Now More than Ever: The Need for Reliable Conduct Risk Metrics

The demands being imposed on the global banking system highlight the Achilles Heel of nonfinancial risk management and, particularly, misconduct risk, says Stephen Scott at Starling.

On 19 February, the S&P 500 reported its quickest-ever retreat into a bear market. In a related story, the Financial Times produced a chart depicting this fall against other historical events. It is telling: this retreat was faster even than that during the Great Depression. The present contraction reflects the speed with which economic events can spread, contagion-like, in our inextricably linked global economy.

Banks are of course deeply caught up in current events.  As the Wall Street Journal put it aptly, “banks can’t do social distancing.” Central banks seeking to forestall economic crisis will look to the banking sector to help pump much-needed liquidity into markets, and to help assure that those monies reach small businesses and perhaps even households.

The intermediary role of banks has long been their key social function, and we will rely on them playing this role especially well in the coming months. Banks have thus launched a coordinated global effort to win a relaxation of regulatory burdens, including those targeting compliance-related risks such as misconduct.

A Tale of Two Minds

Strong banks will be needed to “buffer the virus crisis,” the Australian Financial Review has argued.  Bank regulators are expected to support the banks in this, of course, which implies of necessity a backing away from regulatory “heavy-handedness.” Australian bank regulators have been called upon to “spare the lash” that had been wielded with gusto following a series of bank misconduct scandals catalogued by the Hayne Royal Commission. The Reserve Bank of New Zealand, which had stepped up its focus on misconduct risk following recent events in Australia, is now expected to delay regulatory initiatives so as to ease the burden on firms.

Bank restructurings – so vitally needed in Europe most particularly – are now to be put on hold. Late last year, Banco Santander Chairman Ana Botín observed that bankers remain distrusted around the world, more than a decade after the financial crisis, and suggested that this in part explains current political populism. Botín is understandably sensitive to the public mood across the Americas and Europe. Chile, one of Santander’s largest markets, has been torn by the worst protests and riots seen in decades, disrupting supply chains and prompting military curfews – all before the coronavirus hit and European bank shares plummeted by some 40%.

Thus, as the health crisis represented by the coronavirus outbreak spreads, we are beginning to see a global financial sector that seems to be struggling with two minds. On the one hand, we must rely on our financial sector institutions as perhaps never before. On the other hand, an all-too-recent history of misconduct scandals suggests that we may not be able to trust in banks to do the right thing. So, even as the US Federal Reserve looks to extend lending to banks, the fractured nature of the US regulatory system is such that federal regulators are contemplating how best to ease bank rules even while their key state counterparts are seeking to gain greater control over the firms that operate in their jurisdictions.

Putting the “A” in GCRA

As has been the case for much of the past two years, Australia will likely be the petri dish within which these competing priorities play out most visibly over the coming months, as the Reserve Bank floods the Australian market with AUD $150 billion in cheap cash – the largest stimulus in the country’s history. Meanwhile, a new Banking Code of Practice, developed by the Australian Bankers Association in close consultation with ASIC, went live just two weeks ago.

The Code gives professional standards of conduct the force of law, provides safeguards and protections not currently set out in the law and, in some areas, it sets higher standards than those that do appear in the law.  The appointment of former Government Solicitor Ian Govey to Chairmanship of the Banking Code Compliance Committee promises meaningful oversight to help ensure that banks implement the new Code as promised.

ASIC’s October 2019 Corporate Governance Taskforce review of non‑financial risk management found “boards were grappling with important elements of the management and oversight of non-financial risk.” A year on from the Royal Commission, the Australian Institute of Company Directors (AICD) is deeply considering several related challenges, perhaps chief among them: “how to provide ongoing cultural stewardship while retaining the distinction between the board and management.” In an era of individual accountability, such questions take on added heft.

As APRA continues to struggle in its efforts to launch a new data collection system, it has also just announced that it will allow firms to dip into reserves in order to increase lending.  This makes all the more important a 29 November 2019 MOU between APRA and ASIC, announcing joint efforts to achieve more timely and effective supervision, coordinated investigations and enforcement actions, and greater cooperation between the two agencies on policy matters and developing their internal capabilities.

