The Importance of Internal Controls within Financial Institutions
A report from the National Audit Office (NAO) uncovered 28 “major” compliance breaches at the Bank of England, highlighting the importance of internal controls and governance in finance. These were compounded by 628 “minor” infractions in the 12 months to August 2023, which, for context, can include sending the wrong person an email.
The report is unlikely to do much for the reputation of a financial institution that suffered similar breaches in 2017 and 2019, and it highlights the significance of being proactive towards risk management. What are the implications of these breaches, the steps to take to address them and broader lessons for enhanced internal controls and compliance?
Understanding the compliance breaches
The findings from the NAO uncovered numerous breaches, ranging from misdirected emails to far more serious incidents which could involve undisclosed conflicts of interest at a senior level. The common themes across the board are lapses in regulatory adherence and an organisation where operational risk wasn’t appropriately monitored.
The NAO noted that since earlier infractions, the Bank of England had “made good progress” improving its compliance practices, including training and workshops to create a risk-aware culture. However, in a survey of the Bank’s employees, only 59% felt they could raise issues openly without a fear of “negative consequences”. It’s also worth noting that a 2022 survey of compliance professionals found nearly 60% felt burnt out. The two named causes were an inability to control outcomes and the pressure to not make a single mistake.
Lessons from past infractions
Echoes can be felt from the 2017 breach, which saw Deputy Governor Charlotte Hogg resign after it came to light that her brother worked for Barclays and that this had not been reported as a conflict of interest. Good governance comes from the top to create a culture of compliance throughout an organisation.
The institution has made a committed effort to improve internal controls since a 2019 article in The Times. It was revealed that several hedge funds had gained access to audio streams from the Bank of England’s press conferences before they were public.
The NAO noted the Bank had “developed a new, more substantive overall approach to managing non-financial risks, which are risks to the Bank’s operations or reputation that would not directly affect its balance sheet”. To give the Bank of England credit, most breaches were self-reported by staff, which attests to that. With that being said, the infractions in the report represented an increase from the previous year.
The reaction
The Chair of the Court of the Bank of England, David Roberts, was quoted as saying: “We welcome the National Audit Office’s report on the Bank’s management of legal, ethical and staff compliance risks. The Bank is committed to promoting the highest standards of integrity and ethics and will carefully consider the NAO’s recommendations.”
This was backed up by Meg Hillier, Chair of the Public Accounts Committee: “The Bank of England relies on public trust and its reputation for integrity to carry out its role. However, past incidents at the Bank and other public bodies have shown how failure to demonstrate integrity can harm an organisation’s credibility and reputation.”
These responses point to self-awareness within the institution that enhancing internal controls is a perpetual process. Simply doing enough to pass won’t suffice, as companies will soon be required to sign off annually on the effectiveness of their internal controls and governance, in accordance with the updated UK Corporate Governance Code.
Putting internal controls centre stage in banking
The report was followed by the news that Revolut are boosting their internal controls as they continue their bid to secure a banking license from the Bank of England’s Prudential Regulation Authority.
Revolut’s Chief Executive, Francesca Carlesi, has made strengthening internal controls a top priority for the company. “To become a bank is a very big responsibility so we want to be sure that once we become a bank we are ready to be one… We don’t want just to be the best player in the industry, we want to be the safest place where you manage your money, and becoming a bank gives all our stakeholders and our customers that additional safety.”
The prominence of safety and trust could well get regulators onside after Revolut suffered its own internal control issue in its 2021 accounts. Its external auditors, BDO, couldn’t satisfy themselves on the “completeness and occurrence” of a portion of Revolut’s income due to the design of its IT systems. This has now been rectified and given the all-clear by BDO.
Cytec Commentary
“Both the compliance breaches at the Bank of England and the prioritisation of internal controls by Revolut stress the importance compliance measures play regarding institutional integrity and public trust. Assessing past mistakes and encouraging transparency results in reduced compliance risk and stronger frameworks for internal controls. With rising regulatory requirements and expectations for accountability, proactively enhancing internal controls is vital for organisations to be seen as paragons in ethical standards both inside their industry and externally.”
Shervin Binesh, Cytec Solutions