Chaos and confusion are a breeding ground for dishonesty, in financial markets as elsewhere. The market volatility sparked by the Covid pandemic and, latterly, by events in Ukraine has raised the alert level for internal fraud within banks and other financial institutions. Managers are now scrambling to reassess their risk controls as sanctions against Russia force firms to dump investments or extricate themselves from business deals.

“The minute Russia went into Ukraine and the sanctions started to kick in, I picked up the phone and asked whether we have people that feel pressure. All banks have some way of monitoring transactions, so my immediate question was, do these models need to be tweaked?” says a fraud head at a major investment bank.

Misconduct comes in various guises. A manager in a private bank may feel obliged to break sanctions to preserve a business relationship with a client that has invested in Russian oil and gas companies and now wants to get their money out. Or perhaps the client offers the manager a bribe to offload the positions.

Heightened volatility in markets can also lead traders to lose money and then break risk limits as they chase losses. This was the pattern of rogue trading by UBS’s Kweku Adoboli, which cost the bank $2.3 billion in 2011. Banks are already grappling with greater losses from fraud after Covid-induced changes in working practices increased their vulnerability to criminal acts.

Internal fraud often means trouble on three fronts for banks. They lose from the initial fraud, lose from reputational damage, and lose again when regulators hit them with hefty fines for lax controls. Internal fraud is now the second-largest category of operational risk loss for banks, accounting for 36% of losses in 2021, up from 18.9% in 2020, according to publicly reported data from ORX News.

During a conference call last month hosted by ORX with 70 of its participants from European and North American financial institutions, the conversation was dominated by concerns over monitoring of employees’ actions, particularly linked to turbulent markets. Since many companies have a multinational workforce, firms are looking to sharpen their controls over inappropriate access internally to networks.

“People are in the firefighting stage, making sure that they’re managing the right risks. A general heightened awareness of employee behaviour was raised,” says Steve Bishop, research and information director at ORX.

Financial regulators have tightened their focus on conduct risk, following prominent rate-rigging and mis-selling offences at institutions in previous years. The Federal Reserve Bank of New York’s Governance and Culture Reform initiative has three specific goals: to reduce incidences of misconduct; to promote healthier cultures within firms and across the industry; and to increase public trust in the financial services sector. The UK’s Financial Conduct Authority has a “5 Conduct Questions” programme, which it uses to assess large banks.

No go, Moscow

Many western governments have responded to the war in Ukraine by imposing sanctions against Russian companies and individuals. Action has included banning Russian banks from the Swift global payments system, freezing assets held abroad, and blacklisting hundreds of individuals with suspected links to the Russian executive.

In some cases, foreign banks were given a grace period to unwind exposures to proscribed entities. But most sanctions are effective immediately. At the time of publication, the US, UK and European Union are preparing a new round of financial and economic measures targeting Russia.

The speed and scale at which sanctions are being imposed have put bank compliance teams and risk managers under added pressure.

Firms are being inundated with changes, threats of changes … You’ve got to be thinking about what’s coming down the line tomorrow

Christian Hunt, consultant

“What we’re seeing [are] rapid responses driven by a political agenda. Firms are being inundated with changes, threats of changes. If you’re responsible for implementing that, you’ve got to be thinking about what’s coming down the line tomorrow,” says Christian Hunt, a consultant and a former managing director of behavioural science at UBS.

The consequences can be severe for banks that fail to observe sanctions. In the US, the Office of Foreign Assets Control, part of the Treasury department, can impose fines of up to $20 million and prison sentences of up to 30 years for sanctions breaches. Nor have financial regulators been reluctant to bare their teeth. In 2019, UniCredit and Standard Chartered were hit with fines of $1.3 billion and $950 million, respectively, for failings in sanctions compliance and anti-money laundering. Previous penalties for similar offences were $1.3 billion for Societe Generale in 2018; Credit Agricole’s $800 million in 2015; and the mammoth $8.9 billion that BNP Paribas paid in 2014.

In the UK, the Office of Financial Sanctions Implementation, the part of the Treasury that implements the Sanctions and Anti-Money Laundering Act, has broad powers to impose penalties should a sanctions breach occur. In cases where it is possible to estimate the value of the breach, the penalty is 50% of the estimated value or £1 million ($1.3 million), whichever is higher. In the EU, each member state is responsible for setting its own penalties for sanctions breaches.

Whys and wherefores

The threat of such punishments has forced banks to review their anti-money laundering and know-your-customer checks with respect to potential sanctions violations. An important part of this review, say experts, is to try and understand what causes individuals to act the way they do.

“You need to identify the key behavioural drivers to understand the root causes of breaches. When you have employee breaches, understanding what’s occurred and why, it’s typically always behavioural drivers,” says the head of conduct risk at a large bank.

There is a difference between conduct risk, as defined by financial supervisors, and behavioural risk. Conduct risk is focused on upholding conduct through formal mechanisms such as controls and standards to prevent market abuse, anticompetition and bribery. Behavioural risk management is focused on what people do within the context of a specific regulatory requirement.

Behavioural risk management teams look at more informal mechanisms that drive individual actions: decision-making, communication and learning. Their capability is rooted in behavioural science, which contrasts with the legal perspective around conduct risk. Behavioural risk management is carried out through interviews at the individual and group levels, surveys, and observing how groups of people make decisions and communicate during meetings.

