Wholesale banks supervision

Database migration and ‘go-live’ events often caused data management incidents due to incomplete or ineffective testing. In one incident, a large volume of payment transactions were not fed to an AML monitoring tool after a database migration. The migration testing failed to identify a logic error and the controls’ insensitivity to transaction volume fluctuation meant the gap wasn’t identified for approximately 6 months.

In response, firms’ actions highlighted the importance of incorporating end-to-end functionality and downstream usage checks into migration and ‘go live’ testing, alongside post-implementation reviews.

Several incidents showed that firms couldn’t trace data flows and did not consistently verify data completeness during ingestion and processing. In one incident, the lack of data feed monitoring meant a screening gap went undetected for 10 months.

Firms should be able to trace data from origin to consumption and confirm completeness.

In response, we saw measures such as:

• Documenting data lineage from source to consumption.
• Implementing reconciliation reporting.
• Setting up automated alerts to identify stale, missing or incomplete data feeds.

A common cause of control failures is fragmented change management where changes to systems or rules were implemented without fully considering downstream impacts or engaging all relevant stakeholders. Incomplete testing, unclear ownership and management information gaps then allowed issues to persist.

Firms that fixed issues effectively addressed both the technical faults and the change management weaknesses. They updated system logic, implemented new controls, conducted lookbacks and formalised remediation actions with improved oversight and documentation.

This review will be of interest to wholesale banks and other firms in scope of the recordkeeping rules set out in SYSC 10A.

Off-channel communications are those that take place outside of monitored, recorded channels a firm has approved.

We reviewed 11 firms to assess their efforts to strengthen frameworks for managing off-channel communications.

We found that all firms in our sample had made improvements in the past 2 years.

Firms continue, however, to see breaches of their internal policies. They occurred across all staff grades with 41% involving individuals at the director grade or above.

Care needs to be taken when interpreting the breach data. For example, a breach of a firm’s internal policy may not represent a breach of FCA requirements. Consideration should also be given to the size of the organisation.

See our findings

Separate to the above work, we have observed examples of non-compliance with policies on the use of personal mobiles on the dealing floor. In one example, despite concerns being raised previously, a formal compliance inspection – as opposed to first line management – was required to address the non-compliance. As well as raising concerns around the firm’s ability to ensure all in-scope conversations are recorded, this potentially highlights a wider issue around first line culture when non-compliance is not acted upon.

We published findings on money laundering in financial markets, primarily focused on brokers but also relevant to wholesale banks. Deficiencies in financial crime controls remain a key driver of supervisory cases in wholesale banking.

This review will be of interest to banks and brokers who provide securities dealing and execution, as well as investors in securities, including asset managers.

Best execution refers to the obligation on firms to take all sufficient steps to get the best possible results for their clients when executing their orders.

We reviewed 8 wholesale banks dealing and executing UK cash equities.

We were encouraged to find stronger practices compared to our 2014 thematic review.  

Of the areas we assessed, banks generally had strong practices in assessing the scope of best execution. We also found no evidence that internalisation was damaging client outcomes.

Banks’ monitoring of best execution was able to identify good and poor outcomes. We also saw evidence of banks taking action to address examples of poor outcomes.

In contrast, the quality of management information (MI) to support senior management oversight was variable. We found some MI was comprehensive, but we also found examples of it being either too high level or overly complex.

While we observed some good practices in governance and oversight, this was also where we found the least progress made since the 2014 review. Specifically, we found the need for improvement in the challenge from the second line of defence. The banks who were the strongest in this area had empowered their compliance functions, supporting them with the right data and tools.

See our findings

This review will be of interest to banks and other firms where employees may receive gifts and entertainment.

A potential conflict can occur when a wholesale bank employee receives gifts or entertainment leading to preferential treatment for the donor, potentially at the expense of a client.

Typically, wholesale banks manage this conflict through policies, controls and limits around gifts and entertainment, including maintaining a register for employees to declare gifts and entertainment they have received (often above a certain value). This register allows a firm to check where the above conflict might arise.

This review examined gifts and entertainment given by brokers to wholesale banks to assess the operation of the above control.

What we did

We analysed gift and entertainment registers from a sample of wholesale banks and wholesale brokers covering a 4-month period. This allowed us to compare records of gifts and entertainment received versus given. We also reviewed policies and procedures associated with gifts and entertainment as well as breach logs.

