Banks take various approaches to tackling conduct risk

Definitions, reporting lines, frameworks and metrics vary among major banks, research shows

Conduct keyboard
Key action: evaluating conduct risk starts with establishing a useful definition

  • Amid continuing pressure from regulators, banks have become more preoccupied with conduct risk in recent years. This is particularly the case among UK firms.
  • The annual reports of 16 large banks reveal they use various definitions of conduct risk and organise their attempts to deal with conduct threats differently.
  • Firms disagree about whether conduct risk should have its own separate risk framework and on the extent to which conduct overlaps operational risk.
  • Banks are working to identify metrics they can use to monitor conduct exposures, though some consultants and practitioners are sceptical about this.
  • For instance, Deutsche Bank has built an in-house conduct risk tool that takes all of the data from its global supervisory systems to spot anomalies.

The global financial crisis may have been eight years ago, but the world's largest banks still face immense pressure from regulators to improve their conduct.

Having uncovered manipulation in the foreign exchange market, global supervisors are planning to finalise and implement a code of conduct for the market in May 2017. More broadly, the Madrid-based International Organization of Securities Commissions says it is working to establish a task force of global regulators to scrutinise and set standards for conduct across all financial markets. And in the UK, several new rules relating to conduct, including the Senior Managers Regime, are due to be introduced on March 7.

Even today, the costs are high for firms that get it wrong. Twenty-five of the largest European and US banks have received combined fines and litigation costs of $260 billion since 2009, said Morgan Stanley analysts in an August 2015 report. They estimated these costs would rise by a further $65 billion by the end of 2017. Figures from the UK Financial Conduct Authority (FCA) show the country's banks have paid out £22.2 billion ($32.2 billion) since January 2011 for the mis-selling of payment protection insurance alone.

Chris Van Homrigh, senior executive leader for investment banks at the Australian Securities & Investments Commission (Asic), believes conduct is among the biggest risks faced by major financial institutions today.

"Every bank will tell you they're a client-focused organisation, but what does that mean?" he asks. "For me, it's about sustainable revenue streams and long-term value for shareholders. You want this client today, tomorrow and into the future. What's the biggest threat to that? Essentially, your reputation. What's the biggest threat to your reputation? It's poor conduct."

Since the Libor and forex manipulation scandals, Asic has been among the regulators pushing banks to do more to improve their behaviour (see box Conduct risk: a regulator's view). Research by shows many of the world's largest banks have responded to these demands – including by hiring heads of conduct, putting conduct risk frameworks in place, and citing conduct and culture more frequently in their annual reports. However, there are still critical differences in the way they define, organise and manage this type of risk.

Defining differences

The first noticeable difference in the way banks approach conduct risk is in the definition they use. looked at a group of 16 large banks based in Europe and the US, and found 11 published a definition of conduct risk in their 2014 annual reports – the latest available at the time of writing. Those descriptions are important for setting the direction of firms' conduct risk frameworks, say practitioners, and often form the basis for training programmes to teach employees how conduct relates to their individual activities.

Most of the definitions used by banks attempted to incorporate the impact of poor behaviour on clients, the market and the firm. In some cases, the effect on employees was also included.

In its 2014 annual report, for example, Barclays defined conduct risk as "detriment caused to our customers, clients, counterparties, or the bank and its employees through inappropriate judgement in execution of business activities".

In contrast, Citi adopted a slightly lengthier definition: "Conduct risk is the risk that Citi's employees or agents may – intentionally or through negligence – harm customers, clients, or the integrity of the markets, and thereby the integrity of the firm. Conduct risk is not limited to specific businesses or functions, but rather spans all conduct and behaviour at the firm."

The differences in the way banks define conduct risk are mirrored by similar discrepancies among regulators. The European Banking Authority has defined conduct risk as: "The current or prospective risk of losses to an institution arising from an inappropriate supply of financial services, including cases of wilful or negligent misconduct."

But the FCA, a conduct regulator, says it would rather not define conduct risk. "Conduct risks are idiosyncratic," says an FCA spokesperson. "It will always turn on the circumstances of a firm, their operations and activities. Firms need to make a judgement about the conduct risks they face and how they might mitigate these."

In general, banks are reluctant to talk about their treatment of conduct risk, but their annual reports show they have become more preoccupied with the subject in recent years. Use of the term 'conduct risk' has risen most noticeably at UK firms such as Lloyds Banking Group, Royal Bank of Scotland (RBS) and Santander UK (see figure 1).


