In the UK, the concept of Treating Customers Fairly (“TCF”) has been well-aired for many years. However, since the financial crisis, where the focus of regulators and regulated firms switched to risk management, TCF has been sidelined as a stand-alone concept. The term that is now an enormous part of the vernacular of the financial sector is Conduct Risk. Traditionally, there have been three main risk classes: credit risk, market risk and operational risk, but the financial crisis forced the growing prominence of liquidity risk and also conduct risk, with the latter posing an enormous challenge to the sector. Across the world, the regulators of the largest financial markets have also focussed on the conduct of financial institutions, but in many emerging markets, conduct risk remains a foreign theory – for now.
- What is Conduct Risk?
- Why Should Firms Worry About Conduct Risk?
- The Challenge of Managing Conduct Risk
- Identify the Risks
- Define Conduct Risk Strategy and Appetite
- Develop the Conduct Risk Framework
- Effective and Meaningful Management Information
How Can CCL Help?
What is Conduct Risk?
Before we move on any further, it is important to try and define
conduct risk or at least contextualise the term. To date, regulators have not provided a specific definition of conduct risk, since the term is so wide. Conduct risk covers any activity that a financial institution and its employees may be engaged in, where that activity may have a detrimental impact on market participants (customers and counterparties) or market integrity. This has considerable overlap with operational risk but goes further to include legal risk and strategic risk.
Such a far-reaching risk class is therefore inherent in almost all activities of a financial institution, making control of this risk a real challenge.
Why Should Firms Worry About Conduct Risk?
In the past five to six years, regulators around the world have levied large fines linked to misconduct by financial services institutions and professionals. Since the financial crisis, the size of these fines has increased enormously. Figure 1 illustrates the size and nature of regulatory actions in a number of jurisdictions, as reported in the financial media.
In addition to the regulatory actions facing firms that breach conduct regulations, companies face reputational damage, which can harm a firm’s business for years beyond the event. We have seen in many cases, share prices dropping considerably upon an announcement of a conduct-related regulatory action, and in some cases, exclusion from certain financial markets. Further to this, customer and counterparty relationships can deteriorate, which can have an enormous financial impact for years to come. Business relationships are about trust, so failings in relation to conduct can damage the trust that customers or counterparties have in a financial institution.
Another outcome of poor conduct on the financial sector is the development of new and more intrusive and restrictive regulations on financial institutions. The cost and restrictions of these, sometimes reactive regulations, can have a significant impact on a company’s bottom line, particularly in developing and embedding systems and controls robust enough to comply with the regulations.
In emerging markets across the MENA region, conduct regulation has not yet developed to the depth and sophistication of some of the jurisdictions mentioned in Figure 1. That said, countries like India (Reserve Bank of India; Securities and Exchange Board of India), China (China Banking Regulatory Commission) and Korea (Financial Services Commission; Financial Supervisory Service) are already implementing tougher rules relating to conduct. It is, therefore, no surprise that many regulators across the MENA region are considering enhancing their own conduct regulations.
The Challenge of Managing Conduct Risk
Considering the increased regulatory focus, the very large fines, reputational damage and the often intangible features of conduct risk, effective management is both essential and immensely challenging. So where should a firm start in managing this risk class? Critically, conduct risk needs to find a place in the Enterprise Risk Management (“ERM”) framework for it to be effectively managed. There is some dichotomy in approach as to whether conduct risk is a subset of operational risk, or whether it stands alone as a risk class in its own right.
The key question is, however: “how do you embed conduct risk into your existing ERM framework?” The approach is very similar to managing any risk class through your ERM framework:
- Identify and measure the conduct risks that apply to the business
- Define a conduct risk strategy that is aligned to the business strategy;
- Develop conduct risk appetite statements and metrics pertinent to the conduct risk strategy;
- Design the systems and controls required to manage conduct risk across the three lines of defence; and
- Monitor the effectiveness of the conduct risk framework.
Identify the Risks
Firstly, like the approach taken to understand any risk class captured in the ERM framework, you need to define and identify the conduct risks that apply to your business model. These risks will vary depending on each firm. For example, a full-service bank, with millions of customer, counterparty and market touch points each year has a radically different conduct risk profile from a private equity investment firm, which has a smaller number of touchpoints.
Let’s look at some examples of crystallised risks, in order to understand the variety of conduct risks better.
Wholesale conduct risk
An example of conduct risk in the wholesale market is the recent London Interbank Offer Rate (“LIBOR”) scandal. The previous LIBOR indexing system had banks submit details of the rate of interest that they are willing to pay to borrow from other banks. This information underpins the value of hundreds of millions of dollars of derivative transactions as well as other financial instruments, and as such, manipulating LIBOR can result in profit for certain market participants and individuals, depending on the nature of their financial positions. The risk here was that traders at banks were allowed too much discretion with a lack of oversight in their LIBOR submissions, thus making the LIBOR benchmark unreliable, which consequently undermined the integrity of financial markets around the world. In addition, the banks involved suffered considerable reputational damage, and many of the traders involved were fined and/or jailed.