What we found

Most entries on registers involved entertainment rather than gifts.

A higher number of instances of entertainment recorded as being given by brokers to wholesale banks, compared to a lower number of instances of entertainment recorded as received by wholesale banks from brokers. This was a consistent pattern.

For example, one wholesale bank had a policy requiring all broker-provided entertainment to be declared regardless of value, yet our analysis found discrepancies:

• For the relevant period, the bank recorded around 150 instances of entertainment received from brokers.
• But brokers in our scope reported around 500 instances of entertainment being given to the bank.
• Many of these were low value.
• Brokers provided 93 instances of entertainment over £100 with only 9 of these being declared by the bank.
• The highest value entertainment we saw brokers providing was between £300-400 although given our conservative assumptions in analysing the data, the true value could be higher.
• We observed groups of employees being given the same entertainment but none recording it.
• We identified individuals receiving more than one instance of entertainment but not declaring any of them. The highest number we identified was 19 separate instances of entertainment received by one individual from the same broker. None were declared.
• This firm had issued 39 policy reminders through this period.

Key questions for firms to consider

• Are firms confident in the clarity of their policies and procedures for gifts and entertainment given and received?
• Why are groups of employees failing to record entertainment received? What does this indicate?
• Crucially, where there are breaches known to firms, senior management may want to consider whether they are concentrated in a particular area and also to judge whether undeclared entertainment has given rise to negative outcomes for clients or markets.

A conflicts of interest register is a record firms use to document conflicts of interest that can arise in the course of their business.

We examined conflicts of interest registers and breach data relating to conflicts of interests across 7 wholesale banks.

In most, we saw scenarios being added to reflect changes in business scope, eg expansion into new markets/products. One firm had not added any new business-related scenario for 3 years. In such circumstances, senior management may wish to challenge whether this reflects the firm’s business activities.

Breach data primarily involved internal policy violations put in place to manage conflicts of interest, such as committing to transactions before obtaining full conflicts clearance. One firm stood out in being the only one not to have recorded any such breaches over a 3-year period. In such circumstances, firms may wish to challenge whether their controls are as strong as the data suggests.

This review will be of interest to wholesale banks.

We reviewed 6 wholesale banks to assess transaction governance.

We did not find widespread weaknesses, although some banks had more robust processes than others. Stronger frameworks gave senior management greater confidence in identifying and managing risks effectively.

See our findings

Title Transfer Collateral Arrangements (TTCA)

Some firms misuse TTCAs by:

• Holding all client funds or assets under a TTCA without an actual client obligation.
• Failing to monitor customer obligations properly.
• Holding money or assets under TTCA without appropriate agreements in place.

Change management

Frequent corporate transactions and technological advancements have increased the pipeline of change activity. We have seen a significant rise in CASS breaches due to:

• Insufficient CASS consideration at the scope and planning stage.
• Lack of testing, impact analysis, and ongoing scrutiny throughout the programme lifecycle, including post implementation reviews.
• Weak oversight and challenge of change programmes at third-party administrators.

Interest on client money

Our enhanced scrutiny has uncovered more CASS breaches related to delays in allocating client money interest. Firms must ensure their approach aligns with client money rules, the client's best interests’ rule (COBS 2.1), and the Consumer Duty.

IT control framework

An increased number of CASS breaches in firms’ annual reasonable assurance reports highlight IT control failures. A strong operational environment, which is required to comply with CASS, depends on a secure IT framework. We have seen firms suffer system hacks, outages, and loss of access to their books and records – emphasising the need for robust IT controls.

Reconciliations

Aside from using external data to populate internal records, common CASS reconciliation failures include:

• Missing or unclear break narratives, making discrepancies hard to trace.
• Excluding accounts with zero balances from reconciliations.
• Misunderstanding internal client money reconciliation rules and margin transaction requirements.

Robust client asset arrangements help firms build confidence and trust with clients, providing them with clear information about how their money is handled, and reducing the risk of misuse and loss if the firm becomes insolvent.

Our work shows that while arrangements across the industry have improved, certain issues persist.

We published a follow-up letter to share insights from our ongoing engagement with banks active in the sustainability-linked loans (SLL) market.

Read more about our SLL work.

Findings from our culture and non-financial misconduct survey – examining how firms, including wholesale banks, detect and handle misconduct.

These insights have informed further supervisory work on firm engagement with the results.