Corporate culture and conduct risk

In brief

Written by Regulatory Counsel Penelope Barclay and Partner Marc Kemp

In the last couple of editions of Unravelled, we have been exploring the increased interest of regulators, particularly in the UK and here in Australia, in corporate culture in the financial services industry, its impact on the integrity of the system, and what the regulators are doing to try to entrench a corporate culture that works for the benefit of consumers and investors.

In this article, we look at various aspects of the relationship between corporate culture and conduct risk.

Culture and conduct

In describing 'culture' in a regulatory context, the Financial Conduct Authority (the FCA) in the UK has said:

Culture is not something we can prescribe, nor would we want to – it is for firms to decide the type of culture they want.

But whatever a firm's corporate culture looks like, the fair treatment of customers and market integrity should be central – and it should not be undermined by people or business practices.¹

In ASIC's view, culture and conduct are bound up together:

From a regulator's perspective, ASIC is concerned about culture because it is a key driver of conduct within the financial industry. Bad conduct flourishes, proliferates and may even be rewarded in a bad culture. A good corporate culture uncovers and inhibits bad conduct, and rewards and encourages good conduct.

Given there is a strong connection between poor culture and poor conduct, we consider it to be a key risk area with respect to our role as a conduct regulator.

…In order to restore trust and confidence, it is unquestionable that we need a fundamental shift in the culture of the financial industry. Culture should not just be about maximising profits at all costs. It needs to change to one that focuses on achieving and rewarding good conduct and good outcomes for customers.

Good conduct means not just ensuring compliance with the law and not just avoiding the boundaries or grey areas of the law. It means focussing on and preferring the interests of consumers and investors in the long term. Most financial products and services that matter are intended to meet a long-term financial need, or at least to foster a long-term relationship.²

These statements indicate a move by regulators, since the events of the global financial crisis, to emphasise the importance of restoring trust and integrity to financial markets, and to recognise the relevance of how financial services organisations treat their customers, as ways of maintaining and improving the performance of the financial system. Previously, the emphasis had been on using more concrete and quantifiable methods, such as financial product and financial services disclosure, monitoring the resourcing of organisations (including ensuring the adequacy of their systems, staffing levels and financial backing), and improving the skills and experience of employees. Commercial outcomes, such as commercial certainty, reducing business costs, and the efficiency and development of the economy, had also, perhaps, been given more prominence by regulators than the interests of individual consumers.

What is conduct risk?

Although the FCA has been unwilling to provide a definitive statement on the meaning of conduct risk, ASIC has been more forthcoming, describing conduct risk as:

the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation's management or employees which can be caused by deliberate actions or may be inadvertent and caused by inadequacies in an organisation's practices, frameworks or education programs.³

This has been analysed by various industry commentators – eg Allens consultant⁴ John Morgan has noted the dual application of the definition:

conduct risk can apply to a whole range of cases, but it essentially comes down to the approach taken in in organisations to the way in which their executives and employees conduct their business and there are two sides to it. On the one hand, there is the question whether they conduct their business in compliance with the legal requirements, so there is a compliance element to it, but there is also the wider issue of conducting their business in an ethical and socially responsible fashion.

Given the current global regulatory climate, with its emphasis on trust, integrity and consumer welfare, it would probably not be advisable for organisations to confine their conduct risk analysis to a strictly legal interpretation. This poses obvious difficulties: financial services organisations need to comply not only with the law (which is particularly complicated in this area) but also with regulators' views of what is or is not 'the right thing to do'. While regulatory guides (such as those published by ASIC) may be helpful, they will not substitute for certainty.

However it is defined, a review of conduct risk needs to be integrated into an organisation's risk management program. Risk categorisation is a little problematic – it has been suggested that conduct risk is a new type of risk, but it seems most likely that it would be treated as a type of operational risk. Although the Basel definition of operational risk seems appropriate, defining the term as 'the risk of loss resulting from inadequate or failed internal processes, people or systems or from external event',⁵ it excludes strategic and reputational risk. We think that an organisation's operational risk management system would provide a starting point for conducting its conduct risk analysis.

