Prudential Regulation Authority Rulebook

3.1

The initial years following authorisation involve significant change and development, as banks test and refine their business models and develop the governance and controls to support their growth ambitions. In order to facilitate competition, at authorisation new banks do not have to meet all PRA expectations of established banks. However, this is acceptable only for a limited period. As banks grow and develop in the years following authorisation, the PRA’s expectations increase correspondingly. While there are no time limits, the PRA would typically expect banks to have a mature control environment within five years of authorisation.

3.2

New and growing banks do not always seem aware of the importance of keeping their control environment in line with the size or complexity of their business. The PRA has observed a theme of banks outgrowing their control environment and having to retrospectively invest in control functions. This is not an appropriate way to develop the business and in the long run can be more expensive, as banks then have to undertake extensive remediation activity. The governance and controls which are appropriate at authorisation are unlikely to remain appropriate as the bank grows, and consequently banks should expect to make significant investment in controls in their early years of operation.

3.3

It is important that new and growing banks understand all applicable rules, policies and regulatory expectations that come with being an authorised bank, and demonstrate this in the way they conduct their business and interact with regulators. The PRA provides support to prospective banks as they go through the pre-application process, but authorised banks must operate independently and have a mature and constructive relationship with their supervision team, in accordance with the PRA’s Fundamental Rules.

3.4

New and growing banks are often loss making initially and rely on regular capital injections to maintain their capital adequacy. The PRA understands this is often a feature of new businesses, but it is of course not sustainable over the longer term and creates a vulnerability to capital not being available when needed. Banks should focus on reaching profitability and the ability to achieve organic capital generation within a reasonable time period following authorisation, recognising that the longer they are unprofitable, the more uncertainty there is about whether investor sentiment will remain positive. By around three years post-authorisation, the PRA expects banks to have more clarity over their path to profitability. By five years post-authorisation, banks should either be profitable or have a credible strategy to achieve profitability, with definite capital support to achieve this. If the firm is of a size to require minimum requirement for own funds and eligible liabilities (MREL) at greater than minimum capital requirements within this planning horizon, it needs to factor in those requirements (see paragraph 4.4). The PRA, however, recognises that a number of factors, including the nature of the business model, could impact the path to profitability, and will apply flexibility in exceptional circumstances where the path to profitability is credible and there is sufficient financial resources in place in advance to manage the risks around that path. At least until profitability is achieved, the PRA expects firms to have a credible capital plan which will ensure new capital is injected in good time to avoid capital requirements plus buffers being entered. There will be no delay in transitioning to the PRA buffer on a stress test basis (see Chapter 4) if there is a delay in achieving profitability.

3.5

The PRA understands new and growing banks may make significant or frequent changes to their business plans to reflect their experience post-authorisation. Banks should keep the PRA informed of any material issues affecting their business plan, and inform the PRA in advance of making any significant change to it. Banks should ensure they fully assess the risks of any change to their business plan and have suitable controls in place. Banks should use their experience to produce more realistic business plans as they mature; the PRA expects banks to be able to produce more accurate forecasts by around two-three years post-authorisation and have realistic forecasts within five years of authorisation. Banks should ensure they factor investment in governance and controls into their financial projections.

3.6

The PRA is open to novel and untested business models, but expects to apply a higher degree of scrutiny to these banks to ensure governance and controls are appropriate and the bank understands the risks it is taking on.

3.7

Good governance is critical to delivering a sound and well-run business; poor governance has been a key factor in the major financial sector failures in recent years and is often a leading indicator of financial problems in firms. As such, the PRA promotes good governance across the financial sector and all firms it supervises. A strong and well-functioning board is central to good governance.

3.8

PRA rules require banks to have robust and comprehensive governance arrangements which reflect the nature, scale and complexity of the risks inherent in the bank’s business model and activities.⁵⁰ SS5/16 sets out the PRA’s expectations of boards of all authorised firms. For new and growing banks, the board has a pivotal role in ensuring the bank is able to grow in a sustainable way and that it has the ability to effect an orderly exit if required. Boards should:

• proactively identify and address potential weaknesses in the business model or control environment, demonstrating self-awareness and a willingness to tackle issues early on;
• ensure the bank has a forward looking approach to capital management, with clear triggers for when actions need to be taken to enable the bank to continue to meet total capital requirements (TCR) plus buffers;
• ensure the risks of rapid growth, or new ventures and products, are appropriately controlled before embarking on these; and
• provide independent oversight and challenge and oversee the development of risk management and controls.

3.9

Boards of new and growing banks will need to evolve as the business grows. At authorisation, banks should have a clear plan for how the board will develop, and should keep this plan updated as the business grows. Banks should regularly review the skills and composition of their boards to ensure they remain appropriate for the changing business. The PRA requires boards to have adequate collective knowledge, skills and experience, to understand the bank’s activities, including the main risks.⁵¹ In new and growing banks, the PRA expects boards to have adequate collective, relevant experience to understand the bank’s business model, key risks, and set its strategy. For instance, in a new retail bank, the PRA expects the board to have sufficient, collective retail banking experience.

