The PRA Imposes Record Fine for Serious Risk Management and Governance Failures
In a co-ordinated global regulatory action, which included the Swiss Financial Market Supervisory Authority (FINMA), the U.S. Federal Reserve and the U.K.’s Prudential Regulation Authority (PRA), Credit Suisse, now a subsidiary of UBS, has been fined a total of $388 million over their dealings with the collapsed firm Archegos Capital Management.
For the PRA’s part their proportion of the fine was £87 million, the largest ever imposed on a firm, and the first time that its enforcement investigation team had established breaches of four of its eight Fundamental Rules and Principles for Businesses.
The story behind the breaches was that Credit Suisse’s UK regulated Firms entered into equity total return swaps (TRS) with Archegos. All such TRS positions were remotely booked into the Firms in the UK via other entities in the Credit Suisse group and when Archegos defaulted in March 2021, around $5.1 billion of losses were booked to the UK Firms, resulting in substantial financial and reputational damage such that Credit Suisse was ultimately acquired by UBS Group AG earlier this year.
In their News Release, the PRA said that the Firms’ risk management oversight and practices fell well below the regulatory standards required and that the failings were found to be symptomatic of an unsound risk culture within the business line that failed to balance considerations of risk against commercial reward appropriately. Broadly, this resulted in a failure by the Firms to address the risk arising from Archegos’ portfolio, a confusion of responsibilities and failures to adequately respond when limit breaches were exceeded. The Firms had failed to learn from past similar experiences and had insufficiently addressed concerns previously raised by the PRA.
As a result, the Firms breached Fundamental Rules 2, 3, 5 and 6 of the PRA Rulebook. Fundamental Rule 2 requires that a firm conducts its business with due skill, care and diligence. Fundamental Rule 3 requires that a firm must act in a prudent manner. Fundamental Rule 5 requires that a firm must have effective risk strategies and risk management systems.
Fundamental Rule 6 requires that a firm must organise and control its affairs responsibly and effectively. This all resulted in the Firms failing to:
· Instil a culture within the investment banking division that appropriately balanced the considerations of risk against commercial reward;
· Evaluate and take due account of the risks to the Firms, and the Credit Suisse group, arising from their exposures in relation to Archegos’ portfolio;
· Appropriately escalate the risks within Archegos’ portfolio with the result that there was inadequate oversight in the UK of risk remotely booked into the Firms;
· Take sufficient steps to implement an effective risk mitigation strategy in respect of Archegos’ portfolio, including a failure to take reasonable steps to reduce risk when it would have been prudent to do so; and
· Have a governance framework that adequately scrutinised or discussed the risks posed to the Firms by Archegos’ portfolio.
Sam Woods, Deputy Governor for Prudential Regulation and CEO of the PRA, added:
"Credit Suisse’s failures to manage risks effectively were extremely serious and created a major threat to the
safety and soundness of the firm.
The seriousness and widespread nature of those failures has led to [the] fine, which is the largest ever imposed by the PRA."
FINMA, who are unable to levy fines, also ordered corrective measures in the wake of the Archegos affair, including changes to the bank’s compensation culture that take more account of risk appetite, adding, for employees with particular risk exposure, a control function which must assess and record the risks being taken before the bonus is determined.
This is a salutary lesson for Firms of all sizes not to allow the age-old problem of the First Lines of Defence (the business lines) to act independently from or dominate the Second and Third Lines (the control lines) and for Boards to ensure that they have in place and adequately scrutinise effective risk management and governance strategies and systems.
FMCR’s team has extensive practical experience of all aspects of risk management and would be very willing to conduct a ‘health check’ for any Firm that feels it needs assistance or reassurance.
For an initial discussion please contact us on contact@fmcr.com.