On 10 September 2024, the Prudential Regulation Authority (PRA) published a letter to Chief Risk Officers to share the thematic findings of a review, in which it asked the Internal Audit (IA) function of a selection of UK deposit taker (UKDT) non-systemic banks and building societies to undertake a review of their Credit Risk Management Framework (CRMF).

Background

The review was designed to provide assurance (both to the firms’ boards and the PRA) on the overall effectiveness of the control framework and in the specific areas of focus, which were the governance and control environment over credit and affordability assessments, approval processes and portfolio management.

The IA functions were asked to determine if current controls and practices are sufficient to mitigate the risks associated with these key areas of credit risk management. The PRA selected 33 UKDT non-systemic banks and building societies to take part in this exercise and to submit the IA report by 30 September 2023. Firms in scope represented 13% of non-systemic firms’ lending exposures; six were banks and the remainder building societies.

Summary of findings

The PRA’s review of the 236 IA findings shows that the highest proportion were rated Yellow (53%, moderate breaches of control procedures). A smaller proportion were rated Amber and Red (14% significant, and less than 1% materially significant, control weaknesses).

The letter notes that these findings reinforce the need for some firms to enhance their portfolio management controls and affordability assessments, with consideration of changes in the macro-economic environment to ensure that new lending is sustainable.

Areas needing improvement

The areas found to need improvement are listed below in priority order (based on number of findings):

  • Affordability assessment: the need to improve the controls around the refresh of rules, buffers, judgements and/or data to reflect changes in macroeconomic or market trends more quickly.
  • Quality assurance (QA) and underwriting process: the need to enhance QA controls. For example, a need to design and implement the QA process or to enhance the frequency of the reviews performed.
  • Quality of management information (MI): suggested enhancements include having forward-looking MI, and adding supporting commentary to charts and trends. Auditors identified an absence of risk appetite metrics in the MI; inconsistency in the portfolio monitoring MI; and data reporting issues.
  • Credit risk appetite (CRA): the need to calibrate appropriately the CRA limits; to align the CRA with the latest business strategy and lending and collections policies; to create a CRA that can support the understanding of the asset quality of the lending book; and in the case of identified breaches, to have an escalation mechanism and process in place.
  • Lending policy: the need to enhance the governance and control processes around the lending policy. For example, to include a limit on the volume/proportion of exceptions relating to ‘out of policy’ loans; to make sure the policy reflects the latest business strategy or describe in detail existing processes in place. 
  • Collections: the need to have in place detailed contingency plans. The PRA flags, for example, that policies should include a clear resource management plan should customers in financial difficulty and/or arrears cases increase, and firms should have early warning indicators and/or a proactive contact strategy in place for higher risk/vulnerable customers.

Next steps

The PRA recommends that Chief Risk Officers use the points outlined in the letter as a reference when reviewing and assessing their own CRMF controls and potential areas that might need strengthening.