The big risk everyone talks about in banking circles these days is “conduct risk.” Regulators harp on it, the new Senior Managers Regime in Britain aims to tame it, and lots of boards worry about it.

Now we just need to define exactly what it is.

The regulators talking about conduct risk do use some tough language about it. Tracey McDermott, director of supervision at the U.K. Financial Conduct Authority, recently stated: “We treat conduct risk like any other risk, and with a risk this big, you need to give us a very good reason why you are not taking proactive steps to manage it.”

Conduct risk can also be seen as the goal of the Senior Managers Regime, which went into effect for British banks earlier this year; the intent is to hardwire responsibility for good conduct into the firm’s governance, by holding senior executives accountable. The Prudential Regulation Authority in Britain and the New York Federal Reserve Bank are also working to raise awareness and focus on conduct risk.

The Bank of England and the Financial Conduct Authority recently published results of the Fair and Effective Markets Review (FEMR), which requires that broker-dealers should act in the best interest of all their clients. In the review, FEMR emphasizes the importance of “maintaining a principles-based approach to regulation instead of issuing highly prescriptive rules and measures around conduct risk.” In other words, as the markets evolve and expand, the regulators want to use a more flexible approach to manage rapidly changing risks.  

“Regulators understand that we cannot rely on the rule book to cover every single situation, and it is not practical to have a compliance officer watch over every bank employee’s shoulder,” said London-based Thomas Jacques, vice president at Greenwich associates, a provider of market intelligence and advisory services to the financial services industry. “The industry has been through a period of extensive change in the last few years; regulators have been busy updating the rules under which the industry operates.”

Indeed, conduct risk is an area that regulators have been eyeing closely. Germany’s banking regulator, BaFin, has stated that the country’s biggest banks would continue to face expensive misconduct cases.

In a recent interview with Bloomberg Business, Felix Hufeld, the head of BaFin, said that the pain of conduct risk has risen as financial institutions pay record fines for misconduct such as manipulating markets, allowing clients to break the law, and failing to disclose financial risks adequately. The expenses and associated increases in capital requirements have eroded banks’ capital buffers, which in turn hurts the banks’ profitability.

“Conduct risk frequently demands that a firm address the widest range of policies.”
Ray Nulty, Head of International Financial Services, Berkeley Research Group

Deutsche Bank, Germany’s biggest lender, has been slapped with more than €11 billion ($12.4 billion) of legal expenses, including reserves, since 2008. The bank ousted its co-CEOs in May amid ongoing grief about misconduct and regulatory issues. Shortly before their dismissal, BaFin sent a report from the director of its large banks division, Frauke Menke, to Deutsche Bank that seared its top executives for negligent oversight and for misleading regulators with inaccurate disclosures.

“Senior management of this business must face the allegations of having acted negligently in that, by creating the corresponding environment, it favored practices that exploited conflicts of interest and ignored organizational duties,” Menke said in the letter.

The recent focus on conduct risk marks a significant shift in mindset for most financial organizations. “Implementing a conduct risk framework presents the majority of firms with sometimes fundamental and often significantly broad challenges in both the scope and depth of the changes required,” says Ray Nulty, head of international financial services at Berkeley Research Group in Britain. “Conduct risk frequently demands that a firm address the widest range of policies, processes, people, technology, remuneration, and organizational changes to create a culture that is focused on delivering fair customer outcomes.”

Ira Steinbrecher, a policy analyst at BaFin, addressed the mounting challenges of an effective risk culture in a recent article, “Risk Culture: Requirements of Responsible Corporate Governance,” where he said that a healthy risk culture should be present in every organization regardless of the lack of a detailed framework. Steinbrecher said that companies should motivate employees to align their value system to a Code of Conduct.


The following is an excerpt from BaFin’s Ira Steinbrecher article, “Risk Culture: Requirements of Responsible Corporate Governance.”
“Tone from the top” refers to the behavior of the management board members. Members of the management board (Geschäftsleitung) have a role model function; their behavior should reflect the system of values they have defined, which is supposed to form the basis for the behavior of employees and the risk culture. They must develop a code of conduct which defines what sort of behavior is acceptable and what is not. The code of conduct should make clear that management expects ethically sound behavior from its employees, not just influenced by statutory requirements but to a considerable extent also by social expectations, and that management explicitly disapproves of illegal activities. Management board also has the task of ensuring that the system of values is communicated within the institution, paid attention to when assuming risks and linked to the risk management system and internal controls.
Apart from the behavior of the management board members, that of other senior staff is also important. They act as a link between management bodies and the various business units or departments and sub-departments. They therefore have the task of transporting the value system and risk culture and communicating them to these. Moreover, they should identify risks within their areas of responsibility, assess and monitor these and bear in mind the risk limits and the institution's value system while doing so.
Source: BaFin.

Also, firms need to be prepared for new provisions on the horizon as the demand for more accountability increases. “More extensive reporting requirements—which are intended to facilitate the establishment, promotion, and integration of a risk culture as well as adherence to it—are sensible and necessary to ensure effective controls by the management body and promote a sound risk culture, ” Steinbrecher said.

Revving Up Conduct Risk Awareness

Talk of conduct risk is not entirely new. Regulators (especially the FCA) have been pushing the concept because it is seen as a potential solution following the 2008 financial crisis. Many see it as parallel to all the regulatory changes that took place thereafter.

Nicolette Kost De Sevres, senior policy adviser at law firm DLA Piper, believes that Martin Wheatley (who stepped down as head of the FCA on Sept. 12) “planted the right seeds” with his aggressive push on conduct risk. He was one part of a two-prong approach the U.K. Financial Services Administration adopted, where it divided oversight into one agency with prudential authority over banking regulation, and the FCA monitoring conduct overall.  

Wheatley did make some progress, although he had a tough time taming conduct risk as well. In one public appearance after he had announced his departure from the FCA, he said he was “disappointed” to be moving on with “a sense of unfinished business.”

According to the Berkeley Research Group, fines levied by the FCA rose 50 percent from 2009 to 2014. Moreover, the pace of enforcement has accelerated as well: As of today, Berkeley counts more than 20 pending convictions for serious misconduct.

As a result, misconduct has been firmly established as a key risk banks should worry about. “The current enforcement data is from the LIBOR and Forex scandals, and it places conduct risk at the top of the agenda,” Nulty says.

In the United States, the New York Federal Reserve Bank has taken an early lead on conduct risk. A 2014 speech by bank President William Dudley talked about the need for internal surveys to not only benchmark conduct, but also identify conduct issues.

“Supervisors will need to see how these frameworks evolve, and more importantly, see evidence of how these efforts yield results in the form of more open and routine escalation of issues, consistent application of ‘should we’ versus ‘could we’ in business decisions, rigor in identifying and controlling of conduct risk, and how compliance breaches factor into compensation,” Dudley said.

This regulatory crackdown of conduct risk is expected to usher in a sea change. It is clear that the U.K. and U.S. watchdogs want to develop a coordinated global approach to bringing this subject global prominence.

“Regulators want to foster a healthy industry-wide culture, where all risk takers instinctively do what is right for the client and the industry,” Jacques says. “As the rules of engagement are increasingly finalized, regulators are able to focus on the key cultural aspects that will ensure this [conduct risk] framework operates in the best interests of clients, the financial services industry, and society at large.”