The IFPR - enhancing regulated firms’ risk management practices

The IFPR - enhancing regulated firms’ risk management practices

The implementation of the IFPR was intended to provide a framework for regulated investment firms to adopt robust risk management practices by assessing the likelihood of potential harms occurring and reviewing and enhancing the controls in place to mitigate them. In contrast to previous regimes, the FCA wanted firms to look beyond solely mitigating potential harms to firms, but also to consider harms to customers and  the wider markets as a result of firms’ activities.

1.    Group ICARA Process

Key FCA Observations

The IFPR enables firms to operate a group ICARA process. The group ICARA process permits two or more regulated MIFIDPRU investment firms in an investment firm group (IFG) to have one ICARA document, because the risks in the business are managed on a group basis.

The FCA noted that firms are not applying the group ICARA approach correctly. In particular, there was limited justification for the allocation of group-level financial resources to each regulated entity within that group as well as any additional firm specific financial resources required as a result of the firm being part of a group. As a result, the threshold requirements, risk appetite, triggers for capital, liquid assets, and wind-down plans lacked specificity to each individual regulated MIFIDPRU Investment firm.

A further issue the FCA highlighted was the distinction between the group ICARA process and the consolidated ICARA processes. These are two different approaches to the ICARA process.

Key takeaways

The IFPR has a greater focus on the prudential soundness of individual regulated firms in a group compared to existing regimes, where consolidated prudential requirements had more prominence. The group ICARA process accommodates the fact that many IFGs will manage risks in multiple entities in say a group risk function. However, a group ICARA process doesn’t stop each regulated firm from having to comply with the overall financial adequacy rule on an individual basis, submitting separate MIF007 returns and maintaining separate wind-down plans. The FCA’s observations are reiterating that the key focus for them is the prudential soundness at an individual regulated firm level.

Undertaking a group ICARA does not imply fewer assessments to complete, but is a way for firms, where they already manage risks on a group basis, to retain their existing risk management structures for regulatory purposes.

Therefore, even under a group ICARA process, it is essential to identify, assess and quantify the harms within each regulated entity in the IFG. If firms choose the group ICARA process they need to be able to articulate and justify clearly the allocation of group-level financial resources and requirements to each regulated entity within the group as well as any additional firm specific financial resources required as a result of the firm being part of a group.

The interconnectedness of firms, business units, and functions within a group requires closer attention during the ICARA process and is a big area of scrutiny of the FCA. The intra-group risks may stem from overreliance on other group entities through funding, customers, critical infrastructure among others, which could in turn derail a regulated firm. Considering the concept of ‘interrelation of firms’ within a group can lead to the challenge of assumptions throughout the group, resulting in a more robust and aligned ICARA process that takes this into consideration when implementing the firms quantitative limits and risk appetite.

When it comes to the difference between group and consolidated ICARA processes, it is important to note that the consolidated ICARA is currently only a requirement if granted by the FCA and therefore the consolidated scope, if applied, will be guided by the FCA and will be specific to each group circumstance. Consolidated ICARA may be necessary for IFGs heavily reliant on multiple entities within their group in terms of capital and liquidity. In these instances, assessing prudential soundness on a consolidated basis becomes the more logical option.

2.    ICARA Process Assessments

Key FCA Observations

The FCA identified several areas where ICARA assessments were deficient in terms of both quantitative and qualitative components, including:

• Insufficient involvement of the Board and senior management in the ICARA process, resulting in an inability to challenge assumptions and articulate risks associated with the firm.
• Not adequately capturing risks or their interconnections, resulting in an incomplete understanding of harms and the reasoning behind the allocation of associated limits and triggers.
• Insufficient explanation for reductions in capital for various risk types, including those not captured by K-factor requirements (KFR).
• The threshold and trigger points for risk appetite were not adequately linked to a firm’s understanding of risks and wind-down plans, leading to confusion when thresholds were breached.

Key takeaways

To manage harms effectively, firms need a complete and comprehensive assessment process. This requires firms to be able to articulate a clear story as to how the ICARA process and its requirements has been embedded throughout the firm’s risk management processes.

