Conduct Risk: What It Is and Why It Matters

By Jane Walshe

‘The lessons of the last few years illustrate clearly that firms need to take proactive steps to improve conduct. Without a firm foundation in identifying the conduct risks inherent in your businesses, it will be hard to manage conduct, let alone show us and others that it is being managed. We know that most firms now understand the value in getting it right and not simply the cost of getting it wrong, and the benefit of good conduct in terms of building customer trust and analyst confidence. However, there is a long way to go, and it will not happen by regulatory osmosis. Firms and individuals need to take responsibility for their own actions.’

Tracy McDermott, acting CEO of the FCA, July 2015, Wholesale Conduct Risk

What is conduct risk?

The global financial crisis led regulators to carefully examine root causes of market failure. Contributory issues were identified, relating to market structure, the pricing of risk and availability of credit, and inadequate capital reserves held by financial institutions.

An additional and significant root cause upon which a spotlight has fallen since the crisis relates to a concept less tangible than credit, market or liquidity risk, namely that of conduct risk, or more specifically, poor identification, mitigation and management of conduct risk. The term has not been formally defined by regulators, but in the UK guidance in the form of thematic work and speeches has elucidated what it is. The supra-national standard setting body the Financial Stability Board has also published widely on risk culture and governance.

Poor behaviour in retail financial services, as evidenced by various mis-selling scandals, as well as poor behaviour in the wholesale sphere, with the manipulation of Libor and Forex, caused regulators to recognise that how a firm, through its staff, conducts itself and the culture within which it operates are of equal importance to its effective operation as adherence to a set of rules.  This recognition that rules alone were not sufficient to ensure the right outcomes for customers, consumers and the markets marked the beginning of conduct risk as a concept – to catch issues around behaviour, tone and ethical standards that were not adequately addressed elsewhere.

A global approach

Although conduct risk as a concept originated in the UK, it has now been adopted more widely across the globe. In Australia, ASIC has been inspired by the UK approach and now expects the firms it regulates to have fully developed conduct risk policies.  In the Middle East, the DFSA has done extensive work on senior management behaviors and related issues, and in the USA, the SEC seeks to ensure consumer interests are front and centre of firms’ thinking.

Identification of conduct risk

It falls upon a firm itself to identify the conduct risks to which it is exposed, and no two firms will have the same conduct risk profile. There are commonalities, nevertheless, key among which are having the right ‘tone from the top’, incentivizing staff to behave in an ethical, fair and compliant way towards clients and customers, and on markets, and making staff accountable for their actions. The FCA has said that it will assess a firm’s culture, and by implication its management of conduct risk, by looking at a range of different measures, such as:

  • how a firm responds to, and deals with, regulatory issues;
  • what customers are actually experiencing when they buy a product or service from front-line staff;
  • how a firm runs its product approval process and the considerations around these;
  • the manner in which decisions are made or escalated;
  • the behaviour of that firm on certain markets; and
  • the remuneration structures.

The way in which a board engages in these issues will also be of critical importance.  A board should be looking to probe high return products or business lines, to fully understand strategies for cross-selling products, how fast growth is obtained and whether products are being sold to markets they are designed for.

The FCA also explained its approach to the interlinked concepts of culture, governance and conduct risk in a March 2015 Thematic Review into governance over mortgage lending strategies (TR 2015/4). The conclusions have application beyond mortgage lenders and can be read as an indication of the FCA’s general thinking in these areas.


We expect firms to have a culture that places customers, market integrity and competition at the heart of their business. Culture is evidenced through the way firms conduct their business, what they expect of their staff and their attitude towards customers. Firms must evidence such culture exists and is applied from the top and throughout all layers of the firm. 


The governance of firms is the process of decision-making and the process by which decisions are implemented by senior management and Boards. We expect Boards to be able to clearly explain the conduct risks within their own strategies, understand their own management information and how it influences good customer outcomes.

Conduct risk 

We see conduct risk as the risk that firm behaviour will result in poor outcomes for customers. A firm’s conduct risk profile will be unique to it; and there is no one-size-fits-all framework that can assess it. We expect firms to be looking at their own business models and strategic plans to see if they are identifying, mitigating and monitoring the consumer risks arising from them. They need to be considering customer outcomes equally alongside commercial objectives.