Søren Andersen, chief risk officer at Nordea Asset Management, says managing behavioural risk requires understanding not only what drives individuals, but also the organisational context in which they work.

In a speech on March 22, New York Fed senior vice-president James Hennessy noted the increasing use of behavioural science to better understand human actions. “Thinking and decisions are driven by a multitude of inputs and motivations, some ‘rational’, some ‘irrational’, through both conscious and unconscious mental processes,” he said.

Another way of understanding the behavioural drivers of conduct risk is through a theory developed in the 1970s by criminologist Donald Cressey. He put forward the so-called fraud triangle: pressure, opportunity and rationality. In the context of internal fraud and sanctions breaches, pressure is the need to hit targets or meet sanctions. Opportunity is weak controls, or a change in processes. Rationality is the way that individuals justify misconduct: others are doing it, so why shouldn’t I?

Another insight of behavioural science is that humans are fundamentally social animals, which has important implications for the creation of norms within an organisation and expectations around conduct. “Our individual identity and actions are strongly influenced by our need to be a member of a group. We look to our group – usually those most immediate to us – for approval,” said Hennessy.

The regional chief risk officer at one large bank says what they fear most as they revise their control frameworks is inadvertently giving malicious actors privileged access – or the corrupting of employees by a hostile foreign entity by way of reprisal.

As well as reviewing controls and models, banks can also incentivise staff to follow guidance. In 2017, Citi amended its remuneration rules so that bankers who scored poorly in conduct assessments would receive lower bonuses. Previously, bonuses were contingent on an average score across various performance metrics.

Under pressure

The danger of losses from internal or external fraud echoes the early stages of the Covid pandemic, when banks feared that widespread remote working might increase the vulnerability of companies to cyber attack. Banks were also concerned that controls would be compromised if managers were not able to physically oversee staff.

An increase in volatility in financial markets in early 2020 stoked worries of misconduct among traders, too. The present uncertainty has led to similar warnings from op risk executives.

“Say, at month-end or quarter-end, you’re falling short on P&L, you need to make those numbers, and you’re feeling pressure. If left unchecked, people are motivated to look for opportunities to make money that might fail an ethical test,” says the head of conduct risk.

The dangers aren’t limited to the sell side, either. Asset managers have to factor in the effect of sanctions against Russian names as well as market disruption, says Andersen at Nordea: “In Covid, you would see portfolio managers worried about performance and meeting liquidity. Now, you worry about performance, but you have that extra layer of complexity about the legal implications of violating some rule.”

Dutch bank ING has ploughed extra resources into behavioural risk management, to help identify, assess and mitigate behavioural risks. The bank is only too aware of the cost of failings in this area. In 2018, ING paid €775 million ($845 million) to settle claims by the Dutch public prosecutor over anti-money laundering and terrorism financing mis-steps.

Mirea Raaijmakers, ING’s head of behavioural risk, says human behaviour is a driver of positive performance, “but it can also lead to actions that are undesirable”: “Within ING, we want to make sure that we keep track of how we behave and whether our behaviours are in sync with being a safe and compliant bank.”

Within ING, we want to make sure that we keep track of how we behave and whether our behaviours are in sync with being a safe and compliant bank

Mirea Raaijmakers, ING

Dutch peer ABN Amro has a team of 35 professionals staffing its conduct risk centre: behavioural scientists, criminologists, educational scientists and philosophers. The team investigates individual actions and decisions that are specific to ABN Amro, and how to address the causes of bad behaviour.

Wies Wagenaar, global head of the behaviour, ethics and learning centre at ABN Amro, says: “The core of behavioural risk is understanding why people make bad choices.”

ABN Amro has not been immune from its own bad choices. The bank was hit with a $500 million fine by US authorities in 2017 for a series of sanctions breaches in countries including Cuba, Libya, Iran and Sudan. Last year, it reached a €480 million settlement with the Dutch public prosecutor over anti-money laundering shortcomings.

“ABN Amro has a history of large fines for non-compliance, for making decisions to the detriment of our stakeholders, selling unsuitable products. Most of what the bank does is good, but we keep repeating the same mistakes. Context has a huge effect on the choices that we make. We need to understand what is helping and what is hampering,” says Wagenaar.

In response to the recent anti-money laundering investigation and fine, ABN Amro performed a root cause analysis. It found that the new client onboarding process was overly complex and prone to human error. ABN Amro had an 80-page anti-money laundering policy featuring a list of 223 risk-based questions that a banker needed to ask a client.

“We make it way too complex in the hardwiring of our organisation for people to understand what good looks like, what is the right thing to do. We didn’t have that human-centric and user-friendly design of our process,” says Wagenaar.

ABN Amro has responded by creating systems that simplify the process, says Wagenaar, clarifying what ‘good’ looks like, and instituting a culture where it’s OK to ask questions, and where it’s more important to make an informed decision than to be fast.

“It’s about the culture, but your culture always needs to be supported by a system. If we say something’s important, but our systems don’t reflect it, then you can have a great culture, but the behaviour will not be good,” she says.

Editing by Alex Krohn