Firms are not connecting their risk management components to the integrated ICARA approach. For example, an effective governance framework will integrate different risk management components, ensuring that reasonable justifications underlie the ICARA numbers. This framework allows senior management to challenge assumptions and results, including explanations of risk appetite thresholds, trigger points, and capital allocation.

Equally, firms need to have reasonable justifications underlying any assumptions made throughout the process. The analysis needs to be linked to the firm’s business model and supported by data, which is understood to a level expected by the FCA. Without having a clearly articulated and integrated approach, it can threaten the efficacy of those numbers and affects the possible effectiveness of the firms’ responses to harms. Firms cannot manage what they do not understand.

Firms can have difficulties with capital allocation, as they look to align their holdings under the new regime. To ensure consistency in alignment, thorough K-factor calculations are necessary for non-SNI firms. Understanding where risks materialise in the business is key to the correct classification of harms for the calculation of K-factor requirements. For harms not linked to a specific KFR, firms will need to assess their potential financial impact separately. These could result from any regulated activities in the business, not just MiFID business.

3.    Wind-down Plans

Key FCA Observations

For a firm to exit a market without disruption to customers and the broader financial system, effective wind-down plans are essential. However, the FCA's observations highlighted several areas of concern regarding wind-down plans; these include inadequate stress scenario analysis, insufficient consideration of intra-group risks and financial dependency, a lack of comprehensive analysis encompassing financial and non-financial strategies, trigger point actions, understanding of underlying modelling assumptions, and forecasts.

Key takeaways

To prevent potential harm to clients, the firms, and the wider market, it is imperative for firms to conduct the wind-down process in an orderly fashion. Prior to the FCA's introduction of the ICARA process, firms did not give wind-down plans adequate attention, resulting in incomplete and inadequate documentation and modelling. To ensure prudence in wind-down plans, firms should identify assess potential weaknesses and vulnerabilities in the organisation and employ detailed and well-justified models, such as stress tests. It is important for the wind-down plan to be modelled against the backdrop of a plausible idiosyncratic or market-wide event. Further, testing the assumptions underlying stress testing models with an overarching governance framework can ensure their accuracy and meet the level of understanding expected by the FCA. Conducting fire-drills of a firm’s wind-down plan, although not a requirement, is good practice to check the operability of the plan and the validity of assumptions made.

4.    Data Quality

Key FCA Observations

The FCA highlighted  inaccurate and incomplete data within firms’ IFPR  regulatory returns, including items that are supposed to be consistent with the ICARA documents. Expectations related to data accuracy are outlined in previous ‘Dear CEO’ letters on Transforming Data Collection[i] and Quality of Prudential Regulatory Returns[ii].

Key takeaways

Inaccurate data can lead to a distorted representation of a firm's financial position and health, resulting in a deficient within-firm comprehension of the business's overall health and identifying next steps business actions. The FCA is concerned that if firms cannot record and monitor their prudential position accurately and track it against IFPR triggers then firms are not suitably meeting core regulatory standards, Furthermore, accurate and complete returns are necessary for the FCA to make its own informed decisions as to the financial health of regulated firms and sectors.

To prevent potential fines and possible Section 166 reviews, firms must employ strong risk data governance and architecture, as well as data quality processes to enhance their returns process. Risk data governance formalises risk data roles and responsibilities, establishes policies and management processes, and evaluates risk data governance arrangements and culture. An effective risk data architecture employs effective technologies that automate setup environments and divide business objectives into autonomous micro-services. Risk data quality utilises robust quality controls throughout operating processes and the end-to-end data lifecycle, ensuring the accuracy of returns.

Conclusion

The FCA’s findings from its initial review of some firms’ ICARA processes and documents highlights that there are core areas for improvement to meet the FCA’s need for sound risk management practices. Firms need to ensure that they can clearly demonstrate the ICARA process and its requirements have been embedded into their risk management structures and introduce enhancements where there are existing deficiencies..

[i]https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-transforming-data-collection.pdf

[ii]https://www.fca.org.uk/publication/correspondence/dear-ceo-quality-of-returns.pdf