
Regulators Introduce New Spreadsheet Risk Management Regulations

Six years after it mistakenly wired nearly $900 million to a customer’s creditors in its role as their loan agent, a major U.S. bank finally won a ruling that would see the outstanding $500m returned by payees, in a fiasco that started with a failure in spreadsheet risk management.

A previous judge on the case in 2021 described the lender’s mistake as ‘unprecedented in banking.’ Only it’s not. In 2012, a fellow U.S. bank lost $6bn and was fined a further $920m by regulators for a ‘trading error’ that originated from a misplaced spreadsheet input.

The U.S. bank may have won the case, but it still has to convince regulators that its risk controls are sound. In addition to the $400m fine it received from the OCC in 2020 for its mistake, it’s facing a January 31 deadline to file a restitution plan with the Fed and FDIC over its data governance failures.

Regulators in the U.S. and the U.K. appear unconvinced that banks are taking data governance seriously enough, particularly regarding spreadsheet risk.

Authorities globally have complained since 2018 that BCBS 239—the section of Basel III that addresses spreadsheet risk in two of its four pillars—was not being implemented properly.

As early as 2019, the U.K.’s FCA sent a ‘Dear CEO’ letter to the industry, which specifically highlighted banks’ failures in implementing BCBS 239, principally the lack of data automation and the potential risk posed by spreadsheet failures.

The U.K. financial watchdog followed up again in September 2021 with another ‘Dear CEO’ letter, this time highlighting a lack of robust controls over spreadsheets by firms under its supervision.

Now it appears that U.K. regulators are done sending letters and have instead switched to an enforcement-led approach of strengthening regulations, increasing oversight, and issuing more fines for banks’ spreadsheet failures.

In December 2022, a U.K. bank was slapped with a £10m fine for a spreadsheet input error. This followed a record-breaking £46.6m fine from the PRA issued to yet another U.K. bank in April 2022 for a similar mistake.

New Bank Spreadsheet Risk Management Regulations

The major U.S. lender’s January deadline for posting its revised resolution plan will no doubt focus senior bank executives’ attention globally on the issue of spreadsheet risk.

But its regulators have more on their minds than just the correct implementation of BCBS 239—new regulations targeting spreadsheets are also about to hit the books.

The U.K.’s PRA is consulting on CP6/22, Model risk management principles for banks, while the U.S. FR Y-14 reporting regulations will be strengthened in 2023 to require more accurate and timely P&L reporting, particularly in a ‘severely adverse scenario.’

Regulators’ concerns stem from worries over banks’ increasingly sophisticated use of models and a fear over how these models will fare in volatile markets.

The PRA said in the launch of the CP6/22 consultation that it anticipates firms’ use of models will continue to increase and become more complex, but that previous reviews had found numerous failures linked to data governance, particularly with respect to reporting requirements.

“The PRA has found evidence of poor model risk management reviewing firms’ applications for internal regulatory model permissions and when reviewing approaches to expected credit loss accounting under IFRS 9.”

What risks do spreadsheets pose?

Regulators are concerned over the risk posed to banks from spreadsheet errors for multiple reasons, and the FCA outlined several in its 2021 ‘Dear CEO’ letter.

“Spreadsheets carry an inherent risk of error because of their vulnerability to over-writing and therefore require appropriate documentation of key processes, risk and control assessments, judgments, and assumptions, as well as robust processes and control,” the FCA said.

The letter was prompted by a review of regulatory reporting, which found that many firms were not formally registering working files as end-user computing applications (EUCs) and that others had no program for ongoing reviews of the underlying logic.

The FCA letter said that this lack of controls makes it difficult to generate accurate returns, particularly at speed during periods of market volatility, and it was exactly this issue that led to two U.K. banks being fined by the PRA.

“Systems, controls and oversight fell significantly below the standards we expect of a systemically important bank,” the PRA said when it issued a U.K.-based lender a £46.6m fine.

These fines are set to continue. While the SEC’s Head of Enforcement told reporters at a November briefing that regulators weren’t expecting to issue more than the record $6.4bn in fines levied on U.S. financial institutions in 2022, he was clear that the focus on enforcement would continue as the agency expected “behaviors [to] change.”

The U.K. position appears similarly robust. According to an industry publication, a senior figure at the FCA told a recent industry conference that “fines are very powerful agents of change and a key focus” and “no stone will be left unturned” in the pursuit of non-compliant firms.

While there are numerous benefits to automating and integrating a bank’s spreadsheets, including bringing new products to market faster and scaling successful products more quickly, the most pressing issue in 2023 may very well be complying with regulations governing spreadsheet risk management. Failure to meet these standards could prove costly.
