CAB Payments Holdings plc
("CAB Payments", the "Group" or the "Company")
Annual Report 2023 and Associated Documents
CAB Payments announces that its Annual General Meeting will be held on Thursday 9 May 2024 at 2.00pm at The News Building, 3 London Bridge Street, London SE1 9SG.
In compliance with Listing Rule 9.6.1R, the following documents have today been submitted to the National Storage Mechanism and will shortly be available for inspection at https://data.fca.org.uk/#/nsm/nationalstoragemechanism
- Annual Report 2023
- Notice of 2024 Annual General Meeting
- Form of Proxy for 2024 Annual General Meeting
The Annual Report 2023 and Notice of 2024 Annual General Meeting are also available in the Investors section of the CAB Payments Holdings plc website at https://cabpayments.com/investors .
A condensed set of the financial statements for the year ended 31 December 2023 together with information on important events that occurred during that financial year and their impact on the financial statements were contained in the Preliminary Results announcement made on 26 March 2024. That information, together with the information set out in the appendices to this announcement, which is extracted from the Annual Report, constitute the material required by Disclosure Guidance & Transparency Rule 6.3.5R which is required to be communicated to the media in full unedited text through a Regulatory Information Service. This announcement is not a substitute for reading the Annual Report.
- ends -
Enquiries
Lesley Martin
Company Secretary
Appendices
Appendix A: Responsibility statement
In accordance with Provision 27 of the UK Corporate Governance Code, the Directors consider that the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides information necessary to enable shareholders to assess the Company's performance, business model and strategy.
Each of the Directors confirm that to the best of their knowledge:
a) the consolidated financial statements, prepared in accordance with UK-adopted international accounting standards give a true and fair view of the assets, liabilities, financial position and profit and loss of the Company and the undertakings included in the consolidation taken as a whole; and
b) the Annual Report (including the Strategic Report encompassed within the 'Overview', 'Strategic Report', 'Performance' and 'Governance' sections) includes a fair review of the development and performance of the business, and the position of the Company and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.
For and on behalf of the Board
Richard Hallett
Chief Financial Officer
25 March 2024
Appendix B: Principal risks and uncertainties
|
Current context |
Mitigants and other considerations |
1 Business Risk |
|
|
The risks to the Group arising from:
· The business model or strategy proving inappropriate due to macroeconomics, geopolitical, industry, regulatory or other factors · Adverse events and media coverage that could negatively impact the Group's name and reputation thereby impacting its ability to achieve its strategic objectives. |
· The Group's business model and operations rely on the continued relationships with a diversified network of counterparties and partners including liquidity providers, Nostros and clearing agents across a spectrum of currency markets. · The Group is highly reliant on established relationships with a small number of key banks for clearing USD, GBP and EUR. · The Group provides access to emerging markets, with a level of concentration to sub-Saharan Africa. Significant changes to our partner network or key markets (e.g. general access, regulatory, economic, or geopolitical conditions) would have a corresponding impact on the Group's business, operations, financial performance and reputation. · Potential events may include: - Adjustments in the nature of our partner networks impacting access to local liquidity or clearing services - Changes to local economies including market structure (e.g. regulatory/central bank monetary actions); - Economic or political events (e.g. changes in government) - Translation risk associated with significant strengthening in GBP relative to USD. |
· The Board and Management periodically review and update the strategic plan, budgets, targets, emerging opportunities and threats.
· The Board and management track and manage, through governance, a range of metrics and early warning indicators to highlight emerging risks to performance: these continue to be developed and enhanced.
· The Group has a dedicated Network and Partnerships Function, who develop and manage our key local relationships; actions continue to be taken to ensure these are adequately diversified including key currencies such as USD and GBP. This function also tracks and reports regulatory changes and geo-political issues in these markets.
· The Group has a strategic risk register which tracks the top risks and the corresponding actions planned and underway to mitigate these. This is reported periodically to the Risk Committee and Executive Risk Committee.
