The visible hand

ASIC’s Fashion Faux-Pas

Conduct risk is the hipster of the regulatory world. Whereas credit risk is solid and sensible and market risk is sharp-suited and dodgy, conduct risk harks back to gentler times, when traditional values were important. Hipsters are neat, serious, thoughtful, slightly retro and, importantly, fashionable. Conduct risk likewise looks to the past while being the latest fashion trend in regulation worldwide.

Conduct risk became a fashion as a result of the UK Parliament’s inquiry into the failure of the local banking sector. The inquiry’s final report, called Changing Banking for Good, highlighted that “the financial crisis, and multiple conduct failures, have exposed serious flaws in governance [of UK banks]”. And management were to blame:

“Those who should have been exercising supervisory or leadership roles benefited from an accountability firewall between themselves and individual misconduct, and demonstrated poor, perhaps deliberately poor, understanding of the front line”.

The UK inquiry called for a new criminal offence of “reckless misconduct in the management of a bank”, which was enacted into law in 2013. Recently, an obviously frustrated Greg Medcraft, head of ASIC, mooted a similar regime for Australia.

In the regulatory bloodbath that followed the failures of several UK banks, such as Halifax/Bank of Scotland (HBOS), and the obvious failure of the existing banking regulator, the FSA was replaced by the Financial Conduct Authority (FCA). The FCA is in many respects similar to ASIC, as some of the FSA’s prudential regulatory functions were hived off to a new Prudential Regulation Authority (PRA), which plays a role similar to APRA.

Although the FCA has (some say is burdened by) the word ‘conduct’ in its title, the regulator has famously refused to define the term ‘conduct risk’ instead saying that “you will know it when you see it”. However, a recent report found that some 81% of firms surveyed, including 26% of Systemically Important Financial Institutions (SIFIs), reported that they did NOT have a working definition of conduct risk. This means that a significant number of firms don’t appear to know conduct risk when they see it!

But ASIC is made of sterner stuff and recently unveiled a definition of conduct risk for the firms that it regulates as:

“The risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees”. [And went on] “Conduct risk can have significant ramifications for an organisation, its shareholders, clients, customers, counter-parties and the financial services industry”.

At this point, it is picky but necessary to point out that ASIC’s definition is not actually talking about conduct, but instead ‘misconduct’ which is described as “inappropriate, unethical or unlawful behaviour”. But, since the fashion is for conduct risk, we can let that pass.

This definition of conduct risk is incredibly broad. Everyone would agree that unlawful behaviour is misconduct, but the risk of unlawful activity has been formally monitored by compliance functions for many years. Few would dispute that ‘unethical’ activities pose a risk, if only to the reputation of a firm, but of course one man’s unethical activity is another’s successful business model.

For example, Cash Converters has recently settled a class action refunding some $23 million to 37,500 of its past clients. The settlement, related to charging rates of up to 633% on payday loans, would be considered unethical by many, but not all, in the financial industry. But what of Westpac, which is the only one of the Four Pillars to be deeply involved in the payday lending industry, as a major funder of Cash Converters? Would ASIC consider Westpac’s conduct to be unacceptable? Unfortunately, we don’t know as ASIC has not descended to that level of detail.

But ‘inappropriate’? Inappropriateness is definitely in the eye of the beholder and subject to the fashions of the day. For example, is it illegal for banks not to reduce their mortgage rates to borrowers in line with RBA rate reductions? Certainly not. Is it unethical? Possibly, if it results in windfall profits. Is it inappropriate? For first-time borrowers, yes, but for depositors, no.

The pronouncements of regulators are not just idle reflections, but demand real attention from the firms that are regulated. Regulated firms are required by law to take the directions of regulators seriously, though it is obvious that some firms may not be as compliant as they should be. Regulation imposes costs on firms and, while necessary, it is important that regulators are clear about what they wish regulated firms to do. Just as no definition at all (as in the case of the FCA) will cause firms to spend a lot of time and money second-guessing what a regulator wants, so an extremely broad definition will cause firms to waste time and money chasing an unattainable target.

But a more important question is raised by ASIC’s entry into this debate – should ASIC even be concerned with conduct risk or would that be better handled elsewhere?

