PRA has fined 2 entities in the HSBC group £57m for long-lasting historic failure properly to implement its Depositor Protection Rules. The failings occurred in HSBC Bank plc (HBEU) between 2015 and 2022, and in HSBC UK Bank plc (HBUK) from 2018 – 2021. The failings resulted from incorrect identification of accounts held with the banks by other financial institutions for the purposes of Single Customer View (SCV) reporting, and lack of proper governance and accountability around the SCV reporting process. It meant that many accounts that were FSCS eligible were not marked as such, which in turn had a knock on effect on the banks’ resolution planning.
PRA found that both firms had breached its Fundamental Rules 2 and 6 by failing to conduct business with due skill, care and diligence and failing to organise and control their affairs responsibly and effectively and had also specific rules in the Depositor Protection part of its rulebook. It found HBEU had also breached Fundamental Rules 7 and 8 by failing to disclose to the PRA things of which it would reasonably expect notice and failing to be properly prepared for resolution.
PRA makes clear its understanding that the banks have fully remediated the past breaches now.
Although the fine is high, and PRA was critical of the lack of correspondence with it once the potential issue had been identified, it noted that the firms fully co-operated with the investigation, admitted the facts and failings and undertook significant remediation efforts.
PRA found that:
- both firms had failed to assign clear ownership of risks and responsibilities for the SCV process, which represented a failing under the SMCR requirements and a breach of FR6. The purpose of the Depositor Protection Rules is to support firms with their plans for resolution, by requiring them to be able to accurately identify deposits eligible for FSCS protection and to be able to provide regulators with this information. Firms’ ability to produce a report on how they produce their SCV is key to this. At various times, the HSBC banks often produced only draft reports, which had not been signed off (as PRA requires) by the governing body. PRA says this was because of long-standing misunderstanding within the banks about this requirement. However, in the case of HBEU, PRA found evidence of the bank’s knowledge of non-compliance. Failings in post ring-fencing governance and data management also contributed to this breach
- both firms had breached FR2 through failing to produce the SCV effectiveness reports that the Depositor Protection Rules required, having SCV systems that did not meet PRA’s requirements and making inaccurate attestations to PRA
- HBEU had been advised on the requirement to include within the SCV process a system that would mark beneficial accounts in a way that would allow for immediate identification for FSCS eligibility but had not implemented the advice
- when HBUK was established, many individuals with subject-matter expertise on the Depositor Protection Rules moved from HBEU to HBUK, leaving HBEU without appropriate internal expertise, so it had to rely on HBUK staff. Both banks made required attestations and statements that the changes to SCV systems resulting from the ring-fencing met PRA requirements but HBEU lacked the governance structure properly to do so. Although the bank did not know this at the time of the attestation, it would not have been able to provide the requisite SCV report within 24 hours had it been asked to do so
- in 2019, PRA had asked for information on an HBEU client. The request included asking for an explanation as to how that client’s accounts appeared for SCV purposes. The bank replied that the accounts were marked as “ineligible” but said it would check that this was correct. It investigated, and concluded (wrongly) that there were no issues with the marking of accounts. It did not communicate with PRA again until April 2021, when it flagged a potentially material emerging issue
- the HBEU Regulatory Affairs team had escalated PRA’s questions to several other teams, and this led to multiple strands of internal investigations within the bank. As part of these investigations, the bank found first that the relevant client deposit accounts were eligible for FSCS protection and secondly that there could be a wider issue on accounts which were eligible for FSCS protection not being properly marked as such. At that point, an informal working group was set up, which gradually discovered further incorrectly marked accounts, but no-one updated PRA or told FCA. The group disbanded in 2020 but work continued to identify potentially wrongly marked accounts. By January 2021 an internal email noted that both firms needed to determine the extent and materiality of the errors in SCV reporting, and suggested they should consider any regulatory notification and reporting requirements. A review suggested the amounts in question were not material for HBUK but were for HBEU. Ultimately, a report was not made to PRA until April 2021. Finally, in June 2021, the banks notified PRA of the breaches they had identified. PRA said HSEU only became aware of the issue after PRA’s 2019 request, and from then on was on notice of PRA’s interest, yet waited 15 months to inform it of the potentially emerging material issue. This breached FR7
- once the firms had understood the issues, they put in place revised governance processes, took action to fix the issues and invested in depositor protection compliance. HBEU completed a full-scale remediation programme in May 2023, while HBUK made targeted corrections.