Amid Expanding Definitions and Growing Attention from Regulators, How to Make Conduct Risk Strategy Work

Widespread provision of mortgages to U.S. and European customers who couldn’t afford them and selling of the securities backed by those loans to institutional investors worldwide were the underlying causes of the 2008 financial crisis. U.K. banks’ pervasive sales of Payment Protection Insurance (PPI) to millions of consumers who didn’t need it became one of the biggest financial scandals in that country. Traders at more than a dozen major banks around the world colluding with each other to manipulate the most commonly used interest rate has brought the demise of that benchmark, the London interbank offered rate.

U.S. and European banks ended up paying more than $200 billion in fines for the various types of misconduct. They also face post-2008 regulations and regulators – such as the Financial Conduct Authority (FCA) in the U.K. and the Consumer Financial Protection Bureau (CFPB) in the U.S. – aimed at policing their behavior more closely to prevent such lapses in the future. Financial services firms have also beefed up their internal control systems to do a better job at self-policing. Today all major U.S. banks have programs aimed at preventing unfair, deceptive, or abusive acts and practices (UDAAP). Less than a decade ago, none of them had such a program, as the concept didn’t even exist. Many firms have created chief conduct officer roles within their organisational structures.

Conduct risk can be analysed in two general categories as it relates to the banking industry. Wholesale banking’s potential misconduct can involve rogue traders, conflicts of interest between investment banking and research, mis-selling complicated securities or derivatives and rate-fixing among others. Retail banking’s misconduct includes the likes of subprime mortgages and PPI, but also not doing enough to help clients experiencing financial difficulty or are vulnerable for nonfinancial reasons such as mental health.

While the U.K.’s FCA oversees both wholesale and retail conduct of financial institutions, in the European Union different regulators handle the two categories. The European Securities and Markets Authority, the European Central Bank and the European Banking Authority share the responsibility for wholesale banking conduct, but consumer protection is dispersed among national regulators and doesn’t have a central authority. An EU-wide regulation governs the coordination of national regulators on consumer protection, and the European Commission can alert them when violations may be harming consumers in many jurisdictions.

In the U.S., it’s just as fragmented. The Securities and Exchange Commission (SEC) and the Commodities Futures Trade Commission generally police the conduct of securities market players, and the CFPB focuses on the offering of consumer products. Yet the lines are not clear-cut, and prudential regulators also monitor conduct risk as part of their role to supervise the safety and soundness of financial institutions.

Firms should build a solid conduct risk framework to help them monitor external and internal needs and ensure open communication, visible oversight and transparent measurement.

A successful framework needs to rest on strong governance, defined appetite and a positive culture as its main pillars. Strong governance involves conduct policy design, senior management accountability, staff training and stakeholder monitoring. Defined appetite is about an effective definition, well articulated and aligned to operational tolerances of the business. Positive culture encompasses performance and incentive structures, cultural assessments of business units as well as monitoring and measuring behavior.

To make those pillars work, financial firms need to use integrated data and information, defined tools and techniques, and common processes. Integrated data means forward-looking information and analytics within and across life cycles. Defined tools would provide supporting applications and technology for the risk management and compliance management frameworks. Common process would include risk assessment, controls assurance, incident management, and reporting and monitoring.

A solid integration of the conduct risk program into the rest of the organisation’s strategy and operations will also ensure success. Integration needs to look at the different life cycles – business, employee, customer and product – to align strategy to be consistent throughout those lifecycles. Supply chain management and channel management are also important in the integration process.

Vulnerable customers

The COVID-19 pandemic has heightened the public’s and the regulators’ attention to financial institutions’ treatment of customers in financial straits as millions of people became unemployed when economic activity slowed down worldwide due to lockdowns and many people struggled to pay bills, housing and credit card payments. The term vulnerable customers, which originated in the U.K., has become common in the U.S. and the rest of Europe in referring to retail banking clients in possible financial difficulty. The FCA’s latest survey on financial resilience found that the pandemic pushed an additional 3.5 million adults to become vulnerable – or unable to stand financial shocks. That means over half of U.K. adults are now classified as vulnerable, which the FCA has warned the country’s banks to pay special attention to.

The FCA updated its guidance on how financial firms should deal with vulnerable customers in February 2021, expanding the definition of the term. Now the definition extends beyond financial difficulty into health issues (physical and mental), life events (bereavement, divorce, getting laid off) and capability (financial literacy). These circumstances can push people into financial difficulty, so being attuned to these issues can help the banks’ responses to be timelier and more effective.

In the U.S., the CFPB, under new leadership, will likely be more energised to focus on vulnerable customers in retail banking as well. Rohit Chopra, who was confirmed as the head of CFPB on October 1, 2021, was present when the Bureau was founded as directed by the Dodd-Frank Act of 2010. He has also been a close adviser to Senator Elizabeth Warren, who originated the idea of forming the agency and has been a vocal critic of banks in how they treat their customers in all areas. Chopra has said his first focus will be the financial impact of the pandemic on people.

Regulators initially were worried about how conduct risk was incorporated into the banks’ general risk management frameworks. But recently they have shifted their focus from internal controls, systems and procedures to outcomes for the customer. Regulators worldwide are demanding that banks prevent bad outcomes for their customers, especially vulnerable ones. That’s where the role of data and its power to alert to such outcomes become crucial for the firms in how they can satisfy their regulators’ ask on the subject. But in addition to analysing data, firms need to train their staff to identify vulnerabilities and to record them correctly.