· The Group has a medium-term strategy in place to continue diversifying revenues across geographies, clients and products. |
2 Financial crime risk |
|
|
The risk associated with criminal activity in the form of money laundering, terrorist financing, bribery and corruption, sanctions, tax evasion and fraud. |
· One of the Group's core offerings is correspondent banking and payments services. This product is in high demand. It facilitates inclusion and allows corporates, individuals and our clients to conduct millions of transactions across the world on a daily basis. However, this type of product can be more vulnerable to money launderers, fraudsters, tax-evaders and sanctions breachers.
· The Group provides its services to clients based in global jurisdictions, including across Africa, the Americas and Caribbean, the Middle East, the USA, Canada and Europe.
· Transaction risk focuses on the nature and types of transactions processed and the inherent exposure it generates.
· Our increase in voluntary reports to competent authorities, driven mainly by the imposition of sanctions against Russia and Belarus during 2022 and 2023, and the resulting complexities of managing the sanctions risk, mean that NBFIs and MSBs are considered higher risk. They are more likely to offer services to underbanked communities, and to leverage new payment technologies which present new types of financial crime risks.
· There is generally a lower level of regulatory oversight and scrutiny of many NBFIs and MSBs. Trends of recent sanctions relating to deficiencies in controls of MSBs have been indicative of problems in mitigating financial crime risk in the sector. |
· To mitigate risks effectively, the Group has implemented strict onboarding and correspondent banking due diligence processes and procedures, as well as strong governance and client approval committees.
· A robust country risk framework mitigates the Group's exposure to high- risk countries. This framework includes complete prohibitions of some countries and detailed restrictions on others.
· Screening and monitoring controls enforce the framework, and the Group's employees have a strong awareness and understanding of the legal and regulatory environment in which they operate, including the relevant financial crime prevention provisions.
· On-going programme of investment in antifinancial crime technology and optimisation of system rule-sets. A new transaction monitoring system is being implemented in 2024 along with an upgrade to the transactions screening system.
· Regular training is delivered to ensure standards are continuously maintained.
· A dedicated Risk and Compliance Function provides oversight and undertakes thematic assurance activity to identify potential gaps and issues. |
3 Operational risk |
|
|
The risk of loss or other non-financial impact, resulting from inadequate or failed internal processes, people and systems, or from external events. |
· The Group is exposed to operational risk in executing its core business activities and seeks to manage this exposure in a cost-effective manner. · The Group is alert to the fact that operational risk has a broad remit, covering processes, people, systems and external events. It therefore has a risk appetite set at Level 2 risk types. The top level 2 risks at this level are: - Data management risk: The Group uses data (including personally identifiable data) in its activities to drive business outcomes. There is a risk of poor data quality and the requirements of UK General Data Protection Regulation and the Data Protection Act not being adhered to. - Execution, transaction processing and delivery risk: The Group relies on a combination of manual and automated processing to fulfil its obligations to its clients. Specific clients have bespoke processes that are performed by a select few. The Company as a listed entity needs to comply with the Listing Rules of the UK Listing Authority (the Listing Rules) for the first time. - Technology, information security and cyber risk: The Group relies extensively on the use of technology, including the inter-relationship between multiple third-party services, which is central to the processing and operating environment that services its clients. It is therefore imperative that the Group protects its clients, counterparty and employee data from theft, damage or destruction from cyber-attacks. The Group is acutely aware of the growing sophistication of cyber-attack threats across the industry. - Outsourcing, vendor management and third party risk: The Group is reliant on material vendors to support its technology infrastructure, architecture and certain applications. It is fully aware of the risks this reliance creates in delivering its products and services. The Group works closely with these suppliers to ensure the services they provide remain resilient. - People risk: Resource capacity and capability impact all risk-types, these are monitored frequently to ensure staffing levels reflect the size and complexity of the Group. - Operational resilience: The Group has identified its important business services and impact tolerance limits that form part of the Group's risk materiality assessment. This is in line with the PRA supervisory requirements (SS1/21). - Clients, products and business practices: The Group considers transformation and change risk within this Level 2 risk type. The Group offers three key products (see page 22) and there has been little change to them, or the underlying business practices. However, as the Group grows, the risks associated with transformation and change are becoming a priority. |
· The Group has an established Group Operational Risk Management Policy that details various tools that support the identification, assessment, management and reporting of operational risk, linked to the Group ERMF.
