Corporate governance and tone from the top are identified as universal themes and essential components of conduct risk.
Managing and mitigating conduct risk continues to be one of the biggest regulatory priorities. How much progress has been made in the last year?
Conduct risk has become part of the new normal for regulated firms around the world. But, for all the continued discussions among regulators and senior executives, there are no easy solutions. While good customer outcomes and culture are often described, there is no single regulatory definition of conduct risk, which is why benchmarking is essential for firms.
With this in mind, Thomson Reuters' third annual survey on how financial services firms are managing conduct risk helps to identify distinct industry-wide trends against which firms can benchmark their own progress. The Conduct Risk Report 2015/16 surveyed compliance and risk practitioners from more than 260 financial services firms across the world, including banks, brokers, asset managers and insurers.
Given the sharpening regulatory focus on Global Systemically Important Financial Institutions (G-SIFIs), Thomson Reuters specifically asked G-SIFIs to identify themselves to enable comparison between themselves and other, smaller firms.
A brief history
Conduct risk as a concept was born from a post-crisis realization by regulators that the actions of firms are no more than the individual and collective actions of those who run them, the authorized firms themselves being no more than inert legal shells. As a term, “conduct risk” was invented by the UK Financial Services Authority and carried forward by its successor, the Financial Conduct Authority (FCA). In a speech in July 2015, Tracey McDermott, acting chief executive of the FCA, seemed to equate conduct risk to “risks to clients, market integrity or fair competition”; in other words, risks to the conduct regulator’s own objectives. The FCA has, however, consistently refused to define the term.
The regulators’ conduct risk expectations for firms initially concerned having the necessary processes and the willingness to use them to identify risks affecting the firm. Increasingly, however, conduct risk needs to be seen in the context of other aspects of regulatory policy; in particular “culture” and “personal responsibility,” which link and overlap with conduct risk. During 2015, there was a shift of emphasis away from firms identifying and mitigating individual conduct risks toward establishing a more holistic means of dealing with the risks. This does not mean that firms should take their feet off the gas in identifying the risks. That remains a crucial element, even if the regulators speak increasingly about culture.
Much effort was expended post-crisis in getting firms to adopt their own definition and approach to conduct risks and then to identify, measure and offset them. For example, mis-selling is a particular conduct risk in a firm that gives financial advice, particularly in the retail market. Relevant firms have therefore been encouraged to look closely at their advisory processes and make all reasonable repairs toward ensuring that any advice given will meet the standards required. Product provider firms have similarly had to address the risks of poor product governance.
Components of conduct risk
The survey shows that firms are still finding the definition of conduct risk a challenge, with 64 percent operating with no separate working definition of conduct risk. The picture is distinctly better in the G-SIFI population, where fewer than half (43 percent) of firms had not defined conduct risk. Despite the continued challenges, the figures are an improvement on 2014, when 81 percent of firms (74 percent of G-SIFIs) did not have a definition of conduct risk.
However, there appears to be international agreement about the main components, which are commonly described as:
- Culture, ethics and integrity
- Corporate governance and tone from the top
- Conflicts of interest
There are regional variations, though corporate governance and tone from the top are identified as universal themes and essential components of conduct risk.
Individual accountability at the senior level
The perception of senior individual accountability for the delivery of conduct risk has sharpened. Regulators around the world have made it clear that they will seek to hold senior individuals to account for breaches, particularly those that result in customer detriment or damage market integrity.
In the survey, 70 percent thought that the regulatory focus on conduct risk would increase the personal liability of senior managers (80 percent in the G-SIFI population). In 2014, two-thirds (67 percent) said that conduct risk-derived personal liability would increase (75 percent for G-SIFIs).
[Chart: Do you think that the regulatory focus on conduct risk will increase the personal liability of senior managers?]
This year conduct risk is seen as a key driver of greater personal liability for senior individuals. In early March, the UK’s new senior managers regime for banks and insurers was brought into force by the Financial Conduct Authority. The new regulation strives to make it easier to hold senior managers personally responsible for misconduct that happens under their supervision.
Board-level focus on conduct risk remains high, with half (52 percent) reporting an increase in the last 12 months. This ties in with half (51 percent) of firms having a senior manager responsible for conduct risk. In line with this, there is no letup in the expected cost of time and resources devoted to conduct risk issues, with 63 percent of firms expecting an increase in the next year.
Why approaches are changing
There are signs of an early but growing maturity of approach to conduct risk. Although a third of firms (32 percent) report that their firm’s approach to conduct risk is in the development phase, 37 percent state that it is implemented, albeit requiring additional work and resources. G-SIFIs have done the most, with 41 percent saying their approach is implemented but still needs additional work and resources.
[Chart: What are the key challenges to the organization when implementing conduct risk in the year ahead?]
More firms, particularly G-SIFIs, have defined it, and slowly but surely the concept and practices associated with good conduct risk are becoming the new normal for firms. But the journey is not over. Even as conduct risk begins to move into the implementation and embedding phases of its development, care, vigilance and investment are needed if firms are to deliver on the requirement of consistently good customer outcomes.
And it is not just firms that need to be seen to be delivering on strong compliance. Regulators around the world have made clear that they will seek to hold senior individuals to account for breaches, particularly those that result in customer detriment or damage to market integrity.
These regulators are on notice of the need to devote sufficient resources to understanding and challenging firms about their conduct risks, as well as looking at aggregate risks across industry sectors and markets more generally. As firms continue to deal with the challenges of conduct risk, further guidance is emerging that can be leveraged across sectors and geographies. In the summer of 2015, the FCA, which has taken something of a lead on conduct matters, set out five “conduct questions” to assist firms in deciding whether they are doing enough:
- How do you identify the conduct risks inherent within your business?
Firms cannot hope to mitigate risks until they are identified. The FCA noted that the investigation into FX manipulation revealed many of the same issues as were found following the Libor case, suggesting that firms had not learned from past experience.
- Who is responsible for managing the conduct of your business?
Firms need to encourage employees to feel responsible for actually managing the conduct of the firm’s business.
- What support mechanisms do you have to enable people to improve the conduct of their business or function?
Firms need to create mechanisms that are specific to them. The mechanisms can exist in any form, for example, new product approval committees for product providers. Training and induction processes may be relevant to set out the firm’s expectations of its staff.
- How do the board and executive committees gain oversight of the conduct of the organization?
The information flow up the hierarchy of the organization is Boards need to take conduct implications into account in every decision they make. The board’s own decisions are as much a source of risk as decisions taken elsewhere in the firm.
- Are there any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?
This is a catch-all question. The CEO is rarely a role model for employees, because the CEO is not able to interact meaningfully with every employee. Instead, the role models tend to be the more proximate “stars” of the firm: the top trader or the desk head.