UK banks are dealing with capital requirements brought on by regulators following the 2008 financial crisis, whilst simultaneously juggling COVID-19 volatility.
These requirements must be dealt with while banks try to digitise, maintain balance sheets and innovate.
In a panel hosted by Automated-Intelligence and moderated by FinTech Futures, an information governance specialist at a UK retail bank shared his thoughts on why capital requirements can leave banks in somewhat of a quandary.
“Yes, capital adequacy is up about one and a half times what it was in 2008,” he says.
“So, if you can imagine how bad we were in 2008, add 30% [on top of that].
“Now the double-edged sword is that it takes away a lot of your capital for actually funding some of the improvements.”
He adds the Financial Conduct Authority (FCA) in the UK “perhaps needs to look at that”.
Regulators have tried to help banks to an extent during the pandemic. The Prudential Regulation Authority (PRA) announced that it was modifying the UK Leverage Ratio to allow banks to exclude loans under the Bounce Back Loan Scheme (BBLS).
This means major banks don’t have to maintain the minimum leverage ratio of 3.25% for BBLS loans. In normal circumstances, at least 75% of this ratio is made up of common equity tier one capital.
Where could the funds go?
The information governance specialist says one of the biggest challenges at his bank is resilience in its outsourced supply chain.
The bank is currently going through a number of mergers and divestments. “We’ve got different data flying around and coming in. So the difficulty for the bank has been keeping all that data segregated, secure, in a digitally growing environment,” he observes.
“We’re trying to do all of this under the spectre of becoming a digitally driven bank and it’s probably the worst possible time for us.”
Whilst he calls out the “double-edged” nature of capital requirements, the banking exec also applauds regulators for their collaboration during the coronavirus crisis.
“Normally they give you a woolly statement regarding principles of compliance and they shoot you down when you don’t do it. But I think together through this, they’ve become a lot more collaborative.”
He adds: “The ICO [Information Commissioner’s Office] is an exception, I think. The ICO has been a bit of an aloof challenge for us over the last few months.”
The data retention paradox
One of the drawbacks to holding vast amounts of data is the cybersecurity risks which come with it. This is particularly pertinent as cybercrime has spiked during the COVID-19 crisis.
The former head of the US National Security Agency, Michael Rogers, says “the attack surface has just exploded” for banks.
And with added risk comes greater scrutiny of data retention. The banking exec on the panel points out that despite new data regulations, there’s still a lot of “over-retention of data within banking”.
“The funding to try and remediate that […] is being whittled away because of the extra reserves and capital due to the various PRA measures”.
Deborah Walker, Tesco Bank’s director for compliance and conduct risk, was also on the panel and agreed to be identified. She adds that banks experience something of a data paradox.
“As a financial services institution, we think about PPI [Payment Protection Insurance] and we think about the need to keep all of these records for remediation purposes.
“You just don’t know if there’s going to be another PPI coming along. Are the regulators going to come in and hammer you because you don’t have the information? Even though you’ve deleted the data information in line with your data retention records which are in line with the ICO.”
Walker adds that things may have seemed smooth for Tesco Bank, but it often struggled to keep up the pace.
“There have been times over the last seven months [where] we’ve been like swans, like we’re gliding on the surface but frantically we’re flapping our feet behind the scenes to do manual processes.”
Holding individuals to account
Earlier this month, US bank Citi was slapped with a $400 million fine for “longstanding failure” to fix its data and risk management systems.
The unidentified banking exec thinks fines are partly effective, as they can often cause banks to have parts of their banking licence restricted, which in turn restricts their power to earn.
But he also thinks it runs deeper, and that banking culture won’t change until multiple individuals are held accountable.
“Until we start tackling individuals, we’re going to find it quite hard to get away from the culture of corporate recklessness,” he explains.
“I think we’ve all seen execs at the time actually leaving under mutual consent, having been culpable for that. So not only have they not been called out, they’ve been told to keep quiet and walk out the door.”
Walker agrees. She cites Tesco Bank’s data incident in 2016 which led to a £16.4 million fine.
“We put loads of things in place, but the senior manager regime itself, if that had been in place at the time, we would have been in a very different position.
“Because it would have been really clear who was actually accountable for that decision.”
Walker says that although senior managers might say they “don’t have time or don’t have resource”, equally they’re “adults who have personal liability and accountability”.
“If they don’t have the time to make a proper decision, they need to call that out.”