· The RCSAs are performed at a business unit level. All risks and controls are stored centrally within the Group's approved GRC system. The system has links to risks, controls, issues, assurance actions, Board metrics and other similar information, thus providing a holistic operational risk profile.
· Data management risk: The Group continues to monitor and mitigate data risk through governance structures. Data risk is assessed through the RCSA process at least once per calendar year.
· Execution, transaction processing and delivery risk: Processes are being documented, and automation considered, to ensure consistency and reduction of manual/bespoke processing. To comply with the Listing Rules, the Finance team has been strengthened with external subject matter experts, as required.
· Technology, information security and cyber risk: Protecting the Group's clients, counterparties, suppliers and employees remains a top priority. The Group is working on obtaining ISO 27001 and Cyber Essentials accreditation. The Group has recently completed a disaster recovery exercise and cyber simulation to continue to strengthen its operational resiliency efforts.
· Outsourcing, vendor management and third-party risk: The Group has enhanced its procurement and outsourcing framework and associated policies to align with the requirements of the outsourcing and third-party risk management supervisory statement (SS2/21).
· People risk: The Group deploys a number of attraction and retention strategies throughout the employee lifecycle, including hybrid-working and competitive employee benefits.
· Operational resilience: The Group continues to embed a robust operational resilience framework and enhance contingency plans for the failure of key systems, processes and services to ensure a timely recovery.
· Clients, products and business practices: The Group has developed a New Product and Significant Change Policy that brings together the Group's transformation and change agenda. Key transformation projects are discussed at the Operational Risk Committee and the Executive Risk Committee as required. |
4 Credit risk |
|
|
The risk of financial loss arising from a borrower's or counterparty's failure or inability to meet their financial obligations in accordance with contractual terms |
· Credit risk is inherently generated through the Group's banking and financing activities; i.e. for example, through trade finance products, working capital overdrafts, Nostro balances etc.
· Counterparty credit risk arises due to FX/Payment related trading and derivatives activities where counterparties may be unable or unwilling to meet their financial obligations, including collateral obligations, as they fall due.
· Treasury related activities also generate an element of credit risk through its day-to-day placement of funds i.e. money market funds, HQLA portfolio etc. |
· Credit Risk remains a key focus for the Group given the current macroeconomic environment.
· Risk appetite thresholds are constructed with regard to regulatory requirements and internal assessments included within the ICAAP.
· An established credit policy is in place with portfolio levels exposure limits and a maximum individual counterparty exposure limit framework. The Credit Risk Committee provides individual counterparty approvals and portfolio level oversight.
· Robust individual credit assessment and monitoring frameworks ensure that credit risk is managed and mitigated in line with credit management objectives and risk frameworks.
· Counterparty FX and derivatives transaction risk is mitigated via an ISDA master agreements and credit support annexes, where suitable.
|
5 Market risk |
|
|
The risk of losses occurring from adverse value movements of the Group's assets and liabilities; principally relating to FX and interest rates. |
· The Group's market risk exposure occurs primarily through FX volatility and IRRBB.
· The economic and financial market uncertainties remain elevated, driven by elevated inflation and tightening monetary policy. Disruptive adjustment to higher interest rate levels, deteriorating trade or geopolitical tensions could have implications for FX rates and the value of the Group's Nostro balances. Alternatively, a decline in interest rates may compress net interest margin across the business.
· Adverse changes in FX rates can impact capital ratios given elements of the risk-weighted assets exposures are denominated in foreign currencies.
· Failure to account for foreign currency movements could result in an adverse impact on the Group's regulatory capital and leverage ratios. |
· An assessment of market risk drivers is conducted as part of the ICAAP, and to assess BAU and stressed market risk.
· Market Risk exposure limits are staggered, to constrain typical market risk exposure. The Group primarily trades in the FX spot market and risk appetite limits are set and monitored at both an aggregate and currency level.
· Defensive positions are typically taken to the extent that markets exhibit increased market risk events, such as during national elections.