In a February 2020 update of its enforcement activities, ASIC reports that it has had 316 investigations ongoing in the six months running from September 2019. These address a range of misconduct issues and collectively represent a 52% increase in enforcement investigations (Jan 2019 – Jan 2020) involving leading Australian firms CBA, NAB, Westpac, and ANZ: that is, the very same firms now working with the Morrison government to craft a business rescue package to address the economic consequences of the current global pandemic.

In a February speech to the AICD, APRA Deputy Chair Helen Rowell observed, “At their heart, many of the problems identified through the Royal Commission and subsequently were the result of failures in governance and culture.” She went on to emphasize the importance of accountability in addressing such failures – the “A” in GCRA – governance, culture, remuneration and accountability.

The starting point for any discussion on accountability must be a recognition of two central principles that underpin APRA’s approach to this issue. The first is that boards are ultimately responsible – and therefore accountable – for the performance of their companies, executives and employees, and the outcomes they deliver to consumers. The second is that APRA is responsible for holding entities, including boards and senior managers, to account for meeting their prudential obligations, and we are accountable for making sure we use the tools and new powers we have to do just that.

A Tale of Three Lines

Such sentiments lie behind the Three Lines of Defense (3LoD) nonfinancial risk management framework. “Governing bodies and senior management are the primary stakeholders served by the ‘lines,’ and they are the parties best positioned to help ensure that the Three Lines of Defense model is reflected in the organization’s risk management and control processes,” writes the Institute of Internal Auditors (IIA).  Though the long-established industry standard model, the 3LoD has observably failed to produce desired outcomes, and it is riddled with complexity, coordination challenges and, often, internally opposing imperatives.

A principal problem with the 3LoD is that it is based on the idea that the company org chart reflects accurately how people operate in practice. By failing to focus instead on “the company behind the chart,” the 3LoD produces false comfort, immense frustration, and huge cost.

In recent years, regulators have emphasised individual liability when risk management failures take place. Australia’s bank regulators have taken stock of what has been learned through the industry’s implementation of the Bank Executives Accountability Regime (BEAR), and have signaled their intent to replace that with a new framework – the Financial Accountability Regime (FAR) – before the end of this year. APRA’s Rowell notes that many Australian firms struggled when implementing the BEAR, focusing more on the number of accountable persons than on the appropriateness of those included as such.

This reflects the “company behind the chart” problem, and Rowell appears to appreciate this.  Highlighting the principles-based nature of the framework, she said institutions should seek to meet the requirements of the FAR in a way “that reflects the understanding of senior executives and directors of how accountability should work in practice within their organisation.”

Restoring Faith

Rowell also observed that entities were more likely to face challenges implementing BEAR requirements when they engaged consultants to do so for them. The onus is thus on firms themselves to develop new approaches. Observing that, outside Australia, some have begun to explore the viability of promising regtech solutions in this context, a Select Committee has been convened by the Australian Senate and tasked with exploring how Financial Technology and Regulatory Technology may benefit the country. To date, the Committee has received over 140 submissions from interested parties – ourselves and several other regtech firms among them.

“Boards cannot afford to ignore the oversight of non-financial risks,” ASIC’s Corporate Governance Taskforce warns. “Given clear evidence that existing frameworks have been driving poor outcomes for consumers, and also entities themselves,” remarked APRA’s Rowell, “the status quo is not an option.” That appears to be understood in Australian boardrooms. However, as the AICD notes, “the heart of the problem for boards is agreeing with management the kinds of indicators, particularly leading, that point to areas of weakness.”

Addressing the “heart of the problem” has perhaps never been so important. The demands imposed on the global banking system by the current crisis highlight the Achilles Heel of nonfinancial risk management and, particularly, misconduct risk. If we fail to address this now, a spate of scandals will inevitably erupt post-crisis, robbing the financial industry of what little public trust remains to it, and deepening discontent with capitalism itself. On the flip side, if banks do the right things now, they have a unique opportunity to restore faith with society.

Stephen Scott is founder and CEO of US-based RegTech firm Starling.
