Around the world, the finance industry is coming under ever-sharper scrutiny from regulators, a sceptical media and a suspicious public. The aftermath of the 2008 crash continues to reverberate through the industry, alongside scandals such as the misselling of payment protection insurance, sanctions busting and currency market manipulations, to name just a few.
Clearly, it will be some time before the industry’s reputation is repaired, but as financial firms and regulators discuss how best to move forward and avoid any repeat of past problems, one topic is coming to the fore: the notion of conduct risk. In a survey by Risk.net late last year, conduct risk was named as the second most serious problem facing the industry, with only cyber risk ahead of it. The Financial Conduct Authority (FCA), the Organisation for Economic Co-operation and Development and the Hong Kong Monetary Authority have released briefings, principles around the theme, although in various guises.
While the problem may be widely recognised, defining it is much harder. Another survey of compliance and risk practitioners, carried out by Thomson Reuters, found that 81% of firms were unclear about what conduct risk is and how best to deal with it. There was no shortage of ideas as to what it might involve, though. When asked to name the components of conduct risk, people cited issues such as ethics, corporate governance, conflicts of interest, remuneration and sales practices.
Such a broad range of issues invites a broad definition. The FCA does not give an official definition but has referred to it in the context of “consumer detriment arising from the wrong products ending up in the wrong hands, and the detriment to society of people not being able to get access to the right products”. It also outlines what it considers to be drivers of conduct risk (see below) and advises firms to define the concept as it affects them.
Drivers of conduct risk, according to the FCA
Accountancy firm Grant Thornton suggests businesses should think of conduct risk in terms of what you do, and risk culture as the way you carry out those activities. More specifically, conduct risk, according to Grant Thornton, should be thought of as the material risks that a business faces as a result of its activities. The firm proposes a risk framework that considers executive behaviour, judgments and decisions, employee behaviour and customer outcomes.
It is an issue for every financial firm and one that reaches into every area of business activity, from the wording of a contract and the way IT updates are carried out, to the advice a bank gives to its customers. Getting it wrong can involve costs to an institution’s reputation but also to its bottom line if fines and compensation need to be paid. All this prompts the question of how a company can work out how much conduct risk it faces. Finding an answer is more art than science, but there are some ways to approach the task.
“Risk is generally regarded as a combination of two things: probability and impact,” says Ashley Kovas, an independent regulatory consultant and former Head of Compliance Policy at RBS. “What you need to do is sit down and ask yourself as a firm, what are the risks you’re running? What risks does your business model present to the customers you’re serving? On the back of that, you can start thinking about the impact. The probability comes down to how confident you are about the controls that you’ve got in place to deal with the risks. If the controls are rubbish then you’ve got a high risk.”
The broad nature of the issue means that dealing with conduct risk needs an equally expansive approach. Addressing it has to involve every part of a business, from the boardroom to the shop floor, with clear systems in place for training, auditing, reporting and taking action.
Risk culture checklist
Risk culture, says the FCA, is an essential ingredient in regulating conduct risk. When Clive Adamson was Director of Supervision at the FCA, he outlined the following list of things the regulator will consider when reviewing a firm’s risk culture:
• how a firm responds to, and deals with, regulatory issues
• what customers are actually experiencing when they buy a product or service from front-line staff
• how a firm runs its product approval process and the considerations around this
• the manner in which decisions are made or escalated
• the behaviour of that firm on certain markets
• remuneration structures.
It will also consider:
• how a board engages in the above issues, for example whether it probes high-return products or business lines
• whether it understands strategies for cross-selling products
• whether products are being sold to markets they are designed for.
“It needs to be an embracing process; you need ‘buy-in’ from the top right the way down,” says Kovas.
The Thomson Reuters survey suggests that some progress is being made, but that far more needs to be done. Although it finds that the majority of boards have been devoting more attention to conduct risk, 54% do not have a senior manager responsible for the issue, and only 36% have provided conduct risk training for all their staff.
Getting the right training, reporting lines and management control in place is clearly important if a firm is to successfully avoid the risks involved. At times, it might require changing the culture of an organisation too, which is a long and difficult process. However, it does not necessarily require wholesale organisational change. Dr Ariane Chapelle, Operational Risk Advisor and Director of Chapelle Consulting, suggests that firms should think of the issue simply as one of conduct rather than conduct risk, and address it in the same way they deal with other risks.
“Conduct ultimately gives rise to adverse effects rather than being a risk category in its own right, and that has important consequences in the way it is organised and managed,” she says. “It may be appropriate to suggest treating conduct like reputation, as part of a general risk management framework.”
No quick fix
Even when problems have been discovered and solutions identified, the complex nature of international financial institutions means that applying a remedy is not necessarily a straightforward or quick process – particularly for larger firms. A case in point is HSBC. In February, the bank said in its annual report that the monitor appointed to assess its anti-money laundering and sanctions compliance programme “did not certify as to HSBC’s implementation of and adherence to remedial measures”. The measures it refers to are part of a deferred prosecution agreement the bank signed with the US Department of Justice in 2012.
This is one of many such agreements the Department of Justice has struck with banks, but the US is far from alone in clamping down. Regulators around the world continue to sanction firms and individuals involved in what can be seen as conduct risk. Recent examples include a $30m fine that the Securities & Futures Commission in Hong Kong levied against JP Morgan in December last year for regulatory breaches, and the £1.2m fine issued by the FCA against wealth management firm W H Ireland in February this year for failing to ensure that it had proper systems and controls in place to prevent market abuse.
Other fines seem sure to follow as the industry continues to try and clean up its act. The FCA certainly seems intent on keeping the issue front and centre.
“Conduct infringements in the markets can, as we all know, ultimately deprive retail customers at the end of wholesale chains of enormous aggregate sums,” said Tracey McDermott, Acting Chief Executive of the FCA, in a speech in February. “It is an imperative, therefore, that we get this right.”
If the finance industry is to gain a reputation for being dependable and stable in the future, a cultural shift is exactly what needs to happen. The first step, though, is probably one of education as the industry gradually comes to terms with the concept of conduct risk.