Financial Services

UK PRA warns firms of risks of working with deposit aggregators

Published on 4th December 2023

Regulator fires another warning shot across banks' bows in the form of a 'Dear CFO' letter

The UK Prudential Regulation Authority (PRA) recently published a "Dear chief financial officer (CFO)" letter setting out the steps deposit-takers should consider to mitigate risks from using deposit aggregators (DAs).

This is not the first time the Financial Conduct Authority (FCA) and PRA have highlighted potential risks with sourcing deposits via DAs. Back in April 2021, the regulators issued a joint "Dear CEO" letter on obtaining deposits via DAs in which they articulated their concerns. Since then, the PRA has sought to enhance its understanding of this business model by sending out a detailed information request to deposit-takers in April 2022.

As a result of insights gathered from the information request, the PRA has distilled its concerns into three main areas:

  • pay-out risk in relation to the Financial Services Compensation Scheme (FSCS);
  • liquidity risk; and
  • third-party risk.

This marks a real shift from the broader and wider-ranging risks set out in the 2021 Dear CEO letter. The Dear CFO letter provides examples of actions the PRA is expecting from deposit-takers when their deposit book heavily relies on deposits sourced through DAs.

Minimising friction in FSCS pay-outs

DAs operate under two key models. Under the direct model, their customers also become direct customers of the deposit-taker. This differs from the trust model, where the DA holds the deposit accounts on trust for customers who therefore do not become the deposit-taker's  direct customers. The trust model can create friction and adversely impact the speed and success of FSCS pay-outs in the event of a firm failure.

The PRA wants to ensure the FSCS can respond effectively to the failure of a deposit-taker that uses DAs. Firms should consider the following areas:

  • Verifying “absolute entitlement” to funds held on trust for underlying beneficiaries. This will ensure a similar level of protection to the direct model. Thorough and detailed legal reviews of all relevant contractual arrangements, including legal documents such as trust acknowledgement letters, will form a key part of this absolute entitlement verification exercise.
  • In a firm failure situation, the quality and management of data is key. Under the trust model, a DA must be in a position to provide the FSCS promptly with sufficient and accurate data on ultimate beneficiaries to facilitate swift pay-out. Deposit-takers  should sample test the ability of DAs to provide the relevant data in a timely manner, to enable the FSCS to make a fast pay-out, if required.
  • Sample testing "know your customer" (KYC) and anti-money laundering (AML) checks and regularly reviewing DAs’ KYC/AML policies and procedures will also assist in reducing friction for customer pay-outs in an insolvency event.
  • Proactively engaging with DAs to raise awareness of voluntary FSCS testing facilities for DAs.

Managing liquidity risk

The balance sheets of small to medium-sized deposit-takers have historically relied on  deposits from a DA. This presents a concentrated liquidity risk due to the sole commercial relationship between the DA and the deposit-taker. This is a point that was also specifically raised in the Dear CEO Letter in April 2021. To mitigate these risks, the PRA considers deposit-takers should:

  • factor potential correlation and concentration risk, in addition to the potential speed of outflows, into their management of liquidity risk and funding needs;
  • make appropriate assumptions around the correlation and concentration of funding in their internal stress testing to ensure compliance with the PRA’s overall liquidity adequacy rule; and
  • comply with the PRA’s Fundamental Rules 3, 4 and 5 to (i) act in a prudent manner; (ii) at all times maintain adequate financial resources; and (iii) have effective risk strategies and risk management systems. The PRA expects firms to have in place an effective limit framework to monitor and control the correlation and concentration risks associated with DA use.

Outsourcing and third-party risk management

Deposit-takers should manage their arrangements with service providers closely and prudently, consistent with the PRA’s expectations on outsourcing and third-party risk management. 

In particular, the PRA notes that its supervisory statement SS2/21 on outsourcing and third-party risk management is likely to be relevant to firms' relationships with DAs. Firms should, therefore, consider how the PRA’s expectations relate to the arrangements that they have with DAs.

Additionally, the PRA also flagged that the letter on innovations in the use of deposits, e-money and regulated stablecoins sent to firms in November 2023 will also be of relevance to deposit-takers that use DAs, although the regulator did not articulate the link between the two letters. This suggests there may be further developments in the near future.

What does the Dear CFO letter mean for deposit-takers?

The PRA requires CFOs to consider the recommended actions set out in the Dear CFO Letter in the context of the arrangements their firms currently have with DAs, or plan to have in the future.

The Dear CEO letter noted: "deposit aggregation is a relatively new and growing part of the industry and [the regulators] recognise the benefits the services bring to consumers. [The regulators] do not want to stifle competition or innovation, but [they] do want regulated firms to be aware of any potential risks as the industry develops. [They] are keen to work with firms to ensure that regulatory objectives are not compromised by the adoption of new business models".

Osborne Clarke comment

The Dear CFO letter has not come as a surprise, given the extensive work the FCA has undertaken in this area since the publication of its Dear CEO letter, including reviewing the information obtained as part of its information requests in 2022.

One thing is clear: deposit-takers will need to be seen to have taken the contents of the Dear CFO letter into account in their risk management activities. This means ensuring they can clearly evidence steps taken to mitigate risks across the three areas identified by the PRA. Whatever steps deposit-takers choose to take, senior management will need to be fully engaged and provide appropriate oversight at all times.

It therefore goes without saying that firms impacted by this Dear CFO letter should carefully review its contents and seriously consider taking the actions recommended by the PRA, or be ready to comprehensively explain why the recommendations do not apply to them. This is clearly an area of ongoing regulatory focus and, as far as the regulators are concerned, firms have now been warned.

If you would like help around any of the issues raised in the Dear CFO letter and their impact on your business, please contact our experts.

Share
Related articles
International Funds Focus Quarterly | April 2025
29/04/2025 3 mins
Supreme Court hears submissions in UK motor finance test case
17/04/2025 8 mins
How to navigate the UK regulatory landscape in financial services M&A
14/04/2025 5 mins
REGtape UK | Spring 2025
01/04/2025 3 mins
Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up