The New Normal: Conduct Risk & Personal Accountability

 Increasingly, leaders along all Three Lines of Defence are being held personally accountable for misconduct that takes place on their watch, says Stephen Scott at Starling.

On 30 April, Starling released its 3rd annual Compendium, a report on global regulatory activities aimed at promoting improved culture and conduct in the banking sector. In this, the first in a series of articles written in collaboration with Regulation Asia, Starling outlines some of the key takeaways from its 2020 report.

Last year, Starling and Regulation Asia shared the findings from earlier issues of Starling’s Compendium, covering topics that ranged from the UK’s leadership role in driving the global supervisory agenda around conduct and culture and post-Royal Commission developments in Australia, to Hong Kong’s ecosystem approach and Singapore’s push to address culture and conduct issues.

Starling’s annual Compendium series has traced the evolution in thought regarding the supervision and governance of conduct risk among bank regulators and industry leaders, worldwide. As in previous years, clear trends have emerged, as reflected in the Key Takeaways found in this year’s report:

  • CEO turnover – Misconduct was a principal driver of CEO turnover in the last year, which saw far higher than usual CEO churn. The banking sector saw the resignation or removal of CEOs at Westpac and NAB in Australia, HSBC in the UK, Credit Suisse in Europe, and Wells Fargo in the US; all firms that had suffered from prominent misconduct challenges.
  • Personal liability – The last year has seen a continued emphasis on individual accountability and personal liability schemes in several jurisdictions, often modelled on the UK’s Senior Managers & Certification Regime. In the US, the OCC assessed several ex-Wells Fargo senior executives with multimillion-dollar fines in one of the most pronounced examples of personal liability seen to date.
  • Anticipating outcomes – Regulatory efforts around culture and conduct risk have become grounded in an overt concern for customer outcomes. This prioritisation has been at the fore in much public commentary regarding related supervisory priorities and initiatives. With this, we have seen greater emphasis on the need for leading indicators of harm that might permit proactive interventions.

Last year was a record year for CEO turnover in the US, and across many industry sectors, with over 1,600 CEOs having left their roles. In dozens of instances, this was driven by allegations of misconduct. This builds on a trend observed in 2018, when 17.5 percent of CEOs among the world’s top 2,500 firms either chose to step down or were forced out. For the first time, PwC then reported, “more CEOs were dismissed for ethical lapses than for financial performance or board struggles.”

Culture and conduct management challenges featured in many industries over the last year. McDonald’s was beset by legal claims stemming from alleged sexual harassment “and the company culture that enables it.” After deadly crashes of its 737 MAX aircraft, Boeing posted its first full-year loss since 1997. Preliminary US Congressional committee findings indicated that a “culture of concealment” drove efforts to hide safety problems that led to the loss of life. Meanwhile, after a bribery scheme came to light, European rival Airbus faced EUR 3.6 billion in fines and penalties levied by regulators in France, the UK and the US. In Australia, a Royal Commission into Aged Care Quality and Safety detailed appalling cases of elder abuse. A “culture of apathy” was blamed. And the UK’s accountancy industry was rocked after investigative journalists reported on a “culture of fear” that prohibited employees from speaking out about rampant abusive behavior.

Three lines of conduct accountability

It would be gratuitously easy to add to this list of examples. Yet many firms continue to view culture as a “soft concern”, and relegate related responsibilities to HR staff whose toolkit typically emphasises staples such as personality testing (which critics liken to “office astrology”) or the perennial engagement survey (the metaphorical equivalent of an organisational “mood-ring”). But, after a decade of persistent misconduct scandals, culture and conduct risk management responsibilities in the banking sector have shifted away from HR to risk and compliance staff, working across the industry-standard Three Lines of Defence (3LoD) risk management model.

Per this model, the First Line is established among those responsible for leading a particular business unit. The Second Line includes risk and compliance staff, meant to provide guidance to First Line risk managers and to challenge the business to drive improved risk management. The Third Line is set among the firm’s audit function, which is meant to assure that appropriate efforts are taking place along the First and Second Lines. Increasingly, senior management along all three lines are being held accountable, on a personal basis, for misconduct that takes place on their watch. Whether such executives were aware of the misconduct is largely immaterial where supervisors feel that such executives should have been so, or where it appears that they made insufficient investment in tools that permit sufficient visibility into the drivers of such risk.

