Enforcement watch: The Prudential Regulation Authority issues second largest fine against HSBC of £57million
By Sonya Zywko, Alan Hughes, Gemma Tilly
1 Feb 2024 | 3 minute readThe Prudential Regulation Authority (PRA) announced it has fined HSBC Bank plc (HBEU) and HSBC UK Bank plc (HBUK) (together the Banks) £57,417,500 for historic breaches in relation to the implementation of Depositor Protection Rules (the Rules), including incorrectly marking deposits as ineligible for protection under the Financial Services Compensation Scheme (FSCS).
Background
Certain deposits up to a value of £85,000 (or up to £170,000 for joint accounts) are protected by the FSCS in the event of a bank's failure, provided those accounts are marked as eligible or potentially eligible. In the PRA's view, the breaches were serious because the FSCS relies on the accuracy of this information in order to pay out to eligible deposit holders within seven days of a bank's failure, thereby reducing systemic risk that the bank's failure may precipitate a wider loss of confidence. The PRA concluded that the shortcomings materially undermined HBEU's readiness for resolution in the event that some form of orderly wind down is required.
Certain of the issues arose following a restructuring in order to implement ring-fencing arrangements in July 2018 which split operations between ring-fenced HBUK and HBEU, which was not ring-fenced. The PRA noted that a lack of knowledge and subject matter expertise regarding application of the Rules within HBEU following the restructuring was a contributing factor.
This is the second largest fine imposed by the PRA and the first fine for a breach of Fundamental Rule 8. The PRA could have issued a fine of up to £96.5m to reflect the seriousness of the breaches (including the length of their duration) had it not been for discounts applied amounting to a total of 45% (including an early settlement discount of 30%) in light of mitigating factors such as:
(i) HBEU & HBUK's full cooperation throughout the investigation.
(ii) The fact that the breaches of the Rules have been fully remediated.
(iii) The Banks' early admission of breaches.
Summary of findings
Failings of the Banks included breaches of Fundamental Rule 2 (due skill and care), Fundamental Rule 6 (effective organisation and controls) and certain Rules in relation to:
- Failing to assign clear ownership for the processes required under the Rules.
- Failing to ensure that a senior manager was allocated responsibility for these processes as required under the Senior Managers and Certification Regime (SMCR) and the integrity of the information required under the Rules.
In addition to the above, further failings attributed to HBEU concerning breaches of Fundamental Rule 7 (obligation to be open and cooperative with regulators), Fundamental Rule 8 (readiness for resolution) and certain Rules:
- Incorrectly marking 99% of its eligible beneficiary deposits as 'ineligible' for FSCS protection.
- Providing an incorrect attestation to the PRA confirming its systems satisfied certain requirements of the Rules.
- Failing to produce finalised versions of annual reports required to be signed by its board of directors that confirmed compliance with the requirements of the Rules for multiple years.
What does it mean for banks?
The PRA highlighted that the failings in this case "go to the heart of the PRA's safety and soundness objective". It serves as a reminder to:
- Ensure there is clear allocation of responsibility, particularly where there has been a restructuring and to consider whether there are any gaps such as subject matter expertise in the revised structure.
- Ensure there is a verification process supporting any attestation to the PRA or FCA.
- Establish a clear governance structure for internal investigations and take other governance steps, such as ensuring terms of reference are put in place for any committee or working group, minute taking and senior individual accountability.
- Ensure that where an issue is identified during an internal audit review and/or any supervisory intervention, there are clearly defined action points and ongoing monitoring of progress against these. The fact that the issue first came to light due to a PRA supervisory enquiry could be an aggravating factor, as it was in this case.
- Keep existing issues under review and consider whether a new notification or update to the PRA is required as matters develop. The same principle applies in relation to notifications to the FCA. In particular, once a firm forms the view that an issue may be material, there is an expectation that a notification or update should be made. The PRA has made it clear in its decision that firms cannot wait for the conclusion of any internal investigation before making a notification.
For more insight on the impact of the PRA's findings, please get in touch with Sonya Zywko or Alan Hughes.