Conduct risk continues to be a hot topic. There are a number of reasons for this: everybody’s being fined for it, there is a continuous stream of regulatory requirements demanding it and, probably most importantly, no-one knows exactly what it is.
The FSA provided a definition in 2011 in its Retail Conduct Risk Outlook, which described it as “the risk that firm behaviour will result in poor outcomes for customers”. Since then, conduct risk does not seem to have been developed as a holistic concept. The FCA’s 2014 Risk Outlook only talks about ‘conduct risks’ and provides a variety of general types, including “information asymmetry”, “conflicts of interest” and “culture”.
The problem is that, in the same report, firms are expected “to adopt a holistic approach to identifying and mitigating the conduct risk arising from their activities”. This is why people are confused. How do you put in place a framework when you don’t know what the risks are that you are trying to prevent? It’s all a bit like finding Bigfoot – you think he’s out there because of the big holes in the ground, but you don’t know what he looks like or how to find him.
It’s not just the UK that has this problem. “We and the industry have just begun approaching this and I’m not aware of any international project right now trying to define conduct risk”, says Carolyn DuChene, Deputy Comptroller for Operational Risk at the OCC.
While the UK seems to be front-running in this area with the Banking Reform Act, accountability regime and LIBOR reforms, there is a huge number of forthcoming regulatory requirements, internationally, on specific aspects of conduct risk. In the EU, examples include MiFID II (client/product suitability) and MAD (market abuse). The German Retail Investor Protection Act (Kleinanlegerschutzgesetz) is noted for its product governance and marketing restrictions and Swiss regulation is also accelerating in this area. Meanwhile, the Consumer Finance Protection Bureau in the US has released 60 new rules in its 3 years of existence.
The fact is that standards in this space are necessary. There are many existing frameworks in place to manage conduct risks, e.g., ‘treating customers fairly’ (“A firm must pay due regard to the interests of its customers and treat them fairly” – PRIN 2.1.1) already applies in the UK. New requirements will need to slot into, or replace, these frameworks to avoid confusion.
Some practitioners view conduct risk as a logical extension of ‘reputational risk’. Many feel that it is a job for operational risk, the logic being that operational risk covers everything that isn’t financial risk (credit, liquidity etc.) and that they have a mandate from the BCBS to ensure “a code of conduct or an ethics policy”. But the recent review of the BCBS’ ‘Principles for the Sound Management of Operational Risk’ – the operational risk bible – does not even mention conduct risk. ‘Poor outcomes’ for a customer is a risk in any type of business (caveat emptor?). So, to what extent does it need to be managed?
The framework imposed on firms by the Basel regulations for operational risk takes a quantitative (as well as qualitative) approach to its management. Firms are required to a) identify the risks that are relevant to their business, b) categorise and assess them in a standardised manner (i.e., a standard approach to measuring the probability of occurrence versus the potential impact of that occurrence), c) put in place controls to manage those risks, d) monitor and report those controls’ effectiveness and e) repeat …
However, it is unclear whether a conduct risk framework should follow this approach or whether it needs to be managed completely differently. There are mixed messages coming from regulators. Tracey McDermott, Director of Enforcement and Financial Crime at the FCA, said in a recent speech: “For too long, managing conduct risks has been seen as a function for compliance and not the responsibility of the business”.
And Maggie Craig, at the FCA, speaking on MiFID II’s variety of product governance rules, said: “where the avoidance of risk to consumers is within a firm’s gift, it will need to be very clear why risk is being taken at all”.
Unsurprisingly, banks are currently implementing conduct risk controls in a number of different ways. In some places new conduct risk departments are being created to sit within operational risk, in others they are separate and independent. Some places have extended operational risk’s mandate, others give compliance the responsibility.
Obviously, changes this broad will have far-reaching implications for any global firm. Aligning similar rules, managing the iterative implementation timeline, ensuring suppliers are compliant and accounting for data management will be huge challenges.
Here’s hoping we can sort this out internationally.