3.10

Banks should maintain succession plans for all board members, recognising that the individuals who have the skills to launch and build the business in its early years may not be best suited to lead the business as it grows. Banks are required to maintain a management responsibilities map⁵² which should be used to support succession planning.

3.11

The PRA places weight on boards having sufficient independence, which helps ensure they can provide effective challenge to the business. Although the optimal board composition is assessed on a case-by-case basis bearing in mind the complexity, organisational structure, and size of the firm. Established good practice is for new banks to have two independent non-executive directors, and the PRA’s strong preference is for banks to have independent non-executive chairs at this point. As they grow, established good practice is for banks to have a minimum of three independent non-executive directors, including the chair, within three years of authorisation. Depending on the size and complexity of the business, it may be appropriate for the bank to meet good practice of having a majority independent board within five years of authorisation.

3.12

Banks should implement appropriate measures to identify, monitor and manage potential conflicts of interest or other challenges that can arise at the board. For instance, certain directors may be at greater risk of having conflicts of interest, because they are either significant shareholders themselves, are appointed or nominated by a significant shareholder or are founders of the bank. These individuals can be highly influential and may have incentives to influence certain decisions to align with their own interests, or to pursue rapid growth and increased risk taking. This can lead to poorer outcomes for the bank.

3.13

As members of the management body, all non-executive directors, whether independent or not, have a binding obligation to act with honesty, integrity and independence of mind⁵³ and are required under Rules 2.1-2.3 and 3.4 in the Conduct Rules Part of the Rulebook to act with integrity, due skill, care and diligence and to be open and co-operative with regulators⁵⁴. Independence of mind is a pattern of behaviour, shown in particular during discussions and decision making at the board. All members of the board should be able to make their own sound, objective and independent decisions and judgements.⁵⁵ Banks should consider the appropriate number of non-executive directors who are significant shareholders or who are appointed or nominated by a significant shareholder.

3.14

Where the chief executive (SMF1) of a bank is also one of its founders, the board should implement appropriate checks, balances, and measures to identify, monitor, and manage any potential conflicts of interest.

3.15

For all firms it supervises, the PRA expects to see a fit for purpose risk management framework, which is demonstrably used across the business to guide and control all of the firm’s activities. Many firms adopt a three lines of defence model and within this the PRA would expect to see first line risk ownership, with effective oversight and challenge provided by an independent second and third line. This helps to ensure risks are articulated, understood and managed or mitigated appropriately.

3.16

Firms should articulate and maintain a culture of risk awareness. PRA expectations in respect of governance including firms’ approach to risk culture are set out in SS5/16. Firms should also be aware of the requirements set out in the Risk Control, General Organisational Requirements, and the Remuneration Part of the PRA Rulebook.

3.17

The control environment in new and growing banks is usually untested at the point of authorisation and often lags behind their business ambitions. Banks should ensure they regularly assess whether their controls remain fit for purpose in the context of changes to the business, and whether there is a clear framework for risk identification, management and mitigation. This should take into consideration: the adequacy of technical knowledge across all lines of defence; the ability of the second and third lines to provide independent challenge; whether stress testing and downside risk analysis have sufficient prominence in decision making and key management documents; and whether the business can produce accurate data and management information.

3.18

By around three years post-authorisation, the PRA expects that banks will still be testing and refining their risk management framework, but that it is fit for purpose. Banks should prioritise developing controls for their most material risks. The PRA expects banks to have a mature control environment by five years post-authorisation, which includes a fully embedded risk management framework linked to a stable business model, which provides a forward looking view across all risk types. By this stage, the Internal Liquidity Adequacy Assessment Process (ILAAP), Internal Capital Adequacy Assessment Process (ICAAP), recovery plan and other significant regulatory and business documents should be robust documents which are an integral part of the firm’s business processes and decision making, with evidence of input and challenge from across the business.

3.19

Different business models have different risk profiles and as such the PRA’s expectations of a bank’s control environment will vary depending on the extent and type of business and the risk to which that bank is exposed. Banks should ensure their risk management framework is tailored to the institution’s risk profile and that it takes into account the PRA’s rules and expectations, including those relating to liquidity, operational risk and outsourcing.

3.20

New and growing banks frequently tend to rely more extensively on outsourcing and third-party products and services given the benefits they can bring in terms of lower barriers to entry, cost savings, and in some cases increased operational resilience. The PRA’s existing requirements and expectations on outsourcing and related areas such as business continuity, as well as SS2/21 ‘Outsourcing and third party risk management’,⁵⁶ are therefore of particular relevance to new and growing banks.

3.21

In particular, any banks whose business model relies extensively on outsourced service providers and other third-parties should demonstrate, at the point of authorisation and on an ongoing basis thereafter, that they will retain an appropriate governance and internal control framework and adequate non-financial resources, and will not operate as ‘empty shells’. In addition, where a bank relies extensively on outsourcing and other third-party arrangements, the PRA will place increased emphasis on ensuring that its risk management function has appropriate and sufficient skilled resources to manage the risks in these arrangements, and that effective governance arrangements are in place to ensure appropriate oversight.