Conduct Risk Management: a Top Priority

By Wietske Jarvis-Blees, Thomson Reuters

SYDNEY: 23 July – Conduct risk has become the single biggest priority for boards and executives in Australia, and financial institutions will need to undertake an analysis to determine whether conduct within the organisation is of an appropriate standard.

It is not surprising to see conduct risk increasing on the list of priorities for executives of financial institutions, following a range of mis-selling scandals offshore and in Australia, the financial planning scandal at Commonwealth Financial Planning (CFPL) and ongoing investigations into interest rates and foreign exchange benchmark rigging, among other things.

According to Vivienne Tang, partner, governance and regulatory practice, at Deloitte in Melbourne, wholesale conduct risk and mis-selling risk have become the top priorities for board directors in 2014. Part of that, she said, has been driven by the UK’s Financial Conduct Authority, which is reviewing how organisations manage conduct risk, but it is also driven by domestic events.

"We can see conduct and misselling risk gaining momentum with the way that financial institutions operate in Australia. We know that this is already topical and front of mind at the larger banks. Our regulators are looking offshore for examples of what local authorities are doing in terms of supervising and enforcing standards to drive greater consumer protection from an Australian perspective," Tang said.

"Organisations will need to be prepared for this fact and begin thinking about how they are going to address the increased scrutiny around the quality of the products and services they deliver and how they will deliver them," Tang said. "This will be a challenge for many particularly with the need to prioritise multiple projects, increasing costs and the adequacy of resources in terms of capabilities and capacity," Tang added.



What is conduct risk



Conduct risk is a fairly new term in the risk management industry, but it is one that is gaining traction rapidly. At a basic level, it refers to risks attached to the way in which a firm, and its staff, conduct themselves. Although there is no official definition, it is generally agreed to incorporate matters such as how customers are treated, remuneration of staff and how firms deal with conflicts of interest. 

John Morgan, consultant at Allens in Sydney, said: "In essence, it is the risk that companies may be exposed to a loss of reputation, or may be exposed to claims being made against them, or alternatively that regulatory enquiries or investigations will be conducted, or even proceedings by regulators will be commenced, arising out of the conduct of people working for the organisation. This may include employees and outsourced service providers."

He said that, while many of the recent conduct risk issues in Australia had centred on financial planning, there were also cases where it concerned breaches in competition law and general consumer law, for example.

 "Conduct risk can apply to a whole range of cases, but it essentially comes down to the approach taken in organisations to the way in which their executives and employees conduct their business, and there are two sides to it. On the one hand, there is the question whether they conduct their business in compliance with legal requirements, so there is a compliance element to it, but there is also the wider issue of conducting their business in an ethical and socially responsible fashion," Morgan said. 



Causes of conduct risk events



Regardless of the sector in which misconduct occurs, a poor internal risk culture and breaches in compliance programmes are typically the root cause, while skewed incentive schemes can also frequently be found. This can be a particular problem where client engagement is outsourced and the lowest price is the key in appointing the service provider.

Morgan said that misconduct touched on a matrix of issues and was an important part of the wider enterprise risk management issues confronting an organisation. 

"It involves questions of culture; does the organisation have a culture which rewards good and compliant and ethical conduct, or does it have a culture that rewards just getting the sale?" he said.

Morgan said remuneration was another key driver of poor risk conduct. "If you are going to reward people by paying them a low base wage but high commissions on a sale, then clearly they are going to be incentivised to earn that commission and they might in those circumstances do it in ways which are either illegal or unethical in some way or another," he said. 

Professor Justin O'Brien, director of the Centre for Law, Markets and Regulation at UNSW Law and an Australian Research Council Future Fellow, said that far from being isolated cases, a number of recent misconduct cases, such as those relating to interest rate and foreign exchange benchmark rigging, had all the hallmarks of being systemic in nature.

"In the case of benchmarks such as LIBOR, what we have found is a fundamental failure of internal compliance programmes to ensure that the submitters were insulated from pressures from their own trading desks. These compliance programmes simply were not robust enough to guard against the corruption of key benchmarks, and this appears to be a systemic problem, where financial institutions have not taken their responsibilities seriously enough," O'Brien said.

Regulatory response

Certainly in the UK, the newly created Financial Conduct Authority has put conduct management at the top of its priorities. In Australia, the regulatory response has to date proven more muted, perhaps in part due to ongoing inquiries into the financial system and the performance of ASIC as a regulator that touch on similar issues.

While ASIC has handed out fines to BNP Paribas and UBS for attempts to manipulate the Australian Bank Bill Swap Rate (BBSW) and investigations are understood to be continuing, the regulator has recently come in for a barrage of criticism for its handling of the CFPL scandal. 

According to the Senate’s final report (PDF) into ASIC's performance, which was published late last month, between 2006 and 2010, a number of rogue advisers at CFPL had "deliberately neglected their duties and placed their personal interests far above the interests of their clients."

Despite a "grievous breach of duties" and "clear and persistent early warning signs of corporate wrongdoing or troubling trends that pose a risk to consumers", the Senate Committee found that ASIC was a "timid and hesitant regulator" that had placed reports of fraud in the "too hard basket". As a result, CFPL's misconduct escaped scrutiny and no one was held to account for a period of years.



That was then, this is now



Going forward, market participants expect to see an increased regulatory focus on misconduct cases, possibly reinforced by additional funding for ASIC and a stricter penalty regime, which is something ASIC chairman Greg Medcraft has called for for some time.

In a recent interview with the Centre for International Finance and Regulation (CIFR), Medcraft also said he expects to see a greater regulatory focus on culture. "One of the things I think we probably need to focus on a lot more is culture and governance... We haven’t really focused heavily on culture and governance...," Medcraft told the CIFR.

