Dear Chief Risk Officers | Release Date: 10th September 2024
To read a shorter summary of this Dear Chief Risk Officers click here.
To access the original PRA document, click here.
Long Summary
On 10 September 2024, the Prudential Regulation Authority (PRA) addressed a letter to Chief Risk Officers of non-systemic UK Deposit Takers (UKDT), outlining the thematic findings of an Internal Audit (IA) review of the Credit Risk Management Framework (CRMF). This review was triggered by the heightened uncertainty in the macroeconomic environment, including the anticipated deterioration of credit portfolios. The aim was to evaluate the effectiveness of governance, credit assessment, approval processes, and portfolio management controls in mitigating credit risks.
The review involved a selection of 33 non-systemic banks and building societies, covering approximately 13% of non-systemic lending exposures. The PRA stressed the importance of this review in ensuring firms maintain a strong risk management framework, especially given the volatile economic conditions.
Scope of the Review
The PRA selected a cross-section of 33 non-systemic UK banks and building societies, which represented a significant portion of the sector’s lending exposure. Of these, six were banks, and the remaining institutions were building societies. Most of the reviewed institutions (81%) had a lending book of less than £1.5 billion, with 44% holding less than £0.5 billion.
External audit firms were responsible for conducting the majority (90%) of the Internal Audits (IA), with the aim of reviewing the effectiveness of controls within each institution’s CRMF. This included an evaluation of whether the controls in place were sufficient to manage key risks in credit assessment, affordability, and governance.
Key Observations
The review produced 236 IA findings, the majority of which were classified as “Yellow” (53%), indicating moderate breaches of control procedures. A smaller proportion (14%) were classified as “Amber” (significant breaches) and less than 1% as “Red” (materially significant control weaknesses). The findings revealed that approximately two-thirds of issues related to breaches of lending rules.
The review highlighted a need for continuous enhancement in portfolio management controls, particularly in the areas of affordability assessments and responses to changing macroeconomic conditions. The findings identified six primary areas for improvement:
Areas Needing Improvement
1. Affordability Assessment
The first key area identified was the need to improve controls around affordability assessments. Many firms had outdated rules, buffers, and judgement criteria that did not reflect the rapidly changing macroeconomic environment, including high inflation and rising interest rates. The review recommended regular updates to reflect Office of National Statistics (ONS) data and stress rates applied to lending decisions. Institutions were encouraged to adopt a more dynamic approach to adjusting affordability assessments based on current market conditions.
2. Quality Assurance (QA) and Underwriting Process
The review also found significant gaps in the quality assurance and underwriting processes. Many firms were only using one of the two Lines of Defence (LOD) to perform QA, with some firms needing to design or enhance their QA processes entirely. This often meant that the frequency and scope of reviews were insufficient. Additionally, many firms had not fully documented their QA processes in policy or operational manuals, leading to inconsistencies in risk management practices.
3. Quality of Management Information (MI)
The third area identified was the quality of management information (MI). Auditors suggested enhancements to the MI, such as incorporating forward-looking metrics and providing supporting commentary to explain trends and charts. Inconsistencies were also found in portfolio monitoring, and many firms lacked comprehensive risk appetite metrics within their MI. This prevented institutions from adequately monitoring and reporting the performance of their credit portfolios.
4. Credit Risk Appetite (CRA)
Another critical finding was the misalignment of credit risk appetite (CRA) limits with the firms’ business strategies and lending policies. Some institutions failed to calibrate their CRA appropriately, and discrepancies were found between Credit Risk MI, Credit Risk Appetite Statements, and Lending Policies. In some cases, CRA limits were missing from the MI entirely, which hindered effective monitoring. Firms were advised to ensure their CRA frameworks were sufficiently granular to provide a clear understanding of their lending books and asset quality.
5. Lending Policy
Governance and control processes around lending policies also required improvement. The review noted that many institutions lacked clear limits on exceptions to lending policies, such as ‘out of policy’ loans. Moreover, several firms had outdated policies that did not reflect the current business strategy, particularly following strategic changes. In some cases, important processes like the ‘out of policy’ exception process were in place but not documented, leading to potential risks in credit decision-making.
6. Collections
The final area identified for improvement was the collections process. Many firms did not have contingency plans in place to manage an increase in customers experiencing financial difficulties or arrears. The review recommended the introduction of Early Warning Indicators (EWIs) to detect potential deterioration in higher-risk or vulnerable customer segments. Additionally, firms were urged to adopt a proactive strategy for contacting vulnerable customers, especially in light of the current macroeconomic challenges and the cost of living crisis.
Recommendations and Next Steps
In light of the findings, the PRA has recommended several actions for firms to strengthen their CRMF controls. These include:
- Review and Update Affordability Assessments: Firms should ensure their affordability assessment criteria are regularly updated to reflect changes in the macroeconomic environment, including fluctuations in inflation, interest rates, and income trends.
- Enhance Quality Assurance and Underwriting Processes: Institutions need to design and implement robust QA processes across both Lines of Defence (LOD). This includes ensuring that these processes are well-documented in policies and operational manuals, with regular and thorough reviews.
- Improve Management Information (MI) Quality: Firms should work towards enhancing the quality and consistency of their MI, particularly by incorporating forward-looking metrics and ensuring that risk appetite metrics are included and monitored.
- Align Credit Risk Appetite (CRA) with Business Strategy: Institutions must calibrate their CRA limits appropriately, ensuring alignment with current business strategies and lending policies. Discrepancies between Credit Risk MI, Credit Risk Appetite Statements, and Lending Policies must be addressed.
- Strengthen Lending Policy Governance: Governance around lending policies should be strengthened, with clear limits on ‘out of policy’ loans. Policies should be regularly updated to reflect strategic changes and ensure processes are thoroughly documented.
- Prepare for Collections Contingencies: Firms should develop comprehensive contingency plans to manage a potential rise in customers in arrears or experiencing financial difficulty. This includes setting up Early Warning Indicators (EWIs) and implementing proactive strategies for engaging with vulnerable customers.
Key Takeaways and Actions for Affected Firms
The findings from the IA review reveal several critical areas for improvement in credit risk management across non-systemic UK Deposit Takers. Affected firms are advised to:
- Review and strengthen their CRMF controls, with a particular focus on affordability assessments, quality assurance, and management information.
- Ensure alignment between business strategy, credit risk appetite, and lending policies, especially in light of ongoing economic challenges.
- Develop robust contingency plans to manage potential increases in customer arrears and financial difficulties, with a proactive approach to identifying and supporting vulnerable customers.
By addressing these recommendations, firms will be better equipped to manage credit risks effectively in a volatile economic environment.