Barclays did not mention conduct risk in its 2011 annual report, for instance, but the term was mentioned 97 times in 2014. If references to culture and cultural change in the right context are added to this, the combined number of citations balloons from four to 161 during that time frame.

Santander UK's 2011 annual report contained eight combined mentions of conduct risk, culture and cultural change. In 2014, however, these phrases were together mentioned a whopping 104 times, and a section reviewing the "top risks" facing the bank placed conduct risk second – above credit and operational risk. The report also pointed to conduct risk as an "emerging and future risk" for 2015.

An increasing emphasis on culture and conduct was also found at European and US banks, but references to conduct risk were more muted. UBS only cited the term six times in its 2014 annual report whereas culture was mentioned 69 times. This is an increase on 2011, when culture was only mentioned on 15 occasions.

In total, French and US banks made noticeably fewer references to conduct, culture and cultural change between 2011 and 2014 than their peers elsewhere. The firm with the lowest number of combined citations was Societe Generale, with nine mentions. At the opposite end of the scale was RBS, topping the charts with 350 citations (see figure 2). Neither bank was able to put anyone forward for an interview with


"It's not surprising UK banks have a bigger focus on conduct and culture at the moment," says Brian Gregory, London-based vice-president for non-financial risk and governance, risk and compliance at Wolters Kluwer Financial Services. "They have received huge fines for misconduct over the past few years."

Tone from the top

Banks' divergent treatment of conduct-related issues starts at the top. At least 11 of the 16 major banks analysed were found to have board or senior-level committees with a mandate that includes conduct. At some firms those committees are explicitly focused on conduct, while others place it alongside responsibility for ethics, regulatory issues, audits and examinations, or product approval, for example.

Increasingly, banks are installing specific frameworks for conduct risk. Among those analysed, 10 mentioned the existence of this in their annual reports (see table). Meanwhile, JP Morgan launched a culture and conduct risk programme for Europe, the Middle East and Africa in 2014. The scheme looks specifically at culture, conduct risk assessment, mitigation, metrics and training, and has now been implemented on a global basis. Barclays began a firm-wide conduct risk programme in 2013, while Morgan Stanley launched a similar one in 2014.



At least eight of the 16 major banks employed a senior member of staff in a conduct-related role. The titles of such positions vary: HSBC created the post of 'global head of conduct' in 2015, for instance, while RBS appointed a 'chief conduct and regulatory affairs officer' two years earlier.

Where should responsibility lie for conduct risk? On this question, banks have different answers. Some are reluctant to create what they see as another risk management silo. At JP Morgan, for example, responsibility for the design of the conduct risk framework lies with the regulatory strategy team, which has a remit to initiate or advise on projects with a strategic regulatory importance to the bank. Implementation of this framework is led by the senior leaders of each business.

The FCA says its regulations do not require banks to have a head of conduct, but it supports firms managing conduct risk in this way. "In some firms it might be appropriate for this to lead to explicit roles and responsibilities, in others not," a spokesperson said.

How conduct and operational risk fit together is another bone of contention. One director of regulatory strategy at a major bank says conduct issues should be embedded in banks' existing op risk frameworks and not isolated as a separate risk. "You want to have a complete view of your operational risk framework. But if you have too many risk assessment templates – one for [anti-money laundering], one for conduct risk, one for compliance – people running a business are required to look at outputs from lots of different frameworks, and there is a risk they will get out of date or inconsistent with each other," he says.

UBS appointed its global head of conduct risk, Tim Hudson, in 2014. He says the Swiss bank aims to capture conduct risk as part of its broader framework for op risk. "All operational risks, including conduct, conflicts of interest and suitability, are captured within the operational risk framework," he says. "For each of those we score them across five dimensions: financial risk, regulatory risk, reputational risk, and then impact on markets, and impact on clients. So we've built the assessment of conduct risk into every one of the taxonomies."

We expect the reporting and the selection of metrics to continue to evolve over time, as will the client and market impact of conduct risk
Tim Hudson, UBS

But Toby Billington, global head of wholesale conduct and risk culture at Deutsche Bank in London, says he would "sooner rather not" align conduct solely with operational risk, particularly when it comes to reporting. If conduct risk is included in this, "then it just becomes non-financial risk reporting", he says. "There is a real danger in that, because if you are saying that conduct is about human behaviour, it can be a financial or a non-financial risk."

Regardless of where conduct risk sits within their organisation, most banks have sought to identify their exposure by carrying out risk assessments.

