The consideration of culture and conduct risk has become the new normal. The details of culture and conduct risk expectations are not set out in a rulebook but have been articulated in speeches and are inherent in the approach to senior manager accountability regimes. Firms must continually demonstrate the qualitative culture and conduct risk measures in place. One of the most powerful means of measurement is in the consequences of those measures, particularly when a firm has chosen not to do something.
The question about whether firms had discarded potentially profitable business propositions due to culture and conduct risk concerns was originally asked in five annual surveys and associated reports on culture and conduct risk, which concluded in 2018. For 2020, the question was once again asked for the Cost of Compliance report.
A third (34%) of respondents said they had turned down a potentially profitable business opportunity in the previous year because of culture and/or conduct risk concerns. This was a slight rise on the 28% who reported discarding a potentially profitable business opportunity in the fifth annual culture and conduct risk report in 2018.
A firm choosing to avoid a potentially profitable activity is a powerful demonstration of culture and conduct risk policies working. Firms should document the reasoning behind all such decisions and aim to learn lessons, whether they were connected with the use of third parties, product design, undue complexity or other aspects of business activity.
There are distinct regional variations, with 46% of firms based in continental Europe and 41% of firms based in the Middle East reporting they had turned down potentially profitable business opportunities, compared with 19% in Canada and 24% in Australasia.
“The principles are the foundations of good conduct and should be an integral part of the operational process of planning or decision-making at all levels and as a way of overseeing and assessing whether the firm’s conduct remains appropriate. If firms and their senior management approach a business activity from the outset using the principles as a foundational guide, as part of the organization of activities and as a way of monitoring execution of activities, I am sure we would see considerably less unintended harm caused by misconduct. In short, what we need is less hindsight and more foresight.”
Mark Steward, executive director of enforcement and market oversight at the UK FCA, February 2020
The influence of culture and conduct risk on business decisions is also reflected in the resources devoted to considering such difficulties. The majority of respondents expect the cost of time and resource devoted to conduct risk issues either to stay the same or to increase in the coming year. Specifically, a fifth (17% of firms, 21% of G-SIFIs) expected a significant increase in the cost of time and resource devoted to conduct risk issues in the next 12 months — a result, perhaps, of the proliferation of accountability regimes and their link back into conduct.
From a regional perspective, more than two-thirds (69%) of firms in the UK expect the cost of time and resource devoted to conduct risk to increase in the next 12 months, of which 25% expect it to increase significantly. This compares with 61% of practitioners based in continental Europe and the Middle East expecting the cost of time and resource devoted to conduct risk to increase.
What is the single biggest culture or conduct risk your firm is facing?
Lack of accountability in business areas, they do not exercise a prevention of culture
[South America, Asset Management]
The challenges posed by culture and conduct risk are illustrated by the range of responses to the question about the single biggest culture or conduct risk faced by firms. The top two risks cited were the need to create a unified compliance culture and balancing competitive and compliance pressures. This suggests many firms are still finding it a challenge to implement and embed the measures needed to address such risks.
Culture, specifically being able to evidence change within the firm, is a theme which will loom large among board challenges during the year ahead. Practitioners said the single biggest culture or conduct risk facing their firm this year will be:
1. Creating a unified compliance culture.
2. Balancing competitive and compliance pressures.
3. Increasing regulatory requirements.
4. Evidencing good culture and conduct.
5. Embedding accountability.
Chart: What is the single biggest culture or conduct risk your firm is facing? Source: Thomson Reuters Regulatory Intelligence – Cost of Compliance: New decade, new challenges, by Susannah Hammond and Mike Cowan
The creation of a unified compliance culture across a firm, particularly one with several business lines and geographies, is a large task. The impetus must come from the board and be continuously championed by all senior managers. Equally, the firm must have policies and procedures which are tailor-made for the business. The board will need regular reports on the efficacy of those policies and procedures. The firm’s stance on culture needs to be supported by a control infrastructure covering a comprehensive suite of preventive and detective controls, the three lines of defence and an appropriate risk-aware approach to reward, recognition and, where needed, discipline.
“While the bank’s leadership plays a significant role in changing culture by setting the ‘tone from the top’, I believe that you would agree with me that board-level oversight alone would be insufficient if banks want all their staff to understand and live up to the desired culture. Therefore, it is equally important that the banks’ leadership cascade the ‘tone from the top’ down to ensure that the bank’s desired culture, values and behavioral standards are understood and shared by different levels of staff, through effective and continual communications and training.”
Alan Au, executive director (banking conduct) at Hong Kong Monetary Authority, January 2020
Regulatory developments and reporting
In 2019, TRRI captured 56,624 regulatory alerts from more than 1,000 regulatory bodies, averaging 217 updates a day. This was a slight decrease on the previous year, which is perhaps unsurprising as the regulatory agenda for 2019 did not include large regulatory developments such as the Markets in Financial Instruments Directive II (MIFID II), GDPR and Capital Requirements Directive IV (CRD IV).
The regulatory agenda for 2019 dealt more with progressing, monitoring and reviewing changes that had been initiated in previous years. The Financial Stability Board (FSB) set an agenda that included:
The European Banking Authority has undertaken work on Basel III, cyber security, operational resilience, data strategy and improving capital and liquidity requirements. The UK Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have undertaken work on improving capital and liquidity regulations, moving away from Libor, progressing the quality of regulatory data and conduct risk issues in retail banking.
