Conduct risk is one of the FCA’s priorities for 2019. The question of how to respond to an increasingly bold and interventionist approach was the theme at the heart of the roundtable hosted by The Lawyer and Gowling WLG and attended by a top-notch list of risk, compliance and governance professionals from financial institutions.
There was much to talk about, as conduct risk is not a specifically defined term by the FCA. It expects a tailored approach, and so firms must develop a definition and structure that suits their own business models. It is generally accepted that conduct risk means actions of a firm or individual that leads to harm on customers or market stability. A conduct code should include mitigating for things like poor governance, conflicts of interest, poor culture, cost-cutting drives, business growth plans and, crucially for this discussion, individual behaviours.
Around the table
- Luca Amasanti, senior risk manager, Fidelity International
- Stephen Balonwu, head of regulatory compliance, EFC Private Bank limited
- Stuart Brown, compliance manager, Metro Bank
- Christianne Carrick, compliance, Santander
- Jeffrey Cheah, head of compliance and MLRO, Hua Nan Commercial Bank
- Robert Fleming, head of conduct SME, Aviva
- Kate Fulker, head of European compliance, Vanguard Asset Management
- Julie Jack, head of anti-financial crime, TP ICAP
- Tsambika Jeffries, head of conduct risk and governance, Legal & General
- Sarah Long, executive director, JP Morgan
- Chris Mumford, compliance manager, Hampshire Trust Bank
- Lisa Price, managing legal counsel, RBS
- Nicola Sneddon, lawyer, Aldermore Bank
- Ros Smyth, chief compliance officer, Europe, Bank of Montreal
- Netsanet Solomon, conduct risk, compliance, Standard Chartered Bank
- Kate Valdar, general counsel, Allica
- Andrew Yarwood, deputy chief compliance officer, Funding Circle
- Catrin Griffiths, editor, The Lawyer
- Ian Mason, head of financial sevices regulation, Gowling WLG
- Jonathan Chamberlain, partner, Gowling WLG
- Sushil Kuner, senior associate, Gowling WLG
The FCA has made a point of stating that firms should be moving away from prioritising profits over ethics, ‘tick box’ and overly legalistic approaches to compliance and complying with only the letter (rather than the spirit) of regulations. Firms must say it, and say it with meaning.
On top of these, diversity has become a key supervisory issue for the FCA, as research by the FCA has shown that firms with mono-culture suffer more governance-related issues than that of their peers.
Five questions the FCA routinely asks are:
- What proactive steps do you take as a firm to identify the conduct risks inherent within your business?
- How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?
- What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?
- How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make?
- Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?
Among other things, the group discussed creating a robust conduct framework, who is responsible for conduct risk, what tools are available to the FCA to bring enforcement action on conduct risk and what steps firms are taking to meet the FCA challenge on conduct risk.
The broad church of products that companies and law firms offer, and a changing landscape due to things like tech and social media mean that it is difficult to create a one-size-fits-all conduct policy that is FCA compliant. The discussion highlighted that those in charge of implementing compliance programmes face the tricky business of combining the elements of good conduct and compliance and putting it into a picture that people understand.
Embedding culture and defining risk
One issue that continued to arise when discussing compliance was the theme of company culture, and how to embed good compliance as a norm at all levels of a company in conjunction with this.
“”Embedding is actually really difficult. We are talking not just about senior management, it applies to junior employees too,” Gowling WLG’s Ian Mason noted.
Others echoed this sentiment, saying that when trying to introduce certain aspects of compliance from the outset, even those at the top end of the company asked, “what do you mean by conduct risk?”. In order to embed values, those responsible for compliance must find a definition of conduct risk that makes sense to anyone on the street, as it can be a nebulous term.
Some attendees said that many people that are in the higher ranks of companies do not even think they need to change anything in the culture as they do not have any visible compliance problems at present. This begs the question: if people think there isn’t a problem or risk of non-compliance, how can you put a framework around that?
The point was also raised that companies need to build a culture where people feel safe to escalate risks and, as such, ‘cultural constitutions’ need to be mindful of where employees’ responsibilities fall within a company. Where people are aware of their responsibilities, appropriate whistle blowing functions can be put in place and everyone understands their responsibilities.
Even in places where there is a well-established whistle-blowing structure, the fact that a company has this as isn’t enough. People have to use it. If nobody uses it, it doesn’t necessarily mean there isn’t a problem; it is no good to have that as a ‘tick box’ exercise if the regulators then later come in and find issues. This is a good example of where a structural change has been made but not embedded.
The discussion moved on to how you can ensure this is being embedded. One attendee suggested that a way to embed a culture of compliance is by integrating values into annual performance assessments and incentivising good behaviours.
One attendee said: “Even with this in place, you have to lift up a few stones and have a good look to make sure it works.”
The challenge of MI
Another challenge identified in the roundtable was the difficulty of finding the right MI (management information) to produce the right result. The FCA categorises MI as things like a new business register, business persistency, training and competence records, file reviews, customer feedback and compliance records. Guidance on its website says: “MI is very important in analysing trends, helping you forecast the future and solving any problems you identify. Firms should use it to monitor customer treatment, expectations and outcomes.”
