This article was paid for by a contributing third party.

Rethinking compliance – New approaches to conduct risk and surveillance

Improper behaviour by employees of a financial institution that has the potential to contribute to market instability – known as conduct risk – can have severe financial, regulatory, legal and reputational ramifications. This Risk.net webinar, in association with NICE Actimize, explores how lockdown measures put in place to combat the Covid‑19 pandemic have transformed the conduct risk landscape.

Jason Merritt, NICE Actimize

Conduct risk can be defined as any action by a financial institution stemming from improper judgement or behaviour by employees that can lead to customer detriment or contribute to market instability.

Mis-selling and rogue trading, for example, carry serious financial, regulatory, legal and reputational consequences for banks failing to keep a firm grasp of measuring and managing their conduct risk.

Conflicts of interest, weak monitoring and supervision, and products that are unco‑ordinated with overall business goals or unsuited to the customer’s needs all create conditions in which conduct risk thrives.

Conduct risk’s importance has been brought into renewed focus by new rule books in the post-financial crisis years, such as the UK’s new Senior Managers and Certification Regime. The Bank of England’s Financial Conduct Authority already has a pipeline of investigations for serious breaches of this new code of conduct.

“Conduct risk is a kind of ‘holy grail’ for regulators,” said Jason Merritt, director of business development at NICE Actimize. “They’ve focused on market abuse for a decade; they’ve looked at the efficiency and transparency of the markets through things like the revised Markets in Financial Instruments Directive (Mifid II). Ultimately, they want to get to a place where institutions’ management of conduct risk will drive all those programmes in itself.”  

For regulators, conduct risk represents an efficiency and, in some ways, a step closer to self-regulation. Regulators themselves have only a few hundred to a few thousand employees to provide oversight of thousands of firms employing millions of people, noted Al Silipigni, a conduct risk expert who has worked at several large banks.

“I think they believe that a lot of previous abuses would not have happened if there was a stronger conduct programme in place,” he said. 

“In the US, the Unfair, Deceptive or Abusive Acts or Practices regulations are the closest thing we have to a conduct risk law. The UK and the European Union have different requirements, but they also align closely with conduct,” he added.

For risk and compliance professionals, conduct risk also represents a new angle of risk management, taking a different slant on longer-established operational risk, governance and enterprise risk management approaches.

In some ways it is broader than any of those concepts. “Conduct risk overlaps op risk a great deal,” Silipigni said. “It usually includes things like strategic risk and reputational risk, which often are excluded from op risk.”

Tanya Weisleder, global head of conduct risk at Credit Suisse, added: “There’s a correlation to conduct risk in almost everything we do. We look at conduct risk as a risk that is horizontal across op risks we have throughout an institution.”

Conduct risk also represents a proactive approach to risk, by cutting out its root causes, rather than blocking and mopping up individual aspects of rule‑breaking.

“If you can identify somebody who is potentially riskier than somebody else, then maybe you can stop them carrying out fraud or market abuse in the first place,” said Merritt.

 

Who’s watching?

In many ways, lockdown measures put in place as a result of the Covid‑19 pandemic have put a spotlight on conduct risk because remote working – which has suddenly become the norm, at least temporarily – has made oversight of employees harder, and created conditions for potential workarounds or shortcutting of the usual systems and processes.

“For sales and trading, for instance, we’re obliged to monitor all electronic communications,” noted Silipigni. “On a trading floor, that’s easier to do when you don’t allow personal mobile devices on the floor, but when traders are working from home there’s less surveillance and less control over that.”

Financial pressure experienced by some employees during the pandemic period, together with relative lack of oversight during remote working, could encourage riskier behaviour. Merritt pointed to useful guidance issued by the Australian Securities and Investments Commission identifying “signs of improper behaviour”. 

“A lot of people – regulators and risk managers – are worried that the level of insider trading could go up significantly during the Covid‑19 pandemic,” Merritt said. “Suddenly, the potential for insider trading increases massively, because you have no-one overseeing what traders are doing at work. That temptation is obviously a major concern to the regulators.”

The longer-term economic effects of the pandemic mean more financial pressure on employees. When some members of staff are made redundant, other employees might fear the same, influencing their tendency to bend the rules while controls are laxer than usual.

“There’s a natural human instinct to say: ‘I need to increase my revenues’,” said Merritt. “‘I need to be the star performer in the team so that I don’t get laid off.’ That makes conduct even more important.”

The sudden shift during the Covid‑19 pandemic to many employees working remotely and needing additional benefits, such as day-care support, means an increase in fraud perpetrated by employees is inevitable, the panel admitted in response to an audience question. “Rolling things out extremely quickly, there is always a risk you take,” said Weisleder.

Silipigni agreed: “Covid-19 is driving firms to do things much faster than previously, and with good intentions. Any time something is rolled out quickly, without a lot of due diligence, it represents a risk for the company. I’m sure that, when we do a post-mortem and look back retroactively, we will find areas that were managed inconsistently and need to be corrected.”

 

Metrics for misbehaviour

Measuring conduct risk and its consequences in order to remedy them is a tough task across the many departments of large financial institutions. As with most aspects of op risk, it rarely boils down to the kind of firm number that, to a degree, makes credit risk or market risk so comfortable for bankers.

