PRA censures Wyelands Bank Plc for significant regulatory failings
On 4th April 2023, the Prudential Regulation Authority ("PRA") censured Wyelands Bank Plc ("Wyelands") for wide-ranging significant regulatory failings relating to large exposure limits, capital reporting, governance and risk controls.
Wyelands became a member of the Gupta Family Group Alliance ("GFG") in December 2016. Between 21 December 2016 and 28 May 2020, Wyelands entered several complex structured finance transactions exceeding the PRA's large exposure limits. Wyelands did not identify the issue or report to the PRA that it had exceeded its 25% large exposure limit. On investigation, it was apparent that Wyelands' business was almost entirely reliant on GFG for introductions, which constituted a material portion of the firm's loan book, and that this occurred against a background of increasing pressure being exerted on GFG companies.
Wyelands was found to have breached a number of PRA Fundamental Rules ("FRs") as well as various more specific rules:
- FR 3 as a result of failing to demonstrate sound judgement and exercise sufficient caution before entering into structured finance transactions.
- FR 5 as a result of defective risk management strategies and systems to identify, assess and manage the risks presented by its business model, in particular, connected parties and related parties' risk in relation to Large Exposures.
- FR 6 as a result of various governance and oversight, capital, record keeping and other failures. These included the failure to retain WhatsApp messages regularly exchanged between some of the firm's senior executives, directors and external parties about the firm's actual or potential transactions, its business and its strategy.
- The PRA also concluded that Wyelands had breached the Own Initiative Requirements ("OIREQ") imposed on it by the PRA in late 2019 that prevented Wyelands from transacting with and making further payments to GFG-introduced parties. The PRA accepted that Wyelands had not intended to breach the OIREQ.
This is the first time the PRA has taken action against a firm for breaches of large exposure limits and found a breach of PRA Fundamental Rule 3 (requiring a firm to act in a prudent manner). The seriousness of the breaches justified a fine of £8,515,000. However, as Wyelands has entered wind down, the PRA accepted that it has very limited financial resources and that fining Wyelands would not advance its general objective to promote the safety and soundness of firms.
Lessons for other regulated firms
While Wyelands' failings emerged from a very particular set of facts and financial arrangements, there are clear regulatory learnings for all firms supervised by the PRA.
- Accurate regulatory reporting is a key concern to the PRA: The PRA's enforcement action is yet another example of the PRA's focus on its rules and expectations about the provision of information to the PRA. The PRA views the provision of accurate information as vital to its ability to supervise banks and oversee the stability of the UK financial system.
- Appropriate document retention: The enforcement action is further evidence of the continued focus on records retention, in particular involving WhatsApp data, which has exercised various regulators both in the UK and abroad, and of the need for firms to have in place appropriate document collection and retention mechanisms. It is notable that the PRA called out the fact that the failure to retain data went beyond specific transaction data, noting that some senior executives, directors and third parties "regularly exchanged messages in respect of the Firm's actual or potential transactions, its business and its strategy using the instant messaging application, WhatsApp, on both Firm issued and personal mobile phones".
- Heightened risk should result in increased focus on risk management: In its press release accompanying the Final Notice, the PRA's Deputy Governor for Prudential Regulation and CEO stated that the PRA's expectations in respect of risk management and governance are "especially important where a firm engages in complex transactions or where a significant proportion of its business is introduced by its wider group".
- Embedding risk management policies and controls is just as important as establishing them: Although Wyelands had put in place an Engagement Policy setting out how it would deal with GFG-introduced business, in a number of instances this was not followed, with the result that connected companies were not identified, leading to breaches of the Large Exposures regime. The PRA noted that Wyelands had failed to address risks that were evident on the face of its own business plan.
- Clarifying the responsibilities of the three lines of defence remains an active concern: The PRA found that Wyelands' "three lines of defence" risk management model did not operate clearly in practice, with a blurring of responsibilities and reporting between the First and Second Line that compromised effective risk management. The Compliance team's role in the risk management framework was unduly narrow such that it did not have any substantive involvement in connected parties' analysis despite this posing a heightened regulatory risk given Wyelands' business model.