Retail banking conduct risk
The Payment Protection Insurance (“PPI”) scandal in the UK is an example of crystallised conduct risk in the retail banking sector. Millions of customers with credit cards, loans or mortgages were sold PPI along with their lending products. PPI was hugely profitable, yielded very low insurance pay outs, did not actually cover many policy holders, and in some cases, customers did not even know that they had the policies, even though they paid large premiums. The mis-selling of this product changed the face of conduct regulation in the UK, with new rules introduced, along with fines and redress in the region of £35 billion across just a handful of institutions.
Investment management conduct risk
There are a number of conduct risks facing asset management firms. One of which is ensuring that customers are aware of the risks that the asset manager may take on their behalf. Some large banks have been fined for failing to clearly explain the risks that managers will take with their customers’ money, or by not following strict investment parameters agreed with customers in advance.
Commercial banking conduct risk
Similar to retail banks, many customers of commercial banks would not be regarded as sophisticated customers. One of the key services of a commercial bank is lending to small to medium sized enterprises, giving them liquidity and working capital. Conduct risks have emerged in some jurisdictions where commercial bankers underwrite a business loan, agree terms, but at the last minute add a condition of sanction to proceed with the loan, which is for the customer to take out an interest rate hedging products to manage future interest rate fluctuations. The issue here is that these hedging contracts are essentially derivative products written on a separate International Swaps and Derivatives Association (“ISDA”) Master Agreement. Apart from failing to understand the complexity of the derivatives, customers didn’t realise that the derivative contract runs separately to the loan agreement, often with significant breakage fees. Where customers paid a loan off early, they were left with large derivative fees to manage an interest rate risk that was no longer there. Also, where global interest rates dropped dramatically after the financial crisis, many of these customers could not participate in lower interest rates, due to their standalone ISDA agreement.
Define Conduct Risk Strategy and Appetite
Many firms have mission statements, value statements and codes of conduct, which are designed to define the system of beliefs that underpin an organisation’s culture. We know from the series of conduct scandals in recent years that these statements and codes are often just words upon paper, and do not really capture the culture of an organisation. In order to inculcate these values into the culture of financial institutions, the Board of Directors must develop a conduct risk strategy and appetite, supported by a governance and control structure to ensure that the values are embodied by all employees.
The conduct risk strategy should be closely aligned with the business strategy of the organisation, taking into consideration the existing and target customers, existing and new products or services, distribution solutions for interacting with customers, counterparties and the marketplace, as well as the competencies required to deliver the strategy. The conduct risk strategy should also define what good conduct looks like and should be synonymous with the mission, value statements, and code of conduct, with the aim to deliver agreed outcomes across the business.
Depending on the nature, scale and complexity of a firm, conduct risk appetite will differ considerably. In essence, conduct risk appetite statements should be based on core issues such as suitability of products and understanding of customer needs and knowledge; providing value to customers; avoiding customer detriment; and ensuring fair outcomes for external stakeholders. The granularity of the risk appetite statement is idiosyncratic. In the UK, for example, many firms have developed risk appetite statements across four core focal points: culture, product governance, sales/distribution process, and post-sales service. Each statement must be accompanied by a series of quantitative and qualitative Key Risk Indicators (“KRIs”) to identify potential issues before they arise as well as delayed indicators that arise after the risk has begun to crystallise. For example, a KRI that identifies potential issues before they arise could be sales numbers that exceed targets. A KRI for delayed indicators could be linked to complaints or cancellations following a sale.
Develop the Conduct Risk Framework
As stated earlier, the conduct risk framework should form part of a firm’s ERM framework. In addition to having a defined strategy, definition of risk and risk appetite statements, there needs to be specific controls and processes within the framework to help manage risk. Furthermore, there must be a strong governance overlay that assigns clear lines of responsibility and accountability across all three lines of defence. For example, second line assurance resources should not be involved in first line activities that could impede independence. The entire framework should then be supported by clear management information, disseminated and escalated to the right level of the organisation, with responsive mechanisms to tackle any areas of concern.
