A few months ago, UK lender Barclays Bank announced that it had discovered a compliance breach from 2019 in its US operations. The bank sells structured notes, pre-packaged investment products which typically include assets linked to interest and one or more derivatives.
The breach occurred due to a complex chain of events. The US Securities and Exchange Commission (SEC) requires banks to register the dollar amount of exchange traded structured notes it will sell in a year. This dollar amount is called a "shelf registration". If a bank wants to sell more notes than it planned, it has to go through a regulatory process to register the additional sales.
In previous years, Barclays has held well-known seasoned issuer (WKSI) status, a right granted by the SEC that allows banks to sell more than the registered shelf amount without additional cumbersome filing requirements. However, in 2017, Barclays lost WKSI status. In 2019, the bank registered to sell US$20.8 billion of exchange traded notes and structured notes, but it actually sold US$15.2 billion more than that. Without WKSI status, those extra sales breached SEC compliance.
Pending an ongoing investigation, it's likely Barclays will make a rescission offer to buy back the unregistered securities and possibly pay fines. The total cost of the breach could top US$600 mn. Barclays has also had to delay a stock buyback that would have benefited shareholders and the bank will deal with increased regulatory scrutiny going forward.
Weak internal compliance exposed
In its initial statement on the issue, Barclays announced an investigation into the problem and the "control environment related to such issuances". And a few weeks ago, in an SEC filing, Barclays confirmed that the "material weakness that has been identified relates to a failure to monitor issuances of structured notes and ETNs under BBPLC's US Shelf".
Barclays has determined that its internal controls over financial reporting were not effective and the auditor attestation by KPMG was not reliable for the time period in question. The statement also implies that internal compliance processes hadn't been comprehensively updated to reflect the 2017 loss of WKSI status and the associated change in regulatory requirements.
Bad news tends to reverberate through the financial community, and Barclays' costly breach reveals that no organisation is immune to compliance gaps. Barclays takes compliance seriously. And the CEO, CS Venkatakrishnan, is highly regarded in the financial services industry and has extensive risk management experience. Barclays' predicament serves as a reminder to all financial services companies to review and fortify their compliance management.
Managing compliance in a changing regulatory environment
Barclays, like all banks, faces constant regulatory changes, and if the internal compliance mechanisms don't keep up, breaches will occur. Banks need systems that dynamically track changes, such as when special status like WKSI is revoked or proposed rules become law.
It's important to stay in touch with upcoming changes, as well. For example, this year, the SEC is expected to impose mandatory disclosure rules for environmental, social, and governance (ESG) practices, particularly around climate change. For many companies, ESG disclosure represents an entirely new set of obligations. They'll need a flexible compliance framework to handle those effectively, and they should start assessing the impacts and risks associated with the new disclosures as soon as possible.
With respect to status changes such as the loss of WKSI, banks need to review internal controls to ensure that the company registers extra filings and takes other regulatory steps as needed. Depending on how the company is structured, the change could impact dozens of departments and obligation owners. And they need comprehensive reporting which maps specific process updates to new requirements, so auditors and regulators have evidence of compliance.
Avoiding failures due to outdated assumptions
Barclay's history includes a stream of status changes with respect to WKSI in which the bank won and lost status or were granted special waivers several times over the past years. From a compliance standpoint, they lost track of their status, which points to possible disjunction in their compliance operations.
All financial institutions should implement a single source of truth for regulatory and compliance data which ensures that changes to controls, attestations, and requirements propagate through the entire organisation. Individual obligation owners will be using the same source of data as executives and third-party auditors, so no one is working from outdated assumptions.
Finally, banks should regularly run a risk assessment of their own compliance framework. With incident data from past years, banks can determine how well controls are operating and shore up vulnerabilities. Special programs, such as WKSI, represent a risk because they're not guaranteed and shifts in status will impact compliance even though the underlying law hasn't changed. Companies like Barclay that are granted exceptions to any regulations need to have an action plan ready in case those exceptions are revoked.
Barclays will pay a heavy price for letting compliance lapse, but their example could help others avoid the same problems. All banks have the opportunity now to review and revise their compliance framework before a ‘material weakness' becomes a global news story.
We live in a world of rules. Compliance with those rules is critical, not only to protect your organisation from regulatory actions, fines and reputation damage but also because it's the right thing to do to protect our stakeholders from risk we bring to them. Download our free Compliance and Compliance Risk Management ebook to find out more.