Further pointers on how to identify and manage conduct risk were provided by Tracy McDermott, then Director of Supervision, investment, wholesale and specialists (now acting CEO), in a speech delivered in July 2015.

Ms McDermott identified five conduct questions firms should be asking themselves:

1. How are the conduct risks inherent within the business identified?

A firm must ask the right questions of the business, conduct root cause analysis when problems are identified and learn from past mistakes.

2. Who is responsible for managing the conduct of the business?

The FCA expects firms to be asking themselves how they are encouraging their employees to be and feel responsible for actually managing the conduct of their business. Essential within this is encouraging the first line of defence, the business itself, to manage conduct risk. McDermott said that they understand their business better than anyone else; they know where the risks are and they should – if correctly incentivised – have the greatest interest in long term, sustainable good business practices. They need to understand that is part of their job and be helped to do it well.

3. What support mechanisms does the business have to enable people to improve the conduct of their business or function?

Examples of effective support mechanisms may be where new product and new business approval committees are robust and appropriately represented by the control functions, or by a firm having training and induction programmes that lay out its expectations of its staff. Further, management information should be provided to those in supervisory roles that is useful, timely and genuinely helps them supervise their staff. McDermott went on to say:

‘Ultimately this is also about creating what we sometimes call a culture of appropriate escalation, where people can speak up when they observe poor behaviour or are unsure about what to do. Too often people are unwilling to do this, or are penalised if they do.’

4. How do the board and executive committees gain oversight of the conduct of the organisation?

At a basic level, this is about what information the board and executive see, and how they take it into account in the decision-making.   McDermott acknowledged that although progress has been made in getting conduct issues onto board agendas, there is still some way to go in getting them to take conduct implications into account in every strategic decision and recognise that their decisions can have just as big an impact on the way business is conducted as the behaviour and decisions of those who report to them.

5. Finally, do firms have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?

Ms McDermott pointed out as an example the fact that most employees of any firm will never – or rarely – see the CEO. Their role models are not board members but might be the top trader or the desk head. If they see a colleague rewarded and promoted, even if their behaviour is not consistent with the values of the firm, this does not send a clear message that such behaviour is not tolerated.

Conduct risk, behaviour and culture - the developing picture

A number of initiatives are coming to fruition over the next year or so, as regulators seek to embed effective approaches to key elements of conduct risk throughout the industry. The advent of the Senior Managers’ and Certified Persons regime in the UK (effective 7 March 2016) will have a significant impact on UK deposit takers, and to a lesser extent Solvency II insurance firms.

The application of the SMR is being extended to those working in the fixed income, currency and commodities markets (FICC) including asset managers, as a result of a recommendation made by the Fair and Effective Markets Review, published in June 2015. Additional UK industry-led guidelines will also be forthcoming from the newly created FICC Markets Standards Board (‘FMSB’). The FMSB states its purpose as being:

“to define and sustain good practice standards for wholesale FICC markets and raise standards of behaviour, competence and awareness across those markets and among participants, thereby contributing to the fairness and effectiveness of these markets”.

In a speech accompanying the publication of the Fair and Effective Markets Review, Bank of England Governor Mark Carney said:

‘The importance and complexity of their task is illustrated by the multiple root causes of the misconduct in FICC markets. Specifically, the Review identifies:

– Market structures which presented specific opportunities for abuse, such as poor benchmark design, and which more generally were vulnerable to conflicts of interest, collusion, and thin markets;

– Standards of acceptable market practice that were usually poorly understood, often ignored and always lacked teeth;

– Firms’ systems of internal governance and control that were incapable of asserting the interests of firms – let alone the wider market – over those of close-knit trading staff;

– Individual incentives that were skewed, with pay packages stressing short-term returns over long-term value and good conduct;

– And personal accountability that was lacking, with a culture of impunity developing in parts of the market.

All these factors contributed to an ethical drift. Unethical behaviour went unchecked, proliferated and eventually became the norm.’