Deutsche Bank held a series of workshops with senior stakeholders from each business line in 2015 to discuss "what was keeping them up at night", says Billington. The bank highlighted more than 100 issues, which were consolidated into eight high-level issues and sub-divided into an extensive amount of work.

"Last year was largely about making sure we not only understand what our biggest risks are, but making sure we actually validated those globally," he explains.

As with other banks, Deutsche Bank found that while board-level executives had a good understanding of the conduct risk issues facing the firm, differences arose in terms of what that actually meant for each business line.

Both UBS and another major bank spoke to organised similar internal sessions. Once senior management had developed a list of conduct risks – including different types of market abuse and personal misconduct across all business lines – each business head then went away to examine which of the risks existed in their business, evaluate existing controls and identify where the highest risks or gaps were. They then reported their findings back, helping to form a firm-wide framework.

Hudson describes UBS's conduct risk framework in terms of the 'three lines of defence' model, in which frontline managers comprise the first line, and independent risk management and audit functions make up the second and third lines, respectively.

"In the second line of defence, we will set the expectations and then check the first line are executing appropriately," he says. "The second line will also own some of the responsibilities: for example, the co-ordination and initial production of metrics and reports."

Tim HudsonTim Hudson

Hudson is reticent about UBS's framework on conduct risk, but says it comprises several work streams, one of which is devoted to governance and another focused on reporting. The governance work stream is designed to ensure conduct is on the agenda and considered appropriately by relevant governance bodies within the bank, he explains. When it comes to the reporting work stream, the goal is to come up with tangible metrics and measurements the bank can use.

"We expect the reporting and the selection of metrics to continue to evolve over time, as will the client and market impact of conduct risk," he says.

Measure for measure

Narrowing down the metrics banks can use to measure their conduct risk can be challenging. Regulators face similar obstacles in trying to quantify – and capitalise – conduct risk (see box The capital challenge).

Hudson says UBS is looking at metrics related to employee behaviour, product suitability, conflicts of interest and market conduct. But, more generally, there are a wide variety of measures banks are using to assess their exposures.

"There is a whole series of metrics now that banks can use to identify – that they can prove to the FCA they are dealing with their customers fairly," says Gregory at Wolters Kluwer. "If you look at it from an operational risk perspective, the banks know or should be able to identify a series of bad outcomes if they undertake a process or a transaction incorrectly."

For example, if the conduct risk identified was mortgage mis-selling, banks could look at indicators such as the number of customers cancelling in the first three months, the amount of bad debt on their books, or how and where the product was sold, says Gregory.

Ideally, such metrics should be reported internally in a way that allows potential problems to be clearly flagged and dealt with, say practitioners. For instance, Billington says Deutsche Bank has built an in-house tool that takes all of the data from its global supervisory systems to spot anomalies. "I can look at that globally and at everybody in the entire wholesale bank," he notes.

If any geographic region is an outlier according to these metrics, Billington and his colleagues can click through and identify the individuals or products involved. The eventual goal is for this to be run by an algorithm, which would flag up any such anomalies automatically. However, just carrying out enquiries on a weekly basis would put most banks in a better position than they were in the past, when bad behaviour was found to go on for months or even years, he says.

There is a whole series of metrics now that banks can use to identify – that they can prove to the FCA they are dealing with their customers fairly
Brian Gregory, Wolters Kluwer Financial Services

Some practitioners and consultants are sceptical about how far banks can go with the use of metrics. Some place a greater emphasis on 'softer' controls, such as ensuring all employees are fully aware of the consequences of poor conduct.

Roger Miles, managing director for behavioural risk at US consultancy Berkeley Research Group, describes econometric measures as an "unhelpful" way of approaching behavioural risk, because these tend to ignore biases and the tribal nature of employees. If banks are attempting to effect behavioural changes, he thinks the focus should be on educating employees how to make better decisions.

Hudson at UBS agrees there needs to be a balance between econometric and less tangible, more subjective measures. "It's very difficult to capture some of the conduct risk elements just through metrics, so you really need that qualitative assessment as well."

Banks say conduct reports to senior management and the board usually include both quantitative and qualitative measures, such as customer surveys of products and services that include conduct issues, as well as information from human resources such as statistics on training programmes and examinations. Many banks are also introducing culture metrics for employees – tracking figures on staff turnover, disciplinary events and client feedback – and sharing these with supervisors.

Those metrics aren't necessarily new, but, historically, many of the data points would have been looked at in different areas of risk management, says the director of regulatory strategy.

"You would have had to pull it all together expressly for the purpose of forming a view on culture," the director says. "Now we're looking at the same data, but through a different lens, and there are more tools going into the business to help the conduct risk data set."