“There’s not a single metric for proactively identifying and remediating conduct risk,” said Silipigni. “We take an entire business view around our metric dashboards. We look at a number of metrics and triangulate them to see if there’s movement outside of our risk appetite or negative trends.” 

He acknowledged the inherent ‘roughness’ to any key risk indicators or key performance indicators around conduct risk, putting more emphasis on qualitative measures as well as general vigilance.

“There’s a lot of noise in the data,” Silipigni said. “Our metrics will become distorted given the volatility in the market, with businesses – even clients – facing financial difficulties and not engaging with bankers as usual because of their own business issues.”

Attributing causality for conduct risk is a problem, he highlighted: there is a temptation to blame Covid‑19 for negative conduct risk trends, such as customer complaints or alert volumes, just as employees may be tempted to use the pandemic as an excuse for slippage in their own standards or behaviour.

“It’s important that we pull out what is driven by Covid‑19 and what is really the underlying business model, the product or the process, to determine which is actually driven by which,” Silipigni added.

 

On the front lines

While conduct risk continues to rely on metrics and embedded controls and thresholds, Silipigni said he thought there should be increased focus on engaging with the actual risk-takers in the business, to understand the drivers behind the numbers.

He put great emphasis on simplifying products, procedures and processes on the front lines. Complex product designs and byzantine procedures are hard to monitor, Silipigni argued.

“I’d advocate a major focus on the products in your business, making sure customer need is embedded within the product construct, and understanding all the ancillary costs to products,” he said.

Complaints volume or time spent on training staff could outweigh the value of a complex and troublesome product that might seem a good earner, he suggested, involving some tough but necessary conversations with the business.

“If you’re de-risking your organisation, it’s not unreasonable to say, ‘even a product that appears profitable at the front end may have so many added risks to it that it may make sense to actually eliminate it’,” Silipigni said.

In a similar vein, maturity assessments are a useful tool for reappraising whether processes continue to contribute to success, he underlined. “Maturity assessments are ongoing, as opposed to point-in-time risk assessments.”

Weisleder warned that executing such plans and maintaining them as a continuous process through tools such as maturity assessments is “easier said than done”.

Silipigni favoured a pragmatist’s approach: “Pick your battles, because getting investment and engagement is always going to be hard. Looking at your whole spectrum, determine where there’s high risk and where you need to push most.”

Supporting numbers and metrics can then be brought to bear to show the business the ancillary costs associated with a product that they cannot see, he explained.

“Businesses need to understand, and it’s part of our job to educate them on the entire cost of a product,” he said. “I don’t think conduct should be the ‘land of no’, but rather to highlight what the risks are – and sometimes, when it comes to simplifying products, you can make the argument for cost efficiency, which can play well with the front line.”

 

Carrot and stick

Weisleder described a conduct assessment system for employees built over the past three years that evaluates employee breaches, and then evaluates the risks they pose.

“We use that as a key metric, marker and tool for us to learn about the environment, from low-severity policy reminders, up through to egregious misbehaviour that’s resulted in termination for some employees,” she said.

However, she underlined the need for proper incentives to promote the right behaviour, as well as the necessity of penalising breaches that result in conduct risk for the company. The system involves promoting a speak-up culture to encourage positive behaviours.

“You don’t want to just have the stick, there should also be some sort of carrot,” she said. “We’ve been working on reinforcing and encouraging those positive behaviours.”

She used the example of an employee accidentally sending out a client’s confidential information – something surveillance systems should pick up – but a conduct risk-orientated approach might also encourage employees to flag themselves.

“When somebody makes a mistake, having them raise their hand and positively escalate that without fear is something that we’re looking to address and promote this year, rather than just penalising them for a breach of company policy,” Weisleder said.

By using a spread of tools together, a high-quality picture can be produced. Alerts can flag potential market abuse and conflicts of interest; surveillance tools can track which traders are working late hours, building up a position or breaching risk limits; and employees should be encouraged to sound the alert themselves.

Merritt suggested using a combination of such proactive and reactive tools to provide the best conduct risk solution. “You can perhaps identify the riskiest person in that team,” he added.

With the right tools in place, Weisleder thinks this is a good time for conduct risk management, with banks in recent years making good progress in their understanding towards a more mature approach.

“It’s an exciting time for conduct risk, and we continue to charge forward,” she said. “There is still work to do – particularly in the education space – working with the front line to move past talking about conduct risk and through execution on the areas discussed, such as simplifying products and processes.”

“One of the things people should keep in mind is that conduct risk is really about outcomes rather than detailed rules, like many other regulations. Anything you can do within your firm to build sustainable business practices, to encourage appropriate behaviour, to recognise and reward appropriate behaviour, and to avoid harmful outcomes to customers and the marketplace is, in effect, driving your conduct risk programme,” continued Weisleder.

Conduct risk has much in common with previous ‘treating customers fairly’ regulatory initiatives, Weisleder suggested. “Sometimes people get confused and think ‘fair’ outcomes mean that every trade needs to generate great returns. That’s not the case – it just needs to be transparent. Individuals have to know the risk, and be able to handle and take on that risk.”

Watch the full webinar, Rethinking compliance – New approaches to conduct risk and surveillance in 2020

The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.
