Wyelands Bank was acquired in December 2016 by Sanjeev Gupta, the owner of the Gupta Family Group Alliance (GFG Alliance), a conglomerate specializing in the steel, aluminium and renewable energy industries.
Three years after the acquisition the bank’s business was primarily trade finance. This was the intended result of a plan to have the bank service business connected with the GFG Alliance.
The primary trade product was invoice discounting, which involved the purchase of debt owed by the buyer to the seller. The seller would be paid immediately, but at a discount, while the seller would collect the entire debt from the buyer on the invoice due date. The bank would therefore make a profit as a result of the transaction. According to the FRC decision the business was “largely funded by deposits from retail customers” and “[i]n many instances, the seller was a GFG Alliance member.”
The bank also had a number of asset-based lending products on its books, including block finance loans, special purpose vehicles, loans related to invoices, inventory loans and bridging loans. All of these loans were related in one way or another to GFG Alliance members.
Concentration risk
The bank’s audit committee reported in March 2019 that 84% of its business was “still being introduced by the GFG Alliance”. The concentration risk was obvious and there was concern at the PRA about the “sustainability of the business”. The PRA was also concerned at the possible undue influence over the bank by its owner, unrestrained by a hands-off board.
In a letter sent to the bank in July 2018 the PRA noted that:
- the bank’s risk appetites lacked granularity;
- its risk framework was not well defined; and
- its credit policies and procedures were not clearly articulated.
Crucially the PRA noted that at the time of its review the total amount of the bank’s loans “that were overdue exceeded 50%” of its capital base.
In June 2019 the bank was placed on the PRA’s watchlist because of its “reliance on GFG Alliance companies, a potential breach of large exposure rules, the sustainability of its business model and the nature and quality of its loan book.”
The PRA concerns remained unabated and on 22 July 2019 it ordered the bank to obtain a skilled person’s report to review the bank’s loans exposure.
PwC’s audit of the bank was in progress at this time and was signed on its behalf by one of its partners, a statutory auditor, on 26 July 2019.
In September and October 2019 the bank was prohibited by the regulators from transacting with members of the GFG Alliance. Then in March 2020 the regulator stopped the bank from entering into any new transactions and the bank’s board decided on a “solvent wind down.”
The FRC determined that while performing its audit PwC and its statutory auditor breached key regulatory requirements in the following areas:
| Breach | ISA | Breaches |
|---|---|---|
| Audit Risk assessment | 315 | Initial identification and assessment of risks: – Wider risks connected with related parties as a whole not considered – Inadequate consideration given to potential issues connected with the integrity or conduct of senior management or owners – Key developments relevant to the overall assessment of risk not considered – Complex customer arrangements disregarded during audit – Audit risks for loans not assessed and no plan developed to respond to the different risks associated with them The audit team also failed to revise the initial risk assessment in light of new information available |
| Audit of the banks compliance with laws and regulations | 200 220 250 | Regulatory correspondence and documents: – All relevant regulatory correspondence not obtained – The team did not exercise sufficient professional skepticism or react appropriately to the regulatory correspondence that was obtained |
| Audit of the bank’s related parties list and related party transactions | 200 220 500 550 | Risk assessment procedures to understand the type and purpose of related party transactions not performed Appropriate audit evidence verifying that related party relationships and transactions appropriately disclosed not obtained Failure to exercise adequate professional skepticism when the bank refused to disclose a quantitative measure of the proportion of GFG Alliance introduced business |
| Audit of the bank’s assessment of going concern | 230 570 | PRA concerns in the context of the business as a going concern not properly evaluated The bank’s own assessment to continue as a going concern not properly challenged and insufficient professional skepticism demonstrated This led directly to the auditor’s conclusion that there “was no material uncertainty” about the bank continuing as a going concern |
| Audit of the bank’s loans and advances | 200 220 500 505 | Adequate audit procedures to understand the bank’s lending business not carried out or documented Sufficient appropriate audit evidence to verify the existence of some of the loans on the bank’s books not obtained |
| Audit of the Bank’s provisions for expected credit loss (ECL) | 200 540 | The bank’s “debt stacking” assumptions applied by the bank not adequately evaluated The bank’s approach to ECL did not attract sufficient professional skepticism from the auditors |
The FRC called the auditor’s breaches “serious and numerous”. It concluded that the breaches ultimately stemmed from a single issue: “the failure of the audit team to properly understand the Bank’s lending and therefore the true extent of its actual and potential exposure to GFG Alliance members.” This was compounded by the failure to “appreciate and act” on the escalating concern by the PRA about the viability of the bank.
According to Claudia Mortimore, deputy executive counsel at the FRC: “The audit breaches in this case highlight the importance for auditors to have a full understanding of the audited entity and its business.” She went on to say that “this is particularly important where there has been a change of ownership and change in the nature and scale of activities.”
The consequences of the breaches were serious because they had the “potential to adversely affect a significant number of people” and “harm public confidence in the truth and fairness of financial statements in general.”
But the FRC also noted that they:
- were only limited to one year;
- were not intentional, deliberate, reckless or dishonest; and
- did not involve financial gain.
In response PwC also voluntarily carried out a root cause analysis identifying changes and improvements already implemented that “should reduce the likelihood of the breaches.”
Both the firm and its partner, the statutory auditor responsible for the audit, have been reprimanded by the FRC. A fine of £2,885,625 has been levied against the firm, reduced from £4.5m in recognition of its “exceptional cooperation” as well as “admissions and early disposal”.
The partner will pay a fine of £33,412 ($17,280), also discounted from £55,000 ($71,000).