Conduct risk: a regulator's view

One regulator that has homed in on conduct issues in recent years is the Australian Securities & Investments Commission (Asic).

"I would say conduct risk has been around since financial institutions opened their doors," says Chris Van Homrigh, Asic's senior executive leader for investment banks in Sydney. "It's always been there, but it's now developing a language of its own."

In December 2013, Asic sent out a questionnaire to 21 investment banks – including firms based in Asia, Europe and North America – to determine their appetite, attitude and approach to conduct risk.

The regulator asked them to provide information on: their performance and remuneration frameworks; disciplinary processes; material risk-takers within their organisation; governance and supervisory frameworks; and the alignment of business strategies with their conduct risk strategy. Responses were then reviewed and compared against best practice, and areas requiring further consideration were fed back to the banks.

The exercise uncovered some interesting results, says Van Homrigh. "One of the early observations we saw was that of the institutions surveyed, only seven appeared to have their conduct risk strategy aligned with their business strategy," he says. "Yet if you ask any bank whether their credit risk strategy is aligned with their business strategy, or their market risk strategy is aligned with their business strategy, they would totally be in sync."

Another area where banks fell short was on 'tone from the top' – the ethical atmosphere created by messages from the company's board and senior management. In April 2014, the Basel-based Financial Stability Board identified this as one of several key indicators of a bank's risk culture, along with accountability, incentives, communication channels and the ability of lower-level employees to challenge decisions made by those more senior.

Asic shared its observations with other global regulators, such as the Hong Kong Securities and Futures Commission, the US Securities and Exchange Commission and the Bank of England, which considered them as part of its work on the UK Fair and Effective Markets Review.

When it comes to ongoing supervision, Asic looks at what Van Homrigh calls "the three Cs" – effective communication, encouraging challenge and guarding against complacency. Now it has formed an idea of what constitutes best practice and held discussions with banks on the improvements they need to make, the regulator is spending more time examining their frameworks and looking at specific controls.

"What we're doing now is looking at how these organisations influence their culture by detecting and understanding the key drivers of poor behaviour and good behaviour," he says. "It's about trying to lift standards without imposing additional regulation."

The capital challenge

Regulators are eager to ensure banks hold sufficient capital against the risks inherent in their business. On this level, consultants say conduct risk is harder to deal with than other risks, such as market or credit.

The Bank of England Prudential Regulatory Authority (PRA) places conduct risk in the loss event category of 'clients, products and business practices', one of several defined by the Basel Committee on Banking Supervision.

The PRA issued a document last July outlining the internal methodology it will use to calculate a Pillar 2A capital add-on for conduct risk events. Although it is driven predominately by supervisory judgement, the charge is quantified with the help of data submitted by banks. That data includes each firm's biggest conduct loss over the past five years and the level of expected annual loss for conduct risk, as well as behaviour-related scenario assessments for potential exposures over a five-year horizon.

The Pillar 2A charge only applies to firms that are not using the advanced measurement approach – the own-models approach to calculating operational risk capital used by more sophisticated banks.

David Kenmir, UK-based co-lead for conduct and culture in the financial services risk and regulation practice at consultancy PwC, says it is tough to accurately calculate a capital charge for conduct risk.

Where banks have taken specific provisions against losses, such as those associated with the mis-selling of payment protection insurance, banks can easily put their finger on worst-case exposures – making them a "known-known", says Kenmir. In contrast, each time a new product is designed or a bank begins operating in a new market, an inherent conduct risk is created. "What you can't do is say how much it is going to crystallise and how much it could cost you at a future date to deal with whatever the matter is. That's an unknown-unknown," he says.

But Brian Gregory, vice-president for non-financial risk and governance, risk and compliance at Wolters Kluwer Financial Services in London, believes that putting a number on conduct risk should be no more difficult than quantifying op risk in general.

"Both of these are quite tricky things to do," he notes. "[But] if you keep conduct risk to treating customers fairly, you should have a clear understanding of what might be the consequences of failing to do one or more of these interactions appropriately."

In some cases, regulators are now asking banks to assess their potential exposure to conduct losses as part of their supervisory stress tests. For instance, the Bank of England incorporated the impact of high misconduct costs and fines in its 2015 stress tests, the results of which were published last October. Following a recommendation from the European Systemic Risk Board, the European Banking Authority also announced in November 2015 that it would ask banks to calculate the potential cost of misconduct during its tests of the largest European banks.

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here:

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: