Conduct risk – the risk of staff acting unprofessionally, unethically or illegally – has become a major concern for supervisors and banks, as Michael Imeson reports.

The huge penalties levied on banks in recent years for poor standards of behaviour, failures in operational controls, regulatory breaches and illegal activity has created a new term in the lexicography of risk management: conduct risk.

The inability of banks to manage this risk has resulted in severe cases of benchmark rigging, product mis-selling, sanctions busting, failures in anti-money laundering procedures, rogue trading, insider dealing and other transgressions. As a result, some banks have been ordered by criminal prosecutors, regulators and others in authority to pay hundreds of millions – often billions – of pounds, dollars or euros in fines and compensation.

“Regulators were already worried about risk culture because of the excessive risk taking pre-crisis, then we have had all these behavioural issues post-crisis,” says Patricia Jackson, head of financial regulatory advice, Europe, the Middle East, India and Africa, at EY. “It has really made the regulators concerned about the conduct of firms vis-à-vis their customers and the markets. Boards are concerned too because the fines and the reputational damage have been substantial.”

Global action

The Financial Stability Board’s Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework of Assessing Risk Culture, published in 2014, has done a lot to help banks understand and improve their risk culture, and guide supervisors on how they should be supervised.

One of the foundations of a sound risk culture, says the guidance, is that employees in all parts of an institution should “conduct business in a legal and ethical manner”. Effective risk governance is another foundation: the board of directors, the risk management department and the compliance function should have an important role to play in “conduct risk control”.

In addition, the Basel Committee is consulting on a revision to its corporate governance principles for banks. The consultation, which ends on January 9, 2015, has a strong focus on risk management. It includes proposals to strengthen the guidance on risk governance, including the risk management roles played by business units, risk management departments, and internal audit and control functions (the three lines of defence), as well as the importance of a sound risk culture.

One of the responsibilities of a bank’s board, says the Basel Committee, is to have a role in writing the bank’s risk appetite statement, which should include “qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices”.

Regulators have moved into the policy area and are telling banks that the three-lines-of-defence principle of risk management has not worked, says EY’s Ms Jackson, who is also editor of the just-published book Risk Culture and Effective Risk Governance. “In effect, it has been reduced to only one line of defence,” she says. “Only the risk function is controlling the risk, while the frontline – which should be the first line of defence – is just interested in revenue generation. Regulators are saying that the frontline has to own the risk.”

Ted Price, advisor, risk governance, for the Americas at EY, adds: “Supervisors are struggling with how to assess risk culture and conduct in financial institutions because it is out of their comfort zone. They are used to auditing things they can touch and feel, whereas culture is largely intangible. Supervisors are therefore putting together different kinds of assessment frameworks, and some have considered hiring psychologists.”

The European dimension

The European Banking Authority (EBA), in its June 2014 Risk Assessment of the European Banking System, noted that “detrimental business practices of EU banks continue to affect consumer confidence in banks and have an increasingly adverse impact on institutions involved”.

It added: “Inappropriate conduct such as mis-selling of banking and other products to consumers, failures with regard to rate benchmark setting processes, and alleged manipulation of markets for credit default swaps has already been mentioned in previous reports. However, the scope of alleged inappropriate practices is widening, and the magnitude of previously identified detrimental practices, for example related to foreign exchange trading business, is increasing.”

The EBA said that individual banks had paid out in the form of compensation, redress, litigation and similar payments aggregate amounts of more than €1bn in the previous year. “Such rising conduct costs in some cases substantially affect profitability of institutions concerned”, it says. As a result, there is “a need to keep conduct risks high on the supervisory agenda”.

In conclusion, the EBA recommended that risk cultures should be adjusted and that banks should “better integrate conduct of business concerns in their governance and risk management arrangements”. Current arrangements, it said, frequently fail to identify conduct of business concerns as “there often is no internal institutional definition of conduct risks, and most risk models applied in institutions fail to capture conduct risks”.

The EBA also includes conduct risk in its draft guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) under the Capital Requirements Directive IV. The final guidelines will be issued shortly, for national supervisors to follow from January 1, 2016.

The UK experience

The UK's Banking Reform Act 2013 not only introduced structural changes to the country's banking sector but took action to improve bankers’ behaviour. The measures taken included a criminal sanction for reckless misconduct if it leads to bank failure, a more stringent approval regime for senior bankers run by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), and the creation of the Banking Standards Review Council (BSRC).

The PRA and FCA are currently reviewing the responses to a joint consultation paper – CP14/13 Strengthening accountability in banking: a new regulatory framework for individuals – which will replace the Approved Persons Regime (APR) with something much stricter.

“The behaviour and culture within banks played a major role in the 2008-09 financial crisis and in conduct scandals such as payment protection insurance mis-selling and the attempted manipulation of Libor,” says the paper. The new framework will “mark a fundamental change in the regulators’ ability to hold individuals to account”.

The APR will be replaced with:

• A Senior Managers Regime, which will “clarify the lines of responsibility at the top of banks”, force banks regularly to vet their senior managers for “fitness and propriety” and impose tougher penalties.

• A Certification Regime, which will apply to a wider range of staff than under the APR, will require banks to assess the fitness and propriety of staff who are “in positions where the decisions they make could pose significant harm to the bank or any of its customers”.

• A new set of conduct rules – applying to all bank employees except those in exempt positions such as security guards or canteen staff – which lay down expected standards of behaviour.

The Banking Standards Review Council

The regulatory push is being complemented by industry initiatives, chief of which is the creation of the BSRC to promote high standards of behaviour and competence across the UK banking sector – standards that cannot be enforced by regulation alone.

Strictly speaking, the BSRC is not a true industry initiative because it is was recommended by the Parliamentary Commission on Banking Standards, after which the UK government told the UK’s six biggest banks and the biggest building society, Nationwide, to set it up.

The banks appointed Sir Richard Lambert, former director-general of the Confederation of British Industry, to get the ball rolling. In May 2014 he published a report stating exactly how the board should be organised and what it should do. The report said that the council should contribute “to a continuous improvement in the conduct and culture of banks and building societies doing business in the UK”.

Dame Colette Bowe was appointed the BSRC’s chairman in November 2014 by a selection panel chaired by the Bank of England governor Mark Carney and which included the Archbishop of Westminster. Executive managers are now being recruited. In the first half of 2015 it should be able to report on the state of banking standards and good practice.

Teaching good behaviour

The Centre for Commercial Law Studies at Queen Mary University of London has recently set up an Institute for Regulation and Ethics and is carrying out research into conduct risk.

“More should be done at corporate governance level to make sure that the directions from the top actually reach the ‘foot soldiers’ below,” says Dr Costanza Russo, the Institute’s deputy director. “Banks have realised that complying with rules is no longer enough. Some are sending very clear messages that aggressive selling is not an accepted practice, and most of them have sent their employees back to school to attend ethics and compliance training programmes. However, conduct will not improve unless the culture changes too.”

EY’s Ms Jackson agrees that ethics courses are important. But banks must still have hard frameworks in place to ensure accountability, to set the risk appetite and to improve risk transparency.

“If you go down the ethics training route, it has to be explicit case-study based training, so that when issues come up people know exactly what to do,” says Ms Jackson. “You have to make sure that everyone in the organisation lives by those values – they can’t always put profit first.”


All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker

For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Top 1000 2023

Request a demonstration to The Banker Database

Join our community

The Banker on Twitter