We’ll be running a dedicated webinar, The Lion That Bit — SMCR in 2020, on 9th January at 08:30 UTC.
What happened?
On Tuesday 26th November, the Bank of England’s Prudential Regulation Authority fined Citigroup’s three UK entities a total of nearly £44 million.
Without reading the PRA’s final notice in its entirety, it’s easy to assume that this fine is old news, or irrelevant for smaller institutions. First, because it was issued for breaches taking place between June 2014 and December 2018. Second, because Citi are a G-SIB (a systemically important bank) and are therefore subject to the highest levels of regulatory scrutiny. Third, because a short glance at the summary might lead you to conclude Citi just got some numbers wrong, specifically the calculation of their returns and liquidity data. Why should we care, right?
Not so fast.
Yes, the regulatory data Citi’s UK branches were providing were found to be consistently inaccurate, but they were warned about this in 2016 and again in 2017. The reason the PRA is acting now is that the incorrect data is just a symptom of a wider failing: the inefficacy of Citi’s supervisory governance framework.
What can we learn?
This fine is not just a slap on the wrist for Citi; it is the first substantial warning for all financial services firms that the sea-change we’ve seen in UK financial regulation since the Global Financial Crisis isn’t just lip service.
The default pre-crisis approach to financial regulation at many firms has been to view each new rule as a box-ticking exercise. With this hefty fine, the PRA is emphasising that, in the new world, financial services need to heed both “the letter and the spirit” of regulations.
At Citi, a complex web of committees was set up, meetings were held, and spreadsheets were produced, all of which indicate an attempt to put the new rules into action. Yet the minutes of management meetings revealed that, when it came to how the company was operating, there was no real challenge of the status quo, no regular review of processes, and no demonstration of each individual leader’s understanding of their duty to do things the right way.
“Their oversight and governance in relation to regulatory reporting fell significantly below the standards expected.”
~ Bank of England’s Prudential Regulation Authority
The question that boards and management teams across financial services must ask themselves now is: are we paying the “spirit” enough attention?
As asset managers, insurers, and smaller firms come under scope in December this year, they will be held to the same high standards. It’s not enough to just tick the box; it is crucial that all financial institutions build a corporate culture which encourages its people to do the right thing. That’s the heart of good governance, and that’s what the regulator is looking for.
Why should you care?
In our view, Citi might be the first to feel the heat, but they’re not going to be the last. For all regulated firms, this final notice shows their existing supervisory governance frameworks may not be considered appropriate — despite ticking all the boxes on paper.
“The failure to provide accurate and timely regulatory data can indicate a range of weaknesses in a firm’s ability to manage its business prudently.”
~ Bank of England’s Prudential Regulation Authority
In our experience working across the sector, a best-practice framework should be based around five key pillars, “actively managed” and reviewed as per the regulator’s recommendations:

To reach the regulator’s expected standard, your organisation must not only put that framework in place but also embed and scale it from the very top to the bottom, and, crucially, ensure it demonstrably changes the way you do business.
Join the webinar
What lies ahead, are you exposed, and what steps can be taken to ensure you start the new year on the best possible basis?
Find out more about the likely ways SMCR will evolve in 2020, and how you can ensure compliance in both letter and spirit by joining our dedicated webinar, The Lion That Bit — SMCR in 2020, on 9th January at 08:30 UTC.