· Interest rate risk in the banking book is driven by client deposit-taking, investments in the liquid asset portfolio and funding activities. The Group executes hedging strategies to ensure a predominantly matched profile and thereby mitigate the majority of the IRRBB risks that result from these activities. |
6 Regulatory and compliance risk |
|
|
The risk arising from non-compliance with laws and regulations governing financial services institutions in the markets in which we operate. |
· As the Group continues to grow in terms of increasing size and complexity it brings with it a complex legislative and regulatory landscape thus increasing the risks of legal or regulatory sanctions, material financial loss and/or reputational damage in the markets in which we operate. |
· Horizon-scanning is conducted to monitor upcoming UK regulatory changes.
· Responding to any regulatory request promptly.
· Ensuring that we have adequate permissions to operate in certain markets.
· CAB Payments partners with local providers that are typically regulated entities or locally licensed.
· The Group consults third-party legal counsel for new territorial expansions to ensure compliance with local regulations. |
7 Capital adequacy risk |
|
|
The risk of the Group having insufficient quality or quantity of capital, to meet its regulatory capital requirements and internal thresholds to cover risk exposures and withstand a severe stress as identified as part of the ICAAP. |
· The Group's capital ratios can be affected by various business activities and the failure to meet prudential capital requirements, internal targets and/or to support the Group's strategic plans.
· The key risk drivers with capital implications are credit risk, market risk and operational risk, each of which is addressed within its relevant section. |
· The Group has robustly defined capital adequacy thresholds, constructed in reference to regulatory requirements and maintain capital ratios in excess of these.
· The Group produces an ICAAP at least once each calendar year. Challenge and oversight of the ICAAP occurs at the Asset & Liability Risk Committee and Risk Committee before approval by the Board.
· Day-to-day capital risk exposure is managed by the Treasury function with oversight from Asset & Liability Risk Committee and the Group Treasury Committee, who monitor and manage capital risk in line with the Group's capital management objectives, capital plan and risk frameworks.
· If the Group were to encounter a significant stress on capital resources, a Recovery Plan is maintained which includes options to ensure it can remain sufficiently capitalised to remain viable. Recovery Plan metrics are regularly monitored and reported against. The Group's Pillar 3 disclosures contain a comprehensive assessment of its capital requirements and resources and are published separately on the Group's website.
|
8 Liquidity and funding risk |
|
|
The risk the Group cannot meet its contractual or contingent obligations in a timely manner as they fall due. Funding risk is the risk that the Group cannot maintain access to a sufficient stable funding base to maintain its liquidity. |
· The Group's liquidity ratios (i.e. LCR and Net Stable Funding Ratio (NSFR) can be affected by various business activities, either idiosyncratic or market wide, that could impact prudential liquidity requirements and corresponding business activities, and investor or depositor confidence.
· The key liquidity risk drivers are depositor outflows, and intraday liquidity requirements. |
· Funding and liquidity risks are managed within a comprehensive risk framework in reference to regulatory requirements and internal thresholds to ensure there is no significant risk that liabilities cannot be met as they fall due.
· CAB produces an ILAAP at least once per calendar year. Challenge and oversight of the ILAAP occurs at the Asset & Liability Risk Committee and the Risk Committee before approval by the Board.
· The primary metrics used to monitor and assess the adequacy of liquidity are the Overall Liquidity Adequacy rule (OLAR), the LCR and NSFR.
· Day-to-day liquidity risk exposure is managed by the Treasury function with oversight from the Asset & Liability Risk Committee and the Group Treasury Committee.
· Treasury conducts regular and comprehensive liquidity stress testing, including reverse stress testing, to ensure that the liquidity position remains within the Board's appetite.
|
9 Conduct risk |
|
|
The risk that the conduct of the Group and its staff, towards clients (or in the markets in which it operates), leads to unfair or inappropriate client outcomes and results in reputational damage and/or financial loss. |
· Clients may suffer detriment due to actions, processes or products which originate from within the Group.
· Conduct risk can arise through:
- the design of products that do not meet client needs; - mishandling complaints where the Group has behaved inappropriately towards its clients; - inappropriate sales processes; and - behaviour that does not meet market or regulatory standards.
|
· Conduct risk is incorporated into the product approval process.
· Complaints are formally registered, investigated and responses provided.
· The Group has a Gifts and Hospitality Policy with an approval and logging process.
· All staff receive annual online training on conduct, ethics and culture. |