The reputation of the global banking industry took a severe hit during the Global Financial Crisis (GFC), with the widespread sale of risky residential mortgage-backed securities (MBS) and collateralised debt obligations (CDOs) leading to the collapse of several prominent Wall Street names and imposing significant costs on the entire banking industry.
With banks being forced to write down over USD 300 billion in MBS assets, many questioned what had caused the crisis to materialise and how future losses could be avoided. But the scandals continued. As a result, regulatory scrutiny intensified, with US and EU authorities alone handing out over USD 350 billion in fines on the largest 50 banks since 2009, a number we at Quinlan & Associates expect to top USD 400 billion by 2020.
The international regulatory framework has also been significantly strengthened since the GFC, underpinned by Basel III, the Dodd Frank Act, and MiFID II, as well as a host of local legislative provisions. To comply with these regulations, banks have invested heavily in their compliance and control functions, with compliance spend at many firms more than doubling since 2009. Investments have been made in additional headcount, technology enhancements, and the restructuring of risk and compliance departments.
It is widely recognised that the root cause of the GFC can be traced back to the banking industry’s high-risk, high-reward culture. Incentives focused on short-term gains, a tolerance towards unethical behaviour, and a lack of personal accountability appear to have driven excessive risk-taking across the financial industry. We estimate this “bad behaviour” has wiped off over USD 850 billion in profits for the top 50 global banks since the GFC in the form of write-downs, trading losses, fines, and additional compliance costs. If we also consider indirect impacts such as goodwill impairments, increased funding costs, reduced business activity from reputational damage and credit rating downgrades, and legal fees, this number is likely to exceed USD 1 trillion.
In response to heightened levels of regulatory scrutiny, leading banks have focused considerable attention on bolstering their “Three Lines of Defence”. However, actions taken to better manage risk since the GFC have mainly focused on lines two and three (i.e. risk and compliance, and internal audit). We believe many of these “remediation” investments have been made at the expense of achieving meaningful change at the business unit level (i.e. the first line of defence). And it is not weak compliance measures or audit capabilities that have been behind this USD 850 billion P&L hit; it is bad behaviour and the absence of an effective front-line risk mindset.
The current Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has found that 90% of financial advisers did not act in clients’ best interests, pointing to weaknesses in cultural norms across the industry. The ongoing criminal cartel case against Citigroup, Deutsche Bank, and ANZ in Australia further highlights a fundamental problem around employee behaviour. Repeating occurrences of unethical behaviour reinforce our view that the second and third lines of defence alone are not sufficient to support a meaningful change in individual attitudes towards risk and that more attention needs to be paid to the front line. However, and put very bluntly, the roll-out of mandatory online compliance training is never going to drive a fundamental shift in employee attitudes towards risk.
If banks are serious about avoiding future fines and losses, we believe the solution lies first and foremost in developing a robust risk culture across the entire organisation. Although many firms have undertaken a raft of measures to better manage their risks, most of these measures are remedial and rules-based in nature; in short, they seek to drive behavioural change through a fear of being caught, rather than engendering a more fundamental evolution in risk culture where employees do the right thing simply because it is the right thing to do. As a consequence, many working in the industry still maintain a ‘what can I do?’ mindset (i.e. rules-based behaviour) rather than a ‘what should I do?’ mentality (i.e. values-based behaviour).
We also acknowledge efforts by regulators in more recent years to enforce individual accountability, such as with the UK Financial Conduct Authority (FCA)’s Senior Manager Regime (SMR) as well as Hong Kong’s Manager in Charge (MIC) regime, which both came into effect in 2016. However, cultural change cannot simply be regulated into existence: a bank’s cultural identify must be created from within and reflect its organisational DNA, and we believe it is here that many institutions still have much to do.
In light of the recent Royal Commission in Australia, we believe the next wave of regulatory crackdowns will centre heavily on the cultural dynamics within individual organisations. While the concept of risk culture may seem “fluffy” and hard to quantify by many working in the industry, we believe banks can address upcoming regulatory probes in a very tangible way.
Effectively managing risk-taking will only be possible when the concepts of risk culture and conduct risk have been accurately defined. A clear and compelling “tone from the top” must be supplemented with adaptations to policies, systems, and processes across the entire organisation. We see individual ownership and accountability lying at the heart of an effective risk culture, which needs to be underpinned by appropriate governance structures, incentive mechanisms, and robust communication strategies.
We believe the most effective risk culture framework is one in which problems are addressed at their source: the first line of defence. Prevention, in our view, is always better than a cure. There is simply too much value at risk for such an approach to be ignored.
Benjamin Quinlan is the CEO & Managing Partner and Hugo Cheng is a Consultant at Quinlan & Associates, a strategy consulting firm specialising in financial services. Download a copy of the full report entitled Value At Risk from Quinlan & Associates, available here.