Financial Policy Committee sometimes issues statements on buy-to-let. An ABA member commented that the regulators should recognise differences in the quality of buy-to-let portfolios – for example if a very wealthy individual has a portfolio, the risk to the bank that the portfolio might decline in value could be minimal, in view of the underlying wealth of the owner.