Overseas experience has demonstrated that the major sources of misconduct are not small fry, but the largest financial institutions. The Conduct Cost Project, which originated at the London School of Economics, has just published its annual survey of conduct costs, which showed that 16 of the largest banks in the world, including NAB, incurred costs for misconduct of over £205 billion (roughly AU$400 billion) for the period 2011 to 2014. In other words, the biggest culprits as regards conduct risk are the biggest banks. In Australia, such banks are regulated by APRA for prudential (i.e. solvency) purposes.

On the face of it, a separation of regulatory function - conduct versus solvency - would appear to be reasonable, albeit inefficient for both the regulated and the regulator.

However, APRA already regulates misconduct by its regulated banks, insurance and superannuation companies in the management of so-called operational risk. For example, as part of Basel II, banks are required to identify and manage ‘internal fraud’, which would cover the ‘unlawful’ part of the ASIC definition of conduct risk. In addition, banks are required to identify ‘market manipulation’ and ‘improper trade/market practices’ which would cover, for example, mis-selling of banking products. These regulations fall under what is called People risk in Basel II.

After many years of hard work, which even now is not yet complete, banks and regulators have come to an understanding of what some types of misconduct mean and have worked on implementing processes to manage and report on misconduct. More importantly, there are now agreed processes for creating a so-called risk management framework for managing not just people but other operational risks. Not that the rules are perfect, as the Conduct Cost Project losses show, but at least there is a template for managing such risks, albeit that it needs to be improved and reinforced.

Now that ASIC is attempting to regulate conduct risk, which is a subset of operational risk, regulated firms, in particular the banking sector, will have to create duplicate compliance structures in order to manage what is essentially the same risk.

Just how different the ASIC approach will be for regulated firms is shown by the fact that ASIC has not approached conduct risk from a risk management perspective. Instead of employing a formal risk management process, such as ISO 31000, ASIC has suggested its own approach, known as the ‘3 Cs’ – Communication, Challenge and Complacency. While these 3Cs are important components of any risk management process, they are not sufficient and for example, do not identify the need to measure conduct risk nor to mitigate it in any meaningful way. In short, ASIC is starting out on a long, difficult journey that has already been travelled by APRA but without a road-map of where it wishes to go, other than a vague destination. Without such a road-map, ASIC and regulated firms will waste enormous time and money ending up in roughly the same place as APRA. For taxpayers, this is not a side-show, as the longer it takes to tackle banking misconduct, the more misconduct will go unpunished.

What to do?

One suggestion is to divide up the work. For example, while APRA is interested in the prudential aspects of conduct risk, in the form of capital charges, there is no reason why, in misconduct cases, APRA cannot share data and experience with ASIC so that ASIC can become the enforcement arm, in much the same way as the police and public prosecutor operate – one detects the crime and the other prosecutes. Regulators would be more efficient working in concert to detect and prosecute misconduct rather than duplicating their efforts.

Overseas experience has shown that only when regulators cooperate is serious misconduct punished. In the cases of fines for misconduct, such as for LIBOR and FX manipulation, it was the joint approach by transatlantic regulators that resulted in the largest fines being levied. And interestingly, it is when criminal prosecution authorities, such as the US Department of Justice, cooperated with regulators that banks really sat up and listened.

The role of, and rationale for, ASIC came under scrutiny in the recent Financial System Inquiry, headed by David Murray. While recognising that ASIC has an important role in financial regulation and generally does a good job despite insufficient funding, the inquiry noted that ASIC should be given a “new product intervention power” to ensure that financial products do not result in “significant detriment to consumers”. This recommendation is very specific, requiring ASIC to take a much bigger role in scrutinising financial products, and creates a classic consumer protection role in ensuring that financial products are fit for purpose.

Like other consumer protection regulation, such an approach would focus on detecting and redressing the damage caused by badly designed products rather than the process of creating and selling such products. By concentrating on the processes for developing financial products, which will be as varied as the many firms that create them, ASIC risks compromising its vital consumer protection role.

In order to be successful, Australian regulators must identify the roles in which they will be most effective, splitting up the task of prosecuting financial misconduct between them and leveraging their respective strengths, rather than trying to duplicate regulation.

And fashions, even in regulation, change. In the UK, Antony Jenkins, the patron saint of conduct risk, has just been unceremoniously dumped as CEO of Barclays Bank, ostensibly for concentrating on managing the bank’s toxic conduct rather than making profits. The conduct risk pendulum may already be beginning to swing back and the current fashion for piousness may be fading.