Last year, the FCA sent a 'Dear CEO' letter about ICAAP. For those who don't know, the ICAAP is a process a firm follows to assess the risks it’s facing currently and in the foreseeable future and calculate an amount of capital it should hold as a buffer against those risks.
The letter was a warning that the exercise shouldn't be a quick totting up of sums without any real engagement in the process. It went only to IFPRU investment firms, though BIPRU firms also have to do ICAAPs. Payment and e-money institutions don't have to do an ICAAP but as those who are tackling their re-authorisation application know, PSD2 places strong emphasis on understanding and managing risks.
Nearly a year on from the letter, investment firms will have either completed an ICAAP or are putting the finishing touches to one and with payment and e-money institutions refreshing their risk registers ahead of the opening of the PSD2 gateway for new applications, now is a good time to remind ourselves why this time-consuming exercise can actually be invaluable (as well as an absolute necessity).
What is an ICAAP?
The short answer has been given above!
The long answer is that ICAAP stands for Internal Capital Adequacy Assessment Process. The requirement comes from the Capital Requirements Directive IV (CRD IV), which in turn represents the European implementation of Basel III. The purpose of Basel III is to enhance the capital adequacy of banks and investment firms through a comprehensive set of reform measures aimed at strengthening the regulation, supervision and risk management of the banking and financial services sector.
The ICAAP enables firms to assess the level of capital that adequately supports all relevant current and future risks in their business, and to demonstrate they have appropriate processes in place manage risk.
The FCA may then undertake a Supervisory Review and Evaluation Process (the SREP) on a firm’s ICAAP. Through this they determine whether the firm’s policies, processes, systems and controls are appropriate to support their risk and capital management requirements. The may give firms Individual Capital Guidance (ICG), detailing the amount and quality of capital that should be held at all times to meet the overall financial adequacy rule.
What does the ICAAP involve?
Firms have to undertake a process to quantify their risks and then assess the quality of their capital to establish whether their capital resources are adequate. The rules set out the type of risk to be assessed (for example, market risk, liquidity risk, concentration risk, pension obligation risk etc.) and the expected minimum standards, processes and mitigation to be considered for each.
Firms must also:
- regularly assess the amounts, types and distribution of the financial and capital resources;
- identify the situations in which they may not be able to meet their liabilities as they fall due;
- conduct stress and scenario testing (as well as reverse stress testing, in the case of significant IFRPU firms); and
- ensure the processes, strategies and systems are comprehensive and proportionate to the nature of the firm’s activities.
The ICAAP should be completed at least annually and must be presented in a stand-alone document that also details the firm’s business model, strategy and business plans.
A help or a hindrance?
It would be easy to see the ICAAP as a compliance exercise, to be completed annually, agreed by the Board, documented in company policies, signed off and filed away 'til the next year’s reminder arrives.
But the FCA’s letter was explicit that it shouldn’t be treated ‘purely as a compliance exercise’. Instead, firms should embed the ICAAP as a risk management tool within their governance and decision-making processes. And while payment and e-money institutions are not subject to the ICAAP regime as such, following the process will help them meet the expected risk management and good governance standards.
We've seen firms that really understand their risks gaining some commercial advantages for their effort.
- In reviewing operational and business risks, firms have identified ways to improve processes and make resource efficiencies and cost savings. For example, a firm assessed that the initial outlay to automate the KYC re-verification process was justified by the reduction in the medium to long term risk as well as efficiency savings. Another firm that reviewed its concentration risk of having only one dealer, compared service offerings across the market and was able to secure a second dealer at a lower cost as well as benefiting from being able to offer a better service to clients and reduce its risk exposure.
- The stress testing has helped firms game out their strategic options in the event of certain economic and political developments. The obvious example that most firms have at least begun to work through is the impact of various Brexit scenarios on their EU-wide client base, on exchange and interest rates, and resulting trade volumes. This is not only providing a useful assessment of business resilience under those circumstances, but is also sparking ideas that will evolve into business plans for different outcomes.
- For firms that have had their capital requirement increased by the FCA in the past, there is also the potential to persuade the FCA that the requirement can be reduced going forward if the firm is able to evidence that it can identify and manage its risks. The reverse is also possible, of course. Through better understanding your risks, you could come to the conclusion that your business is more exposed than you had thought. But information is power and at least you can then take action to cover the risks with PII, for example, or manage them in another way.
To get the most from the risk assessment process, firms have to embed an expectation that this is a normal part of day-to-day operations and processes so that when Jane or Johnny comes up with a good idea, they know it has to pass the risk test first before it will get anywhere.
Undoubtedly, the process of assessing risk and predicting cost will be an art that is refined over time. In the early days, it can feel very much like an uncomfortable ‘finger in the wind’ exercise. However, there are real benefits to be gained, not least the quantification of what getting it wrong will actually cost. This could prove invaluable to a hard-pressed Head of Compliance when justifying spend in a non-income generating area.
If you would like to discuss how your firm can better understand and manage your risk, contact me or one of my colleagues.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.