As conduct risk management programmes reach maturity, many banks, capital markets and insurance firms are now facing the challenge of “embedding” conduct in the business—with the goal of making a lasting impact on the business.
Most financial services firms are not ready to close down their conduct programme altogether. Work continues apace on improving conduct risk indicators; understanding the impact of digital; and engaging on cultural change, for example.
However, many tactical initiatives are now ready to be handed over to the business. For example, banks, capital markets and insurance firms that developed tools to manage conflicts of interest are now focused on making sure these tools are used regularly by the business.
So what are the steps for embedding better conduct? There are two broad strategies: One is focused on aligning the programme activities with business owners, which I’ll cover in this post, and the other is on changing the business model and customer engagement, the focus of part two.
Step 1. Exit criteria and testing
To start, banks and financial services firms should know to what extent their change management initiatives have helped to mitigate risk. One suitable approach is conduct scenario testing.
- Financial firms can run simulations against past misconduct scenarios. For example, would current controls prevent mis-selling of investment products? How well would the firms detect collusion in commodities markets?
- Testing can also focus on future conduct risks, rather than precedents. For example, how well equipped are banks and their financial services peers to prevent digital conduct risks, insider trading or bad advice, or to consider the needs of customers who own products that are held a long time before vesting?
Step 2. Transferring responsibility to the business
The front office is the first line of defence and should own its conduct.
- Giving new conduct controls to specific owners from the business, and obtaining sign-offs from the business on the new ways of working, are two key steps in transferring responsibility.
- Banks and financial services firms should also consider how the conduct programme will impact senior managers, given the new personal accountability regulations. Do senior managers really understand what the financial firm’s key Conduct Risks are, and how they are being managed? Does this feature in their “Statements of Responsibility” or Codes of Conduct?
Step 3. Transferring responsibility to compliance
Although many conduct programmes are executed or driven by compliance, their impact on day-to-day compliance processes is not always straightforward. For example, how will the compliance function know whether the aforementioned conflicts of interest tool is still being used in, say, 2018?
- Compliance functions should perform a ‘reality check’ over time to allow controls to be properly used. Monitoring and testing are key compliance activities. The schedule should include testing the key conduct-related controls.
- Assurance through audit or monitoring functions is also an approach adopted by some clients.
- Ongoing conduct maturity assessments.
Step 4. Right-sizing global conduct
For most banks and financial services firms it has proved nearly impossible to implement a conduct approach that is perfectly consistent across the globe. Local nuance matters.
- For example, one approach is to agree that some basic compliance behaviours (such as completing training on time) are good indicators of the wider behaviour of financial services employees. It is these basic compliance indicators that can be benchmarked globally for consistency and used as an indicator of the culture and level of risky behaviour. This should avoid the challenge of trying to assess more detailed metrics such as the length of sales calls, which might not be directly comparable on a global basis, and where there may be questions about whether call length relates to good conduct outcomes in a given geography.
- Other, more advanced banks and financial services firms assign local in-country champions; take great care to translate concepts into local languages adequately; and then perform varying degrees of assurance to assess consistency with global values and standards.
Step 5. Programme overload
Many banks and financial services firms operate simultaneous programmes covering conduct risk, culture change, ethics, compliance transformation and similar topics. In addition, most are implementing related regulations such as the Markets in Financial Instruments Directive (MiFID) II, the Market Abuse Regulation (MAR), Packaged Retail and Insurance-Based Investment Products (PRIIPs), and so on. Managing dependencies across regulatory and growth initiatives is an important part of embedding good conduct in the business. It can help avoid an unintentional reversal of the conduct implementation by other programmes in the future.
In addition to these steps, banks, capital markets and insurance firms should re-assess their product set, customer data, testing and back-book of existing customers if they are to successfully embed conduct. I will turn to these challenges in Part 2.
Will Brett, Anne Godbold and Victoria Hale contributed to this post.