Not new

The renewed interest in conduct risk is essentially just a change in regulator focus. Licensed financial services organisations in Australia have been required to have a comprehensive risk management system (RMS) in place since the Financial Services Reform legislation came into effect between 2002 and 2004. The RMS is required to:

Describ[e] the main risks your business will face focusing on risks that adversely affect consumers or market integrity [our emphasis] (this includes risks of non-compliance with the financial services laws). This must include details of:

1. the risks you have identified;
2. how they will arise;
3. their likelihood;
4. their potential impact;
5. measures you have in place to deal with these risks (i.e. to monitor, mitigate and manage the risks); and
6. the person responsible for managing each risk.⁶

Under Prudential Standard CPS 220 Risk Management, APRA-regulated entities are required to 'maintain a Board-approved risk management strategy that describes the key elements of the risk management framework that give effect to its approach to managing risk'.

Consequently, most financial services organisations in Australia will probably already have assessed to at least some degree, and put in place measures to manage, a number of the risks that are likely to be fall within the concept of 'conduct risk'. These would include market misconduct (such as insider trading and market manipulation), conflicts of interest and product design (including suitability for target markets, pricing and distributor incentives). However, it is likely that a major review of most RMSs will be required to incorporate the lessons learned from financial services-related litigation and regulator enforcement action that has taken place since the global financial crisis.

'Buying in'

Global regulators, including ASIC, largely agree that they cannot, simply through the introduction of rules and penalties, change the culture existing in the financial services industry and that, to be effective, change must come from within the individual firms themselves. Regulators also generally take the view that change needs to be initiated by the board and, in particular, by senior managers, who should set and clearly communicate the organisation's core values and whose behaviour must reflect those values.

To nudge investment firms towards taking responsibility for the establishment of a 'good culture', as discussed in last month's Unravelled, the FCA has introduced the Senior Managers and Certification Regime (SMCR), which compels individuals working in the UK's financial services firms – from the most senior managers through to entry-level staff – to be responsible and accountable for their actions.

For jurisdictions, such as Australia, where the regulator is taking a less directly interventionist approach, the question is how organisations can be convinced that it is to their benefit to modify entrenched cultural values and incentives, which have been profitable to date, to refocus on the long-term interests of investors and the benefits of market integrity. Here are a couple of possible approaches:

1. Cost considerations. ASIC has noted that between 2008 and 2012, the cost of poor conduct of the 10 most affected global banks was approximately US$250 billion; and that since 2011, the largest banks in the UK have paid almost 60 per cent of their profits in fines and repayments to customers.⁷

   Furthermore, in the case of banks, these costs will increase a bank's operational risk profile and its regulatory capital requirements: 'The "operational risk charge" which will take account of conduct risk, takes the management of legal risk from what was perhaps considered in the past to be a "soft issue" for financial services firms, firmly onto a quantitative, bottom line basis.⁸

2. Rational self-interest. The FCA considers that 'most firms now understand the value in getting it right and not simply the cost of getting it wrong, and the benefit of good conduct in terms of building customer trust and analyst confidence'.⁹ As ASIC Commissioner John Price noted in a recent speech:

   A positive culture, and the conduct that can stem from this culture, is fundamental to community trust and confidence. This, in turn, can have a positive impact on an organisation's growth and success and help distinguish itself from others.

   … Customers today have unprecedented access to technology, and they have greater ability than ever before to be fussy about whom they do business with and to 'vote with their feet'.¹⁰

3. There is a school of thought that the impact of rational self-interest could be extended by regulatory intervention and surveillance – eg firms that are observed to disincentivise their employees from complying with regulatory responsibilities could be penalised through the tempered and judicious use of regulatory mechanisms, such as the licensing regime.¹¹

Nonetheless, the modification of organisational culture is a long-term goal. Despite conscientious reviews of risk management programs, the implementation of new policies and procedures, specialised training and meaningful bottom-up validation, all designed to combat conduct risk, it may be some time before the effectiveness of these measures in bringing about cultural change will be clearly discernible in financial services organisations.