"Culture is actually what drives people to behave, and I think when we look at some of the issues that occurred, just analysing some of the root causes of the financial crisis, conflicts of interest, lack of skin in the game, most of that comes back to essentially the wrong culture in an organisation... Even if we look at things like what has happened with the manipulation of benchmarks, the LIBOR, the foreign exchange, in many banks it was just seen as 'that is just how you do things'... The culture was not right," Medcraft said. 

However, he added that regulators should not be relied upon to change the culture within organisations and that instead, that responsibility should fall on the company's management. "I don't think you regulate a change in culture, I think a change in culture has got to come from the top from the board and the chief executive officer," he said.

That is certainly the approach the Australian Prudential Regulation Authority (APRA) is taking with respect to the banking, insurance and superannuation industries. 

APRA's CPS 220 (PDF) prudential standard on risk management, which will come into force from January 2015, formalises the requirement for boards to ensure that a sound risk management culture is established and maintained throughout institutions. It stipulates that risk frameworks must be subject to internal and/or external audit reviews on an annual basis, and an annual risk management declaration must be submitted to APRA that is signed by both the chairperson of the board and the chairperson of the board risk committee.

Morgan said the standard will be legally binding on APRA-regulated entities and will put greater responsibility on the board for risk management. "Board directors will no longer be able to just delegate risk matters to the company’s management. CPS 220 will require the board to approve a risk management strategy, that includes conduct risk, and the board will have to make an attestation to APRA once each year as to compliance with the requirements," Morgan said. 

"I personally think that there is lots of law there. The penalties may need to be reviewed and some of the drafting fixed, but it would be a good idea if ASIC got onto the business of identifying and catching individuals who are responsible and actually bringing civil or criminal proceedings against them. Apart from banning orders, one wonders why ASIC has not brought criminal or other proceedings against the individual financial planners who apparently engaged in very poor conduct," said John Morgan. 

Deep-rooted problems



Professor Justin O'Brien said that the recent scandals were indicative of a systemic problem that had not been sufficiently addressed by recent regulatory initiatives, which had allowed deep-rooted problems to prevail. 

"The market conduct that we have seen in the aftermath of the crisis demonstrates very clearly how little has actually been learned from this crisis," O'Brien said. 

"What we have done is we have saved the banks, but we have highlighted profound deficiencies in the paradigm governing corporate governance and the paradigm governing the creation of safety nets to safeguard globally significant financial institutions, without dealing with the fundamental problem. That fundamental problem is that there is a cartel operating at the highest echelons of global finance. Not only do we have casino banking, we have a rigged casino at that," O'Brien said. 

"We have created all of these safety nets, but what if the institutions that we are protecting have through default allowed cartels to operate at the highest echelons of global finance? What we are actually doing is we are distracting attention away from the fact that what is actually going on, not just within individual institutions but between individual institutions, has the effect of actually legitimising, creating and maintaining a corrupted market place," O'Brien said. 

O'Brien said he was not convinced that there was any political will at the moment to address these problems in Australia. While the Senate Committee report into ASIC's performance had been highly critical, at a political level there were no further indications that subsequent inquiries would be conducted, with the government instead referring to Future of Financial Advice reforms as a remedy. Meanwhile, the Interim Senate Inquiry Report, released earlier this week, made little mention of conduct-related issues.



What companies can do to protect themselves 



Nevertheless, with a greater focus on misconduct, and all the reputational damage associated with it, organisations would be wise to review whether they are appropriately protected from misconduct risk.

Siva Navaratnam, partner at Deloitte in Melbourne, said that financial institutions should conduct a value chain analysis which included governance, procedures and controls to ensure that conduct risk was managed appropriately. In particular, he said financial institutions would need to have a clear view of culture and controls which could either support or threaten market integrity. 

"Institutions have got to look at information flows in their organisation, so where information comes in, where does it flow to, what decisions are being made by whom, do they have the right delegated authority and who else is checking that they have acted in the best interest of the customer?" Navaratnam said.

He said these types of value chain analyses could be difficult to implement, because individual stakeholders tended to focus on their individual priorities, with the trader focusing on the trading book, the sales staff focusing on commissions, and the customer focusing on the best price. Further complicating the situation, he said, was the fact that while organisational risk appetites might remain static, individual risk appetites, such as those related to meeting targets, could change depending on personal circumstances, for example around bonus time. 

"How do you actually detect that and how do you actually prevent that and how do you actually report that? I think [those are] the sort of questions that organisations should be asking," Navaratnam said. 

"The challenge would be to put in place a value chain assessment that says you are doing it in the best interest of all stakeholders, and there is no right or wrong answer. The reality is you just need checks and balances in place to actually ask the questions and then be able to respond to it in a defensible manner," Navaratnam said. 

Morgan said organisations should ensure remuneration structures were aligned with the overall culture of compliance that the organisation was looking to implement. "It is about aligning the culture and incentives, and making it clear through risk management and compliance programmes that there will be consequences if people don't comply with the particular requirements that the company has put in place," he said.

Morgan added that financial institutions needed to ensure they had the appropriate insurance arrangements in place, which could include professional indemnity cover, and directors' and officers' liability cover. 

O'Brien said that boards of directors needed to be more sceptical, and to ensure the compliance culture was applied throughout the organisation. 

"To what extent do boards of directors actually know what is going on in their institutions, to what extent they actually know what these products are and how they [are] sold and what purpose they have? What we are seeing all too often in many investigations around the world is that the boards of directors just simply didn't know. And secondly, compliance programmes should ensure the values of the company are lived and breathed throughout the organisation. If they are merely there to reduce the threat of litigation they are predestined to fail," O'Brien said.

This article was first published by the Regulatory Intelligence service of Thomson Reuters Accelus. Regulatory Intelligence (http://accelus.thomsonreuters.com) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.