Hot topics keep the spotlight on conduct risk

There is no one-size-fits-all definition for conduct risk. Firms need to define it themselves because the regulators haven’t. Some firms are seizing on the opportunities presented by areas such as environmental, social and governmental (ESG) issues to use conduct risk to talk about a firm’s purpose and sustainability in a broader way than ever before. And as regulators’ attention is shifting to outcomes, their definitions are also expanding. More and more hot topics such as ESG and diversity, equity and inclusion (DEI) are becoming part of conduct risk. The pressure on financial firms to heed ESG and DEI concerns is coming not just from regulators but also from their customers and the public at large. Younger people are more attuned to the needs of society and the environment, and are expecting their banks, brokers and money managers to also pay attention. Customers expect companies to behave a certain way when it comes to these areas and they’ll take their business elsewhere if they’re unsatisfied with that behavior.

Meanwhile regulators are catching up, too. Europe has been ahead in the game somewhat, having codified many ESG-related disclosures and requirements for financial firms already. The EU’s anti-greenwashing rules narrowed the definition of what counts as ESG-compliant investments, which forced the region’s asset managers to lower the amount they could report as ESG assets by $2 trillion in 2020. In the U.S., the SEC has moved to expand disclosure requirements related to ESG for publicly traded companies while the Federal Reserve Board and other banking regulators are working on frameworks for analysing climate risk for their supervised entities.

DEI plays into the firms’ responsibility for providing all segments of society equal access to their products and services. U.S. regulators have recently announced their intention to revise the 1977 Community Reinvestment Act, which makes sure banks lend to underserved communities and has been an important consideration for conduct risk. While they have to provide access to underserved clients, banks also have to make sure the products and services are appropriate for such groups. Financial firms have to weigh suitability and affordability of their products for their retail customers, especially when it comes to vulnerable customers.

One of those areas where suitability and affordability might have to be considered more carefully is Buy Now Pay Later (BNPL), a relatively new product in developed markets popularised during the COVID-19 pandemic. Offering zero-interest installment plans for purchasing most common merchandise, BNPL has been expanding rapidly in developed markets in the last few years, after having been around in emerging markets much longer. Fintech firms’ technological ease of use for consumers has contributed to the speedy growth of BNPL; so has consumers stuck indoors during the pandemic doing more of their shopping online. While fintech firms have mostly skipped suitability or affordability analyses of their customers while making what’s essentially unsecured credit available to wide swaths of society, regulators are worried about consumers taking on too much debt. The U.K.’s FCA has already indicated its intentions to regulate BNPL. The CFPB is likely to follow in the U.S.

How to improve conduct risk management

As regulators and the public have paid more attention to financial firms’ conduct, customer vulnerability risen and the definitions of conduct widened, the importance of a strong conduct risk framework has grown. The next step for firms is to figure out how they can use the huge volumes of data they have in their possession to help them predict potential bad behavior and identify vulnerable customers in order to be proactive after decades of being reactive.

“Data is where we can find the transformation of the programs,” Will Ellis, senior director of conduct risk at Ally Bank, said during a September 2021 webinar titled From Hindsight to Insight – Transforming Your Culture and Conduct Risk Programs. “They’ve been very qualitative, now we should try to get quantitative. The data is all there. It’s just not connected.” Ellis’s bank has looked at case studies of other firms – within the industry but also outside – to identify conditions that lead to misconduct so that it can monitor the data for such conditions. Studying the British banks’ PPI scandal, Ellis and his colleagues didn’t ask if it would ever happen in the U.S., but rather how it might happen in their own backyard, and they used the probable conditions to set up alerts for potential misconduct.

Financial and nonfinancial firms are increasingly looking to utilise data, statistical analysis, and advanced analytics, such as artificial intelligence (AI) and machine learning (ML), to identify potential misconduct concerns and behavioral risks. Data-driven analytics are an extremely powerful tool for identifying both isolated and systemic conduct-related problems through exploration of large, disparate sets of data. For example, to catch potential misconduct in retail banking, firms can look at the proportion of non-compliant sales identified through compliance monitoring, and the proportion of customers who complain about mis-sold products. Firms can also analyse outliers in their customer data to identify higher-risk sales, such as certain types of investment products sold to certain customer segments, such as elderly clients, or look for mismatches between declared risk appetites and investment products marketed.

A holistic approach to misconduct surveillance requires multidimensional analysis of disparate data in all its forms (structured and unstructured) and across multiple sources (external, internal and third party). The transactional dimension could involve scrutiny of financial metrics, transactions analysis and market analysis. The communications dimension would likely cover many forms and media of exchange, including emails, social media, chats, phone conversations, text messages and documents shared. The behavioral dimension would look at peer-group relations, activity, and even emotion and sentiment analysis.

For example, when monitoring a trader on the capital-markets side of the business, data would be collected on the trader’s risk limit breaches, volume trade amendments, counterparty disputes, portfolio valuation (fluctuations in mark-to-market values), email communication patterns, digital fingerprint in social media, unusual system and physical access, emotional deviation and more. Algorithms incorporating advanced data science methods would be used to comb through all this data to detect potential anomalies or patterns that might suggest misconduct.

Next-generation conduct risk analysis would also add AI and ML to the data analysis to provide additional intelligence and insight augmentation. The AI systems can be fed data from historical instances of misconduct, inside or outside the firm, to help set up criteria and alerts for human monitors (surveillance officers) to focus on specific individuals or behaviors.

But let’s not forget that culture is as important as all the analytical tools used. To be effective, companies’ conduct risk strategies have to be based on a culture that puts customers first and pays close attention to their needs, as well as their vulnerabilities. And that culture has to emanate from the top of the organisation, with leadership providing the moral compass to the rest of the staff, according to Ally Bank’s Ellis.

“Culture is what attracts and retains your employees, your customers and potential investors as well,” Ellis said. “If you take care of your employees, they’ll take care of your customers, who will take care of your bottom line.”