The most pronounced example of individual liability enforced in the last year was seen in the US. In the wake of the false accounts scandal at Wells Fargo, the US Office of the Comptroller of the Currency (OCC) charged eight former Wells Fargo executives (First and Second line) with a cumulative USD 59 million in personal fines. Former CEO John Stumpf was banned from the industry for life. In explaining its actions, the OCC said that Stumpf had “failed to respond to numerous warning signs,” and had thus allowed the firm to suffer “catastrophic reputational damage.”

This illustration represents a summary of the current state of affairs. Boards and senior management are often blind to cultural drivers of behaviour within their organisations. This makes it a challenge to swing the risk management sword with adequate precision. As an inevitable consequence, misconduct takes place, resulting in poor customer outcomes. Typically, the risk of such misconduct is discovered only after the fact, leaving individual executives with personal liability exposure.

Summarising current regulatory priorities in this context, UK Financial Conduct Authority (FCA) CEO Chris Woolard offered this view in Starling’s report:

Senior managers and Boards should embed healthy cultures, which will lead to better outcomes for consumers and markets, which are also good for businesses and employees. Senior managers should be clear about what they are accountable for and should be thinking about what their accountability means in practice, including how they will embed a healthy culture in the firms that they run.

An absence of evidence is not evidence of absence

Such views were echoed by other contributors to Starling’s report. “For Singapore to continue thriving as a regional financial centre, it is paramount for the banking industry to operate with the highest standards of culture and conduct,” writes DBS CEO Shee Tse Koon, Chairman of the Culture and Conduct Steering Group established by the Association of Banks in Singapore (ABS). “Banking is built on the foundation of trust,” adds OCBC Group CEO and ABS Chairman Samuel Tsien. “This journey to strengthen culture and conduct requires a collective effort across departments, banks and the industry.”

Regulators, investors and firms themselves have a common interest in superior risk metrics by which to gauge the ‘soft risks’ that a firm’s cultural propensities may represent. Neither the HR manager’s toolkit nor standard risk and compliance processes have thus far permitted the development of reliable leading indicators of culture and conduct risk. And an absence of evidence regarding culture or conduct concerns will no longer be accepted as evidence of their absence. With the threat of personal liability exposure, First- and Second-line leaders must be equipped with metrics that allow them to evidence the absence of culture and conduct risks and, where such risk is found, metrics that facilitate proactive risk mitigation.

Writing in his capacity as chairman of ORX, the industry association of operational risk managers, Starling advisor Mark Cooke and ORX Executive Director Simon Wills argue in Starling’s 2020 Compendium that risk managers must adopt “a far more dynamic and embedded approach, one that works proactively to prevent failure as part of ongoing operations, and not as some bolted on after-thought.” Former head of enterprise data analytics for Singapore sovereign fund GIC and Starling advisor Siew Kai Choy writes, “We need new governance tools; ideally tools that provide leading indicators of trouble rather than systems that merely record problematic events for subsequent forensic inquiry.”

RegTech firms have begun to bring such tools to market, and some bank regulators now actively promote the trialing of such tools among the firms they oversee. As the Hong Kong Monetary Authority (HKMA) argues in Starling’s report, “the time is right for closer collaboration among the banking industry, the technology community, and the HKMA to further facilitate the adoption of Regtech in Hong Kong.” It adds that the HKMA is actively developing “a Regtech promotion roadmap” and notes that it will explore “a number of Regtech-related initiatives over the next few years.”

Heightened regulatory sensitivity to culture and conduct risk, especially when coupled with liability exposure at the individual level for responsible executives along the Three Lines, implies a need to explore new tools and approaches to risk identification, assessment, and mitigation. Simply doing ‘more of the same’ will not suffice. Going forward, where firms or risk leaders opt to double down on past failed approaches, this may well work to increase their personal liability risk among regulators grown impatient with ‘mere compliance.’

Such is the ‘new normal’.

A full copy of Starling’s Compendium is available here.

Stephen Scott is a risk management expert and CEO of US-based RegTech firm Starling. Last year, Starling was one of only eight firms to pass the initial screening to begin cross-border testing under the GFIN (Global Financial Innovation Network).