In Australia, APRA’s four main priorities for 2019 were to maintain system resilience; improve outcomes for superannuation members; transform governance, culture, remuneration and accountability; and improve cyber resilience across the financial system. APRA reported that 2019 was a “year of reviews”, with the Royal Commission report on Misconduct in the Banking, Superannuation and Financial Services Industry, released in February, and the APRA Capability Review, released in July.
The survey showed that the amount of time compliance teams spend tracking and analysing regulatory developments has remained consistent on average in the last few years. The average compliance team spends one to three hours a week tracking and analysing regulatory developments.
The share of teams spending more than 10 hours tracking and analysing regulatory developments in an average week has fallen sharply, from 24% in 2014 to 9% in 2020. Those spending eight to 10 hours rose from 14% to 22% during the same period, while the four-to-seven-hour category has remained relatively stable (2020: 26%).
Between one and three hours a week seems too short a time for a compliance department to identify and agree actions with the business, given the volumes of regulations being progressed. There is evidence elsewhere in this survey that regtech solutions are increasingly being used, and this could make it easier to identify and communicate new regulations.
The figures may also indicate that senior managers in the first line are undertaking more of the analysis, with compliance teams identifying changes and passing them on to the first line to analyse, before monitoring the actions required for the firm to become compliant. This would also fit into the evolution of the various regimes to make senior managers more accountable for the parts of the business for which they have responsibility, including risks and regulations.
The most common form of regulatory reporting is through regulatory returns. The completion and submission of regulatory returns has been the subject of some scrutiny in recent years. For example, in 2018, a UK FCA “Dear CEO” letter on the quality of prudential returns urged CEOs of investment firms to review their regulatory reporting practices to ensure they were fit-for-purpose, complied with the relevant reporting provisions and produced materially accurate data.
The appropriateness of regulatory returns was highlighted in the independent review of the prudential supervision of the Co-operative Bank Plc. In 2019 the PRA imposed a combined financial penalty of £44 million on Citigroup Global Markets Ltd, Citibank N.A.’s London branch and Citibank Europe Plc’s UK branch for failings in relation to their internal controls and governance arrangements underpinning compliance with PRA regulatory reporting requirements. This was the first time the PRA had imposed such a fine.
At the end of October 2019 the PRA issued a “Dear CEO” letter confirming that it “ … expects firms to submit complete, timely and accurate regulatory returns. These expectations have not changed; the integrity of regulatory reporting is the foundation of effective supervision.”
The PRA said it would commission reports on financial institutions to look primarily at those returns required under the common reporting framework. In March 2020, however, the PRA said that, due to COVID-19, it was reprioritising these reviews and deferring them until later in the year.
Elsewhere, the Central Bank of Ireland (CBI) fined Wells Fargo Bank International 5.88 million euros for serious failings in its regulatory reporting capability and compliance. The CBI also fined the Bank of Montreal Ireland Plc 1.25 million euros for breaching a condition of its banking license. The CBI found the bank had failed to submit three operational risk returns, or to establish and maintain effective processes and internal controls to ensure compliance with the regulatory reporting condition.
The Monetary Authority of Singapore’s new reporting standards under the notices on submission of statistics and returns for commercial banks and merchant banks, known as Notices 610 and 1003 respectively, raise the bar substantially for regulatory reporting.
Governance and controls for regulatory returns
Firms should consider the following when deciding on measures to offset risks regarding regulatory returns:
Clear and accountable ownership – Under the UK Senior Managers and Certification Regime (SMCR) the production and integrity of a firm’s financial information and its regulatory reporting is a prescribed responsibility. This means that the responsibility for the accuracy, coverage and timely submission of regulatory returns should be allocated to an appropriate senior manager. This does not mean that this individual should complete all returns. There may be scope for delegating completion to another department or individual, but someone with accountability for the process should be designated. In jurisdictions where regulatory reporting is not a prescribed responsibility it could still be good practice to have a named senior manager with designated oversight.
Control framework – The owner of regulatory returns needs a control framework that ensures returns are completed on time and are accurate. The compliance department should provide assurance that all regulatory requirements have been allocated. This could be achieved by a mapping exercise that matches regulatory rules, returns and deadlines against internal processes, people and dates. The individual areas of the business that create the data must provide assurance that it is accurate and correct. The control here could be regular testing of the systems used, to establish that outputs are correct, or independent checking of the statistics used together with self-attestation that figures were accurate. The owner also needs assurance that deadlines have been met (perhaps by a diary system that flags deadlines and also allows those responsible to acknowledge completion of returns).
Monitoring by quality assurance (QA), risk and compliance or internal audit – A QA function should review each return before submission to provide assurance that the data are accurate and meaningful. Firms should also regularly review the processes that support completion of regulatory returns. This would include any formulae used to generate statistics.
Consistency – There may be timing differences between the completion of regulatory returns and other pieces of internal management information. As far as possible, it is important that the data used are the same and tell the same story.
Reporting – A report on submission, issues and conclusions from regulatory returns should be submitted on a regular basis to the committee responsible for operational risk and any other relevant committees. Regulatory returns should be a valuable source of information that can be used to begin investigations, not just seen as a chore that has been imposed on firms.
Training and competency – Ensure individuals producing the data have the necessary training and understand their jobs and the reasons for them.
Contingency arrangements – Procedures should also be put in place to cater for any problems that prevent the completion of returns; for example, system back-ups or alternative ways of gathering the required information.
Communication lines – Documented lines of communication need to be put in place, both internally for approval and awareness and, if required, with the regulator to give notice of late submission.