Thursday 24 April 2014

Risk Management Lessons: Reacting to a Regulatory Breach


My last post covered the breach by the Yorkshire BS (YBS) of the FCA mortgage rules related to the calculation of arrears charges. The FCA's announced this breach in February 2014 together with a brief outline of the lender’s reaction and the FCA decision not to take enforcement action

As a result, the FCA did not have to publish a detailed outline of the circumstances of the case.  It was therefore difficult to develop a practical sense of the steps that the YBS may have taken to mitigate the risk of FCA enforcement after the breach was discovered.  I thought there might be a similar enforcement case of ‘back-office’ related activities which enabled an inference of what actions may mitigate the risk of enforcement action when errors are discovered. 

I found a similar case from September 2013 regarding Clydesdale Bank (CB; enforcement notice is here).  The details of the CB breach itself are relatively simple: an unintentional error in the bank's IT system in 2005 meant that mortgage payments were incorrectly calculated when there was a change in interest rates.  This was discovered in April 2009.  The outcome of the case was a fine of £8.9m and the write-off of the amounts not charged to customers (about £22m). 

There are five main lessons for regulated entities about how to mitigate the risk of enforcement action in these circumstances. 

1.  The starting point for the "relevant period" of the breach that the FCA refers to as the basis for enforcement action is the point when the CB discovers the error (April 2009) and management has the possibility of taking remedial action. 

2.   Timely reaction to correct the error after it has been discovered and alert customers who may be relying on the firm’s communication while the issue is fully addressed.   CB took six month to fix the IT error.  There were no interim measures taken in respect of any new mortgages sold between April and September.

3.  A regulatory expectation that recovering a mortgage underpayment should not be targeted where the underpayment arises from an administrative error and the lender is fully to blame.  CB initially aimed to avoid this and recover up to £22m.  The YBS offered a generalised redress to customers.  

4.   The need to actively consider the Ombudsman precedents and guidance, where available and relevant.  This was available in the case of CB.  Further, the materiality of the expected shortfall from not recovering the underpayments has limited relevance from a regulatory perspective.

5.  Fair and clear customer communications about the issue and the potential customer outcomes. Where a phone discussion is required to assess a customer’s position, staff are briefed appropriately to proactively gather relevant data.  In the FCA’s view, this did not apply in the CB case.  The YBS avoided much of this by offering a generalised redress to customers.

And finally a puzzle.  Enforcement notices tend to outline how the issue was discovered.  This can be an aggravating factor where it is discovered by the regulator as in the case of the YBS.  Alternatively, where the firm discovers the breach, it represents a mitigating factor.  In the case of the CB, I could not find any reference to how the issue was discovered.  I am not inclined to view this as an oversight.  At the same time, I don’t really understand this outcome: either party would want to take credit for discovering the issue. 

I would be interested to hear your thoughts.

If you found this post interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.

No comments:

Post a Comment