Over the last few years, the cost of conduct has increased significantly. While there is no clear definition or management framework in place, some companies have taken it head-on and defined approaches that can be adopted by similar firms across geographies.
Over the last few years, the cost of misconduct has increased significantly. The most notable has been the payment protection insurance (PPI) scandal that has already cost banks more than £18 billion* in fines in the U.K. Scandals such as this affect not only the bank's financial stability but also its reputation, brand value, and customer confidence. The U.K. financial regulator, the Financial Conduct Authority (FCA), intervenes and imposes penalties where it sees unacceptable risk to the fair treatment of customers. According to the FCA, senior management must drive conduct risk mitigation and emphasize a culture of keeping consumers "at heart of business." The FCA recently said it will impose a deadline for making new PPI complaints and is launching a consumer communications campaign to raise awareness of the PPI issue and the deadline.
The increased level of scrutiny is not just a U.K. phenomenon. Around the world, regulators are taking measures to protect banking customers from unethical or unlawful practices. Asia Pacific regulators like those in Singapore (Monetary Authority of Singapore) and Australia (Australian Securities and Investments Commission) are introducing strict parameters to ensure responsible lending and insurance practices; and the Consumer Financial Protection Bureau (CFPB) of the U.S. is laying down new rules and stricter monitoring against malpractice in areas such as fair lending, mortgage servicing, insurance, debt collection, and the sale of ancillary products in connection with credit cards. While in the U.S., the Dodd-Frank Act focuses on internal business conduct requirements through a robust compliance and risk policy and external business conduct requirements (onboarding and pre-trade measures), the Market Abuse Directive contains provisions on insider information and market manipulation and the Financial Industry Regulatory Authority (FINRA) focuses on assessment of suitability of products for customers.
In addition to imposing fines, regulators have also introduced frameworks to monitor how banks and financial services organizations manage conduct risks and related exposures.
Apart from the regulatory pressures, customer satisfaction is also driving banks and financial organizations to look at conduct risk as an important area to monitor and control. Hence, organizations worldwide have created strategies and internal standards to ensure fair treatment of customers in order to meet regulatory requirements and achieve strategic competitive advantage by driving customer loyalty.
Given the continued issues around having an effective conduct risk culture, many organizations have introduced or are launching best practices to manage conduct risks. The principles and frameworks defined for managing enterprise or operational risks, based on checklists, processes, controls, and a code of conduct, should also be applicable to conduct risks. However, the length and breadth of conduct risks and their applicability vary from one organization to another, forcing organizations to look at enterprise-specific frameworks to manage these risks. Some organizations consider incentives and punishments related to behavior as part of the framework too.
To effectively manage conduct risks, one needs to understand the entry points of these risks in the product design, sales, and customer engagement value chain.
Risk identification is key for the success of any conduct risk management program. The risks may come from various channels including sales, product design, customer service, mortgage servicing, and debt collection. Once the risks are identified and documented, assessment methodologies have to be defined to evaluate these risks in a controlled manner. Aligning conduct risk appetite with strategic decision-making processes helps ensure that all business decisions are made in the best interests of consumers while meeting all required regulations. Conduct risk is included as a component when setting risk appetite, limit tolerance setting and cascading to business units.
There should be a flexible framework to define an organization’s appetite with established key metrics including key risk indicators, key control indicators, and key performance indicators for conduct risks. To ensure transparency, conduct risks should be factored into the business strategy, while risk appetites and key metrics should be aligned with the decision-making processes and corresponding risks and controls. Examples of key metrics are customer satisfaction score, tracking transparency and advice in the sales process, post-sales servicing and issue resolution, and know-your-customer cadence failures.
Once conduct risks are assessed, appropriate controls need to be defined and evaluated for their effectiveness in a timely manner. In order to identify, monitor, and mitigate conduct risks effectively, organizations would need to define controls proactively and measure the effectiveness and adequacy of these controls periodically.
Issues should not be limited to control deficiencies alone but should be reported from any area such as customer complaint, product design, sale of a financial product, etc. Issues need to be recorded and routed through a systematic investigation and remediation process along with automated alerts for tracking issues and action plans throughout their lifecycle.
Organizations need to have an integrated and streamlined approach to record, investigate, and remediate customer and internal complaints about a firm's or employee's conduct. Complaints can be captured through risk assessment surveys, phone calls, emails, or online portals, and addressed in the same way as an issue.
Surveys and questionnaires are widely used to assess employee behavior with customers, identify any underlying issues, and assess compliance with the regulations.
Besides these, tracking performance metrics, targets, compensation, and reward is also a key part of the framework. Supporting this with metrics and conduct risk reporting and analysis that inform senior management, enabling them to provide the necessary oversight and evidence, is also a key requirement.
Some banking and financial organizations have been proactively managing conduct risks with the help of technology and tone-at-the-top approaches.
The following are some stories of companies managing conduct risks:
In South-East Asia, the regulatory landscape of the life insurance industry is changing in response to initiatives proposed by the Monetary Authority of Singapore (MAS) under the Financial Advisory Industry Review (FAIR). Targeted at modifying the way life insurance products are advertised and traded, the FAIR proposals recommend a Balanced Scorecard (BSC) framework for the remuneration of financial advisors. The BSC framework is targeted at promoting good behavior by encouraging advisors to meet “non-sales” KPIs such as providing quality advice and suitable recommendations to customers.
With the help of technology, the company streamlined and automated its performance review process and regulatory reporting on a periodic basis. The exercise also helped the organization motivate its financial advisors to provide quality information and appropriate recommendations to customers. The organization ensured compliance with FAIR's BSC framework proposal by reviewing and assessing the performance of financial advisors based on "non-sales" KPIs, and by generating reports for relevant stakeholders. Measurement methods included post-transaction checks, mystery shopping exercises, and infractions arising from complaints.
Pre-built and customizable reports enabled the organization to create an internal information matrix, which provided a proactive capability to track conduct-related issues, linked conduct to quantifiable parameters, provided visibility to executive management, and reported externally to the regulator.
The bank was finding it difficult to identify and assess employee conduct-related risks. With the help of technology, the bank used its existing Risk Management framework to identify and manage risks that are associated with employee conduct and affect end customers. The Risk and Control Self-Assessment capabilities were used for assessing and reporting such risks on a periodic basis and linking them to the performance evaluation of employees. The technology also enabled the bank to identify ownership for conduct risk in the organization, draw up the necessary policies, and take the necessary steps for such actions. The automated workflow enabled the bank to move logically through the conduct risk management lifecycle.
The organization was having difficulty identifying risks related to supplier conduct. It leveraged technology to automate surveys to identify supplier conduct risks. Surveys were conducted for agents to measure conduct risk by checking the number of escalations, exceptions, exemptions, query response time, and customer complaints. While the centralized repository enabled the organization to store, automate, and manage surveys, the aggregation mechanism enabled it to report on exceptions, issues, and conduct-related risks in a timely manner.