These comments illustrate how diverse the concept of conduct risk can be, encompassing low levels of personal accountability, skewed incentives and cultural issues around trader behaviour and camaraderie trumping the interests of clients and the market.

The point is that the behaviours identified in the FICC markets occurred in spite of myriad regulatory rules applying to them.  The failings show that rules in an ethical vacuum are ineffective. The regulatory drive now is to stop the ethical drift, by a mixture of new rules (the SMR as mentioned above), voluntary industry standards and codes, as well as requiring firms themselves to create systems and controls to mitigate conduct risk, and all that this entails.

The Banking Standards Board (BSB) is another UK non-statutory body that intends to work with banks and building societies to support their work on achieving cultural change and actively mitigating conduct risk.  In a June 2015 speech, BSB chair Dame Colette Bowe said:

‘… it is for the boards of banks to take responsibility for how the business delivers within this regulatory framework. And it is, more subtly, the responsibility of the board to influence the culture of the whole business – the famous “tone from the top” – AND to take responsibility for making sure that this is both understood and acted on in all parts of the business, from the committed top, through the middle and right across the front line. Moving from “tone at the top” through “action in the middle”. By the middle, I mean those hard to reach parts, which are found in any business, not just banking, where messages get lost, communication falters, and “tone from the top” can seem utterly remote from what people are actually doing.’

The FCA has also published Guidance for Performance Management, for firms with staff who deal directly with retail customers, which makes clear that ‘tone at the till’ is also important.  Therefore, firms now need to address conduct risks relating to personal behaviour, accountability and responsibility at all levels of their organization:  the top, the middle, and the front line.

What is now clear is that increased personal accountability, a key element of conduct risk, is set to become a reality across the whole of financial services, in due course. It is likely that other jurisdictions will watch the implementation of the SMR in the UK with interest and may seek to adopt elements of it into their own regimes, as they have done with conduct risk. The BSB has noted that the US regulators are watching their work with interest.

Embedding the management of conduct risk into the firm’s operation

As can be seen from the examples of current regulatory thinking provided above, the identification, management and mitigation of conduct risk in a financial services firm is not the defined responsibility of one particular group over another (although named board members are likely to bear responsibility for different heads of risk). The Board has an important role to play, but will only be able to make the right decisions if it has received the information it needs from those who report into it. The control functions – risk, compliance and internal audit – are therefore critical in gathering and analyzing information from the business, which means they need to be equipped to ask the right questions, so that they can identify if there is a risk of ‘ethical drift’, for example due to a particularly poor culture on a trading desk where activity is dominated by one strong personality. Lastly, the business itself, as the first line of defence, needs to understand and embrace the role it has to play in effectively identifying the risks to which its area is exposed, rather than leaving this task to the risk or the compliance functions.

Across all areas of the business, certain skills and behaviours will be of particular value in ensuring conduct risk is managed well:

  • Strong and open lines of communication, so that tone from the top translates into action in the middle and tone at the till
  • Coherent and co-ordinated reporting, both at firm and group level, and seeking to encourage a ‘culture of appropriate escalation’
  • Meaningful root cause analysis when problems are found
  • Swift and adequately resourced responses to problems, to rectify them, based on what is in the interests of the customer, rather than what it is expedient to do.

All of this must be achieved against an ever more demanding background of other regulatory initiatives, many of which overlap with concepts that are linked to conduct risk, for example the MiFID II product governance, remuneration, incentives, conflicts and best execution provisions that will apply to investment firms from January 2018, in the EU.

Accenture Fintech Lab: Where’s my unicorn?

By Jane Walshe

Strap yourselves in ladies and gents.  Brush up that beard; polish that table tennis racket and puff up the bean bag – yes – it’s start up time!  Or the Accenture FinTech Innovation Lab London to be precise.  20 early stage start ups – some more clueless than others – some more hirsute than others.  Deep breath, hold on, HERE WE GO!

Three weeks in, several close calls with my mental health, one insane valuation I don’t understand and lots of invaluable feedback and I’m starting to get the hang of things.

Where’s my Unicorn?

