PRA’s Dear CEO Letter Puts the Focus on Governance and Control


It’s been just about a year since the Bank of England’s Prudential Regulation Authority (PRA) issued the Dear CEO letter Thematic findings on the reliability of regulatory reporting, serving notice to firms that the agency has seen “a historic lack of focus, prioritisation, and investment in this area.”

It’s not a new problem but the letter has brought it into sharp relief. One year on, where are firms regarding the expectations around regulatory reporting and governance set out in the letter?

MCO’s Richard Pike and Paul Manson sat down with host Jawad Akhtar on VERMEG's FinTalk podcast Dear CEO: One Year On - Expected Progress and Next Steps for an insightful conversation about the implications of the Dear CEO letter and the response, or lack thereof, that they’ve seen in the industry to date.

The Dear CEO letter clearly states that the agency expects “all firms to submit reliable and accurate regulatory returns and for the regulatory reporting process to receive no less rigour than financial reporting.” The letter also notes that the agency has been “disappointed to find significant deficiencies in a number of firms’ processes used to deliver accurate and reliable regulatory returns. It was clear that multiple firms did not treat the preparation of their regulatory returns with the same care and diligence that they apply to financial reporting shared with the market and counterparties. For some firms, there had been a historic lack of focus, prioritisation, and investment in this area.”

The letter highlights shortcomings and concerns in three areas:

Governance and Ownership

According to the letter, senior accountability and ownership are fundamental to the integrity of regulatory reporting, and responsible executives should be empowered for effective oversight. When responsibilities are dispersed and not clearly defined, or pushed to lower levels of the organization, the agency has found poorly defined and fragmented processes that lack documentation and appropriate sign-offs.

Richard Pike reinforces that it’s important to have the right level of governance. Governance should be around process and controls at the senior executive level. Senior management should be aware of what’s going on in the organization, but it’s not an effective use of their time for them to be signing off on every individual report created across the organization. Learn more about Compliance Role and Responsibility Accountability.


A firm’s governance and regulatory reporting must be supported by “an effective and robust control framework.” Failure to implement adequate controls ultimately leads to errors in reporting. Paul Manson notes that most firms have reporting and sign-off policies and procedures in place. It’s a matter of formalizing and documenting them to get them to the better place required by the letter. Spreadsheets are not good at evidencing, and evidence is vital to proving regulatory compliance. Learn more about assessing the performance of controls.

An Oversight Framework to Keep Senior Executives in Control

Data and Investment

The PRA found that many firms have not prioritised investment in regulatory reporting and that focus is often placed on implementing tactical fixes rather than strategic ones. As Paul points out, the rigor that’s been put on financial reporting just hasn’t been there for transaction reporting. And getting the data for regulatory reporting along with quantifying responsibilities and ownership has been a complex process for a long, long time. It’s not a new problem, but the Dear CEO letter has brought it into sharp relief. Learn more about gathering compliance data across the organization.

Where are firms right now?

According to Richard, the letter makes it pretty clear that firms should be putting their regulatory reporting at the same level as their financial reporting, but he’s seen “a mixed bag” with regard to firms’ progress. For some firms it has really resonated and they are taking it seriously, others not so much.

To be compliant with the Dear CEO Letter, firms must put regulatory reporting on the same level as financial reporting throughout the organization. And not all firms are getting that. They haven’t yet raised the bar on transaction reporting and regulatory reporting compared to the way they do financial reporting.

Watch the on-demand webinar Taking the Broad View: Better Risk and Compliance through Holistic Oversight

What do firms need to do?

Most firms have long-standing financial reporting processes in place and employees with significant expertise in the area. On the podcast, the speakers share that they have found that you can look at the financial reporting processes that the firm has in place and apply them to the regulatory reporting process. Richard notes that the same principles, like data checks, developing key assumptions and ensuring proper reviews, also apply to regulatory reporting.

Richard reinforces that it’s important for firms to right-size their regulatory reporting. Smaller firms can take a relatively straightforward approach, but if you’re a larger firm that’s doing lots of different things you’ll need a more complex process. Growth by acquisition and an international presence will also require more complex systems and reporting.

As Jawad Akhtar points out, making the required changes to reporting and governance is not going to happen overnight. Richard calls out the need for developing a thorough understanding of your operating model and organizational needs before starting to look at systems, to make sure that the solutions that you implement are truly fit for purpose. He also advises firms to automate whatever they can, and to remember that it’s not just about the system pulling data but also really thinking about how governance and controls can be wrapped within the system. And to be truly effective, multiple systems and teams must be able to work together effectively.

Download the white paper Why Less is More - Consolidate Compliance Technology to Reduce Cost and Risk

Paul hopes that the letter will galvanize firms to take action to avoid a Section 166 Skilled Persons Review. And to do that firms really need to be thinking about what they really need to focus on. Richard and Paul have seen that many firms have conducted a gap analysis in light of the letter. If a firm hasn’t done that yet, they should make it a priority to look at the points in the letter and do an assessment as to where they stand. Regulators would expect to see that at the very minimum. Firms should also be documenting the decisions and approach so they can clearly explain where they are in the process to an auditor or regulator, along with why they are there. 

Listen to the podcast Dear CEO: One Year On - Expected Progress and Next Steps



What has MCO done to help firms prepare?

MCO recently acquired Governor software, with its focus on policies, risks and controls, to integrate compliance governance into their platform. MCO’s Know Your Risk solution adds a governance and control lens around the compliance and reporting process.

MCO's Know Your Risk solution allows firms to gain a holistic and aggregate view of their risk profile that helps compliance teams set regulatory priorities, identify gaps in policies and procedures and streamline operations.


Ready to learn more about how MCO offers comprehensive regulatory governance and oversight of compliance obligations? Let’s schedule a conversation.

Check out a video that explains Know Your Risk in 90 seconds.