In their latest Supervisory Meeting the FCA and PRA presented some key statistics and outlined their ongoing approach to the S166 panel. Feedback was also given to firms on how to improve ongoing reviews for the year ahead. We bring you the highlights: 

The total number of S166s has decreased this year, but both regulators remain satisfied that S166s are being used appropriately alongside the rest of the ‘supervisory toolbox’. The FCA is also using more enforcement investigations to gather forensic evidence on specific topics.

As first outlined in its most recent Business Plan in April, the FCA advised that future S166s are likely to be aligned to the ‘five types of harm’ model as part of a wider roll out of the decision-making framework.

Meanwhile, the PRA announced it is shifting away from its traditional themes of capital and liquidity to resilience, solution/wind down and governance.

Both regulators warned against ‘Shadow S166s’ – instances when firms with prior knowledge of impending investigations take pre-emptive action in an attempt to avoid being subject to an S166. This compromises the work undertaken in S166s and results in outcomes that don’t reflect reality and lack integrity.

Feedback from the regulators

The regulators had a range of feedback relating to costs, quality and communication for members of the panel.

Costs – As the regulators are accountable for the costs of S166s, members must ensure the costs incurred are proportionate to the harm caused. The regulators also asked to be consulted for consent when a member’s pricing changes.

Reports – Members were asked to improve the tone and quality of their executive summaries, ensuring all details of the report are included and that adequate QA is undertaken on draft reports. Members were also asked not to ‘sit on the fence’ but to be clear and objective in their findings.

Communication – Members were reminded of the importance of regular points of contact and updates, as well as feedback and challenges to supervisors – including contentious issues and technical enquiries. All conflicts of interest, resolved or not, also need to be reported to supervisors.

Cyber assurance

The second key theme of the meeting was cyber assurance, where the PRA led proceedings with the findings from their cyber assurance tools. As the regulators continue to work closely together, a distinct conduct specialism team focused solely on cyber assurance has been established by the FCA, headed by the highly esteemed Jackie Boyd. The PRA’s ‘cyber toolkit’ works alongside this team to test firms’ cyber resilience, based on their business models and maturity. These tools include:

  • Cyber triage questionnaire – firms submit the questionnaire with supporting evidence, allowing the PRA to benchmark firms and provide a view on their cyber readiness. It is also used for continued assurance.
  • Cyber workshops – two-day workshops where firms explain their approach to cyber challenges and demonstrate their practical understanding and application.
  • CBEST Star – this is the bespoke FCA/PRA assessment of a firm’s resilience.
  • CBEST – this is the regulators’ ‘sledgehammer’ and is used for mature firms with a robust cyber infrastructure behind them; in essence it is an ethical penetration test (pen-test) on live systems.

Key findings

  • Firms are overconfident in their ‘outer perimeter’ defences. Once a threat is inside the perimeter, secondary lines of defence are often lacking, leaving firms vulnerable to, for example, phishing emails.
  • Firms focus on technology over people and processes. People are more susceptible to making mistakes that cause failures.
  • Poor management of firms’ digital footprints. Cyber security and controls need to progress at the same rate as the rest of the business.
  • Inadequate system security architecture. Often lacking in investment, security systems grow slowly in line with other controls and become outdated.
  • Legacy infrastructure. A particular problem with older firms and acquisitions, where maintaining older systems becomes difficult due to incompatible surrounding infrastructure.

Both regulators are responding to these trends with a growing focus on cyber security and resilience within firms, acknowledging that cyber security encompasses technology, people and processes.

Procurement

Notably, the PRA referred to value for money as ‘the right outcomes at optimum cost.’ A number of tips were set out for bidding, as follows:

  • Separate technical details from commercial terms (do not include the day rate in a technical submission);
  • State the days agreed for each role;
  • Don’t use a standard template for CVs and make sure that relevant experience is highlighted. CVs get significant scrutiny so should be adapted to each role;
  • Make sure you provide the CVs of everyone involved in the project (these can be provided as an addendum where they don’t fit into the length requirements of the application);
  • Clearly and concisely state your assumptions and limitations; and
  • Demonstrate good project management, setting a scope, timelines and budget.

FCA supervision strategy

The FCA made it clear it aims to be pre-emptive rather than reactive by looking to address the root causes of failings or non-compliance. Its analysis reveals the main causes of harm in the market stem from issues within firms’ business models, strategies and culture.

Business models need to be scrutinised and tested to ensure their resilience, suitability and sustainability.

When assessing a firm, the regulator is looking to understand how culture determines a firm’s purpose, how its leaders shape the firm’s behaviour and whether lines of defence and decision making are aligned to the firm’s purpose.

As part of its supervision strategy, the FCA has allocated firms to around 30 portfolios, each with similar business models to help the regulator shape future thematic reviews.