BofE warns banks to heed lessons learned in 2022

The Bank of England’s (BofE) Prudential Regulation Authority (PRA) has written to financial institutions operating in the UK asking them to pay attention to the lessons learned from significant risk events that occurred in 2022. 

In several letters addressed to bank CEOs, the PRA lists its priorities for the year ahead, raising concerns about how banks reacted to the impact of major events in 2022 such as the Russian invasion of Ukraine and turmoil in British Government bond markets. 

“A common thread through each of our priorities is the paramount importance to all firms of effective governance and oversight, reflective of both the nature and scale of firms’ business activities, and any changes driven by internal or external factors,” says the PRA. “Individuals within the senior managers regime will be accountable for their firm’s addressing of the priorities set out in this letter.”

The PRA says it highlighted deficiencies in banks’ risk management last year after the default of Archegos Capital Management – but the industry failed to take sufficient action. 

“We specifically asked firms to consider concentrated and leveraged exposures and to improve counterparty risk management. During 2022, the market reaction to Russia’s invasion of Ukraine, and volatility in the nickel and long-dated Gilt markets, reinforced the importance of a robust risk culture and sound risk management practices at firms. However, despite regular messaging from the PRA on the subject, these events demonstrated that firms continue to unintentionally accrue large and concentrated exposures to single counterparties, without fully understanding the risks that could arise.”

In a separate letter to insurers, the PRA warned of “immature” management of exposure to cyber threats, saying it would work with the industry to improve this area of risk management. 

The regulator also re-highlighted its focus on operational resilience, and said it would be assessing firms against recently implemented rules designed to protect key business services. “By now, firms are expected to have identified and mapped their Important Business Services (IBS), set impact tolerances for these, and commenced a programme of scenario testing. We have been reviewing firm self-assessments and engaging with individual firms and the sector more generally on our findings.”