The FSA’s internal report into the Northern Rock crisis has revealed a startling catalogue of regulatory failures, including basic mistakes such as not recording key meetings.
The report by its internal audit division, covering supervision of the bank between January 1, 2005 and August 9, 2007, when the crisis became apparent, uncovers huge failings on the part of individual supervisors and the regulatory structure.
The FSA’s supervisory approach to Northern Rock was based on a risk assessment endorsed by its Arrow panel, which assesses a firm’s strategy, capital and liquidity position and nature of funding, in February 2006.
The internal audit division found that formal records of key meetings were not made, so it was unable to assess analysis of the bank prepared by FSA staff for the Arrow panel alongside contributions from Northern Rock executives and external auditors. This went against standard Arrow practice.
There was also no formal requirement on supervisory teams to include any developed analysis, including comparisons with other banks, in material provided to the Arrow panel.
The report notes that such a requirement might have thrown light on key aspects of Northern Rock’s business model, including its high target for asset growth and high reliance on wholesale funding compared with its peers.
As a result of the Arrow panel assessment, no risk mitigation programme was put in place and the period between formal Arrow risk assessments was lengthened to 36 months from the 24 months proposed by the supervisory team.
Out of 38 firms in the major retail and wholesale divisions, Northern Rock was the only one not to have a risk mitigation programme in place during the assessment period.
As of August 2007, 63 per cent of major firms had risk assessment visits every 18 to 24 months, 26 per cent every 25 to 30 months and only 11 per cent – four firms including Northern Rock – every 36 months.
As a risk mitigation programme was not put in place, the FSA’s “close and continuous” supervision system for the bank became more important.
However, the report found that the FSA’s supervisory team had an “incomplete understanding” of C&C supervision.
The report says: “They did not evidence that they understood that it entailed the regular reassessment of the firm’s business risk profile and control risks as new issues arose.”
After the Arrow panel meeting in February 2006, there was only one set of C&C meetings with the bank during the period reviewed by the internal audit. These took place on April 30, 2007. The internal audit found agendas for the five meetings. However, there was a typed record for only part of one of them, so the audit could not ascertain what was discussed.
The average number of C&C meetings for firms in the FSA’s major retail groups division was 74 for the period audited, rising to 143 for the five biggest retail banks. Northern Rock had only eight meetings in this period.
The report also found that although the FSA expanded its Basel supervisory work in 2006 and 2007, including 10 visits to Northern Rock, the business risks discovered in these visits do not appear to have been factored into the FSA’s supervision strategy for the bank.
It says the rapid growth of Northern Rock’s lending book during the period covered meant that a number of other business risks emerged. None of these risks were recorded in the FSA’s internal management database, which triggers further action, and no changes were made to its Arrow risk rating.
The report says there was insufficient engagement by the heads of department responsible for Northern Rock, due partly to a lack of continuity and significant demands on their time including covering manager turnover.
It says the heads of department were “not proactive in ensuring there was a robust process that meant they built up a complete picture of issues or (in the absence of a requirement) in holding a periodic comprehensive stocktake of each firm in their portfolios”.
The report concludes: “We cannot provide assurance that the prevailing framework for assessing risk was appropriately applied in relation to Northern Rock, so that the supervisory strategy was in line with the firm’s risk profile.”