As is the case with ERM frameworks, the majority of the controls and processes exist across the first line of defence. The first line of defence could include some of following aspects of the conduct risk framework:
- Policies and procedures, including specific risk policies, sales processes, product guidelines and complaints procedures;
- First line governance arrangements that include management and sales committees, apportionment of responsibility and clear escalation channels to ensure appropriate oversight and accountability;
- Effective systems that record and store information critical for the firm’s understanding and communication of conduct risks;
- Periodic review of KRIs relevant to business units with agreed escalation paths for anomalous events;
- Outcomes testing by members of the first line to provide near real-time advice and assurance to the business that conduct risks are being effectively managed; and
- Training and competence regime that promotes a sound understanding of risk, and helps engender a risk averse culture of good conduct in line with the conduct risk strategy.
The role of the second line of defence should be independent of the first line activity. With regards to conduct risk, we would expect to see second line assurance activity carried out by the Risk and Compliance functions. Assurance across the second line of defence could include the following:
- Review of adequacy and relevance of risk appetite statements;
- Review of adequacy of risk governance arrangements, including policies, management information, escalation and management responses;
- Consideration of the appropriateness of remuneration structures, whether they drive the right employee behaviours, and whether there is a correlation between remuneration, sales statistics, cancellations and complaints;
- Reviews of product design process, and whether the agreed process was followed, including approval, launch and post-launch processes;
- Review of the treatment of existing customers vs new customers, considering any differential identified and any link to personal or departmental targets;
- Review of contract terms for clarity and fairness, considering relevant regulatory actions that may have taken place;
- Review of training and competence across the leadership team and distribution channels;
- Review of timely and accurate recording of risk information, events and near misses; and
- Qualitative reviews of culture across specific business units or geographies.
Finally, the third line of defence should provide independent assurance that internal controls across the conduct risk framework are effective, robust and fit for purpose. Internal Audit could consider reviewing any of the above-mentioned areas and more, but their review will typically focus on the controls surrounding the above, including the effectiveness of the second line of defence in reviewing, improving and embedding conduct risk management.
Effective and Meaningful Management Information
The key to ensuring that the conduct risk framework is working and that senior management understands the firm’s performance against the conduct risk strategy and the conduct risk appetites is by creating effective and timely management information (“MI”). As with all MI, it needs to be tailored to the audience in order to be effective. For example, a Board has a multitude of issues to consider in addition to risk, thus the conduct risk MI that is provided to the Board needs to be very high level, giving a single page overview flagging any failures in the conduct risk framework that has or could lead to external stakeholder detriment.
If we take a step down through the governance structure, a Board may have a sub Risk Committee, whose sole purpose is to consider risks across the business. This committee will have more granular MI that goes further into assessing performance against agreed metrics, considering the performance of the first, second and third lines across the risk framework as agreed, looking at high-level trends across the business that could indicate emerging conduct risks.
Further down the governance chain, the MI needs to be more granular and operational in its content. MI could be presented by business unit, by product, by region or demographic, or in fact in any way that a firm deems relevant to the nature of the risk. All of this MI should, however, be linked to the conduct risk strategy, and should feed into the bigger picture for senior management. Operational MI should also include trend analysis as a directional indicator for concern areas.
Timeliness of MI depends on the nature of the audience and the frequency in which the audience should or will receive reports. For example, a Board will require quarterly MI (providing that they meet quarterly), whereas a Risk Committee may require bi-monthly reports. Operational units may require reports as often as daily, though it is common for Operations Committees to receive monthly reporting.
Conduct risk is typically measured in outcomes i.e. what would be a good outcome for a customer, counterparty, or the market as a whole? As such, conduct risk reporting must be outcomes-focused in order to ensure that recipients receive sufficient information to assess whether external stakeholder is currently receiving the right outcomes, or whether there are any indicators that point to potential threats to delivering the right outcomes. Most MI reports quantitative data, but in the world of conduct risk, there should be plenty of qualitative data available. For example, customer feedback following the launch of a new product or surveys on interaction with a Wealth Manager. Qualitative data and analysis can tell a firm a great deal more about conduct than simple statistics.
Although conduct risk is a relatively new term and risk class, it is already well established in certain jurisdictions. The world of financial regulation has historically developed from Europe, North America, and a few other countries around the world. One thing for certain is that conduct risk will be adopted by regulators across the world, including the MENA region. Some regulators have already started down this path, for the reason that it makes your own marketplace a safer environment in which to invest and interact. It is therefore important to be ahead of this curve, and begin thinking about what conduct risks your business faces, and what can be done to start managing that exposure before conduct failings lead to regulatory actions, reputational damage and financial loss.
What can CCL do to help?
- Help identify the conduct risks in your business
- Advise senior management on how to control these risks
- Advice on the design of effective governance structure
- Create committee terms of reference
- Advise on the appropriate allocation of responsibility
across the three lines of defence
- Update compliance documentation to manage conduct risk
- Create monitoring programmes that test for stakeholder outcomes
- Review and report on conduct risk frameworks
- Carry out independent outcomes testing