On 12 April 2017, the Central Bank announced the publication of the results of its thematic inspection of regulatory reporting by international banks. The international banks selected for the inspection were all categorised as "less significant" institutions for the purposes of the Single Supervisory Mechanism, and were in-scope based on their risk assessment ratings, the perceived importance of their regulatory returns, and any issues already identified in respect of their regulatory reporting.
The Central Bank carried out the inspection to assess the degree to which it could rely on the accuracy and integrity of the regulatory returns submitted by those banks. Not all types of regulatory return were covered by the inspection, with the Central Bank focusing on specific areas, including the reporting of large exposures and the liquidity coverage ratio (LCR).
The Central Bank uses regulatory returns as part of its assessment of a bank's risk profile, to check whether a bank is complying with its regulatory requirements, and to assess a bank's financial position.
The regulatory reporting obligations stem from the Capital Requirements Directive (Directive 2013/36/EU) which requires banks to have "internal control mechanisms, including sound administration and accounting procedures...that...promote sound and effective risk management". Those mechanisms and procedures must be both comprehensive and proportionate. The European Banking Authority's Guidelines on Internal Governance (currently being revised) also impose requirements in relation to staffing and internal controls, and the Capital Requirements Regulation (Regulation (EU) No 575/2013), together with related Level 2 measures, imposes requirements in respect of the calculation of LCRs and large exposures.
KEY AREAS OF FOCUS
As part of the inspection, the Central Bank looked at:
» the structure of each bank's regulatory reporting function;
» each bank's internal processes and systems for populating and generating regulatory returns; and
» whether the processes for data quality verification, reconciliation and validation used within those banks prior to the submission of regulatory returns was appropriate.
The Central Bank's Head of Banking Supervision, Fiona MacMahon, commented that some of findings of the inspection indicated practices that were "...not acceptable and have resulted in regulatory breaches in certain instances."
The most significant findings related to inadequate IT, insufficient staffing, excessive levels of manual intervention, weak controls, insufficient oversight by the internal audit function, a lack of documentation, issues with data quality, significant misclassifications and considerable misreporting.
The inspection found that there was a lack of comprehensive procedural documents, and that independent reviews of the regulatory reporting process were not being carried out within the in-scope banks to check that reporting was in line with any procedures that were in place. In light of that, the Central Bank requires that:
» banks establish comprehensive, documented, procedures for regulatory reporting which must, at a minimum, cover the items listed in Finding 1 of the results of the themed inspection;
» those procedures must be approved by an appropriate management forum; and
» those procedures must be reviewed at least once per year.
From the perspectives of both staffing and IT, the inspection found that the regulatory reporting function is inadequately resourced, with a significant amount of manual intervention involved in the reporting process. The accuracy of regulatory returns was adversely affected by the lack of a centralised data depositary in a number of banks, and the Central Bank emphasised that the scale of manual intervention needs to be reduced. Staff involved in the regulatory reporting function need to clearly understand the relevant bank's regulatory reporting obligations, the methodologies used to calculate the bank's regulatory requirements, and the bank's internal processes for managing regulatory change.
Varying data quality issues were identified in all of the in-scope banks, together with a lack of a formal process for data attestation between the regulatory reporting functions and other business areas, leading to inaccurate data.
Issues were identified with the internal audit function in certain banks. End-to-end audit reviews of the regulatory reporting process in those banks failed to cover key areas and, in several banks, periodic prescribed audits did not take place.
Material misreporting of the LCR was identified in certain banks.
» Large exposures
In several banks, the reporting process for large exposures was not documented, and reporting errors occurred due to both manual intervention and system limitations.
Issues were also identified with the calculation of credit risk weighted assets and the operational risk capital charge.
All in-scope banks have been written to by the Central Bank, and have been provided with remediation plans and timeframes within which the issues identified during the inspection must be remedied.
On a positive note, the Central Bank noted that, in the course of its inspection, steps had been taken in specific cases to improve automation of the regulatory reporting process, to develop comprehensive procedural documents, to increase staffing for the regulatory reporting function and to pro-actively manage issues identified by the Central Bank's inspection team.
The Central Bank has encouraged all banks operating in Ireland to examine the results of the inspection, to evaluate their own regulatory reporting in light of those results, and to consider whether any action needs to be taken.
Whilst the thematic inspection was focused only on banks, a wide range of other financial institutions have ongoing reporting obligations to the Central Bank (including, in some cases, obligations derived from the Capital Requirements Directive). Therefore, the findings of the thematic inspection should be of interest to most firms, particularly the Central Bank's focus on processes and procedures and adequate resourcing.