The FCA gets MI from different strands of a business in an attempt to identify individual accountability – so it asks questions like: was that person aware of what was happening, and should they have been? It goes into the granularity of MI patterns.
“Instead of just identifying whether misconduct happened, the FCA are now tasked with identifying the root causes of misconduct. So they dig much deeper and look at things like MI, and they also look at how things got missed, in an attempt to identify individual accountability,” Gowling WLG’s Sushil Kuner pointed out.
“In one case related to this, a team found an issue within the company, but as it was filtered up the chain to senior managers it got lost; results and findings were being amalgamated into higher level figures for senior management which was hiding the issues at play,” she continued.
This showed that for MI to be really ‘meaningful’ and useful in the way the FCA expects, it needs to be received and communicated in the appropriate way.
Following on from these issues, a key challenge that plagues compliance functions within organisations is how a company can make people feel personally responsible for conduct risks. When the firm or company is being judged ethically from the outside as a whole, then that implies that each individual that makes up the company also holds that responsibility, including people in the lower echelons. Employees must know that compliance is their responsibility and not just that of the compliance team.
Another tension in this regard is that compliance functions are trying to address people that already think they have adequate process in place (a similar issue to that mentioned earlier about company culture), and are already doing the best for their clients. Managing people that don’t think they are a risk means they often aren’t receptive to change.
“We need to be thinking about making everyone a risk manager, whatever level you are at in the organisation,” said one attendee.
The FCA is increasingly taking a more holistic approach to tackling non-compliance and investigating cases earlier on than they would have done in the past. The introduction of SMCR is making it easier to identify who is responsible in the first place, and then the focus is on steps that individuals took to absolve themselves from liability. Broadly termed principles such as ‘treating customers fairly’ (TCF) mean that the FCA has more of a remit to open investigations into individuals at an earlier stage.
This has a knock-on effect for individuals as it increases the run time for an investigation, which used to take about a year end-to-end. Investigations now run for about two to three years because of the increased number of cases the FCA is taking on.
This has different implications for firms being investigated, which often opt to settle. However, settling isn’t an option for individuals and it can be personally quite damaging to take on compliance risk.
Regulators’ views are shifting on what companies’ responsibilities are, and the FCA is increasingly taking an interventionist approach on actions that can be seen as non-financial misconduct. Because of this shift, compliance means something different from what it did five or 10 years ago. There was a consensus around the table that there is now more of a focus on correcting things like sexual harassment and inclusion alongside things that are seen as financial misconduct. As one attendee said: “A lot of the issues faced aren’t things you can touch and feel, and so they have become increasingly hard to measure.”
Additionally, people’s work lives and social lives are increasingly bleeding into each other, with platforms such as LinkedIn and Facebook enabling this. As people’s personal lives become more visible companies are changing the way they deal with compliance inside and outside of work. It begs the question: what can be considered private? Companies are now introducing training on things like acceptable conduct on WhatsApp as well as on social media networks such as Twitter and Facebook.
This also filters into the question of reputational risk. One attendee made the point that it is easy to google someone you meet from a company and make a decision on whether to bank with that firm from what they have posted online. Employees are therefore just as responsible for their behaviour outside of work as they are while in work.
“The FCA don’t want to be seen as the morality police; they want to understand what is having an impact on your workforce,” commented Kuner.
A piquant example discussed with regards to monitoring morality outside of work, was the lawyer who hit the news earlier this year for evading train fares. One participant asked: “The question is, if you’re the firm that employs that person and allows that person to continue when you know that’s their behaviour outside work, what do you think they’ll do in work? It’s not just about reputational risk, it’s about a moral code too.”
“It’s very easy to withdraw from the trust account and very difficult to put it back in,” said another attendee.
Regulators are trying to broaden what is considered to be misconduct, and in this respect, companies must be careful about punishments. “What will stand up in court if we are overcautious about it?”
This shift has made companies think about introducing tailored training. One attendee said the training they now offer changes yearly and has different content for each department, using real life examples of things that have actually happened within the company so it is relevant and relatable.
International outlook: how does the guidance of the FCA translate?
Throughout the discussion, there was talk of the challenges faced by companies working across borders in multiple jurisdictions, and how compliance can be a tricky thing to translate.
Whether or not an international bank adopts the FCA line on conduct internationally regardless of local law is, indeed, a complicated line to navigate and also ties into the problems faced with embedding culture and ensuring all staff feel responsible for conduct risks.
“Is the culture top down, or is it a set of lateral values?” asked Catrin Griffiths.
“Trying to explain conduct risk to my colleagues at head office is one of the bigger challenges I face,” says one attendee from an internationally headquartered bank. We had a visit from the FCA and they asked us what our conduct risk is, which was a bit of a shock for managers. We’ve had a lot of dialogue with head office about why it’s so important and I’m trying to make a robust framework informed by the FCA that takes into account views from lots of different places,” explains one attendee.