Amongst other things, so far we’ve had sessions with some Venture Capitalists looking for their next Unicorn.  These charming men (and they’re nearly always men)  are easy to spot because they wear very expensive cashmere jumpers and have lovely manners. They do – every single one of them.  I’ve yet to meet a VC who does not wear a kitten soft, pastel v-neck sweater.   And they tend to have great teeth.   So when they slowly sacrifice your start up dream on their altar of ever greater profits, you barely notice because your nostrils are full of their expensive cologne and your eyes are blinded by the whiteness of their smiles.  And still nobody has been able to coherently explain to me why it is that a start up with little or no revenue can be worth into the millions (and millions).  Call me old fashioned, but I just don’t get it.

The VC game is one of Russian Roulette.  They know that out of the firms they invest in, only a handful will do anything really big.  However, if the ones that do get really big, get really really big, the profits far outweigh the money lost on the less effective propositions.

So which one are we?  Will their number come up with Enforcd?  Or will my co-founders and I continue to fund the company with our overdrafts?  More anon on effectively navigating these shark invested waters, folks…….

Enforcd/BBA Webinar – Enforcement Update 2017

By Jane Walshe

On 9th February I joined Philip Allen of the BBA to deliver a webinar entitled “Enforcement Update: What the Regulator wants and expects in 2017”. Some interesting polling occurred which can be read about in a separate blog.

The main Enforcement themes this year were identified as

• Financial Crime
• Cybersecurity
• Individual accountability and culture
• MiFID II compliance

Secondary themes identified included supply chain risk management, including outsourcing and Market Abuse Regulation compliance (although this could be said to be included within financial crime). An additional area of risk was thought to be compliance with new Fixed Income, Currency and Commodities (FICC) Market Standards Board standards.

The themes were identified by reference to industry knowledge and what the FCA itself has said in the 2016/17 business plan and in a recent speech made by Enforcement Head Mark Steward. Reference was also made to the views of other industry participants on risks for 2017, most notably the Institute of Risk Managers, and Deloitte.

The only UK FCA case of the year so far, against Deutsche Bank for AML controls failings (netting them a fine of £163m a couple of weeks ago) was discussed. Further, whilst the webinar was in progress the PRA published their first case of the year. The Bank of Tokyo-Mitsubishi UFJ Limited was fined £17.58m and a fine of £8.925m was also levied on MUFG Securities EMEA plc because they failed to be open and cooperative with the PRA in relation to an enforcement action into BTMU by the New York Department of Financial Services.

Much industry discussion centring around the fall off in fines figures between 2015 and 2016 has speculated on a softening of approach to enforcement on the part of the Regulator. On 19th January Mark Steward forcibly dispelled any views of this nature when he said:

“Has light touch returned? Have we gone soft? For many of you today, the answer may be disappointing because it is a very clear ‘no’. We have not gone soft nor do we intend nor will we. Light touch has not returned”.

Senior Managers Regime Poll 2017

By Jane Walshe

On 9th February 2017, I joined Philip Allen of the BBA to deliver a webinar entitled “Enforcement Update: What the Regulator wants and expects in 2017”. This piece focuses on the polling that occurred during the hour, which provides an interesting snapshot into current industry sentiment around conduct risk and individual accountability – themes which are as prevalent as ever across the financial services industry.


During the webinar, the 260 attendees were asked to vote on three questions:

1. Use of tools to identify conduct risk

The first question focused on how well equipped firms feel they are to identify conduct risk.

Given the intangible nature of concepts like culture and conduct risk, it is perhaps not surprising that only 14% of respondents feel highly confident that they have the right regulatory intelligence and management information to identify, manage and mitigate the conduct risks they face. More encouraging is the 50% of respondents who feel reasonably confident they have what they need. Only 11% of voters are not confident at all or only marginally confident.

So, the results suggest that the industry is making strides towards getting the tools it needs to help it comply with regulatory obligations around culture and conduct risk, since 89% of respondents were in the middle or above with their assessment.

2. Individual accountability risks

The second question focused on when the first cases under the new Senior Managers’ and Certification Regime will start to be brought by the regulators.


68% of respondents were of the view that the FCA and/or the PRA will bring their first case against a senior manager under the new regime within the next 6-12 months.

12 months from now will mark just under 2 years of the regime coming into force. This is not much time for misconduct to be identified, investigated and proven.

Retrospective cases cannot be brought so although issues may have been in existence pre-SMCR, the failure to take ‘reasonable steps’ can only run from 7 March 2016. The regulator will face knotty legal issues if or when it brings cases against individuals that seek to straddle both the old APER regime and the SMCR.

It’s my view that it may seek to mitigate the risk of an unsuccessful case as far as it can, and so will stick to post-7 March 2016 facts (or hypothesis), thus avoiding additional legal and evidential complexity.

Two years to identify problems, investigate them and then bring a case is a tight timeframe indeed.

Further, although the regulators do not need to make a finding against a firm before making a finding against a senior manager, it will be far easier for them to succeed in a case against a manager where a firm has already settled the issue (or the firm has lost at Tribunal if settlement was not forthcoming). Again the timeframe is very tight if the poll result is proven to be correct.

Whether or not one agrees with the result of this survey, what it illustrates is that the industry holds the view that the Regulators will seek to take action against senior managers as soon as they realistically can. This sentiment shows that regulator messaging around individual accountability, and the intention to hold people to account, has been heard loud and clear by those in banks. This is borne out by conversations I have had with bankers and those who support them: people are worried.

3. Senior Manager cases – which type of firm will be hit first

The third and final question asked in the poll was perhaps the most instructive. The results were as follows:


66% of voters believe that the first SMCR case is likely to be against a small or medium-sized firm, rather than a large firm.

The inconvenient truth, both for the industry and regulators, is that it is undoubtedly far easier for a case to be successfully brought against an individual in a less complex organisation than it is to make a case stick against someone in a global firm with thousands of staff (unless it’s a lowly trader who has been engaged in borderline criminal activity – in which case they are fairly easy to pick off – although their desk heads and senior managers still slip through the net).

The figures on cases against individuals under the Approved Persons Regime also bear this out. An intention of the new SMCR is to address this imbalance. Whether the regulator succeeds in this remains to be seen. There may be a tension in the Enforcement division of the FCA, between a desire to execute Parliament’s intention in creating the new regime and to hold senior people in big firms to account, on the one hand, and on the other a motivation to bring a couple of speedy cases (quick wins) against managers in smaller firms to rapidly promulgate messages around individual accountability.

Looking ahead

What is clear from what Mark Steward has been saying recently is that the FCA expects to have more contested cases on its hands. Far from being a quiet year for Enforcement, 2017 may yet turn out to be one of the most significant in recent times – a period when post-crisis legislation around conduct and behaviour will be put to the test.

FCA Enforcement Head says firms must continue to up their game

By Jane Walshe

At a conference (Practising Law Institute Sixteenth Annual Institute of Securities Regulation in Europe) today Mark Steward, FCA Director of Enforcement and Financial Crime, made a number of comments on fines, conduct of financial services firms and the need for senior managers to take responsibility for their actions, and to exercise meaningful oversight of what goes on in their firms.

Mr Steward made the point that there is no policy intention towards fewer large fines. He said that financial penalties and sanctions need to fit the crime, taking into account all mitigating factors.

He also went on to say that what happens in the future in terms of enforcement activity and related fines depends on what happens in the market rather than any fad or change in approach by the FCA. The FCA will use the full range of its powers where misconduct is found.

Mr Steward also pointed out that the penalty must fit the crime, and that the measure of enforcement is not the aggregate level of fines. He said that enforcement is in the public interest and there are a number of elements to this: detecting misconduct as early as possible, investigating fairly, and ensuring justice for those affected by the consequences of misconduct.

Mr Steward said that the only protection against high fines is good conduct and the avoidance of misconduct that would otherwise justify those sanctions.

He concluded by saying that firms must continue to up their game and find ways to overcome the inherent reluctance to accept responsibility. Senior managers need observable evidence that they are thoughtful, apprehend the consequences of their actions, have a sense of duty and possess insight into what should be done, and have the compulsion to set about doing that right thing.