Reputational costs are significant when conduct risk materializes. Aroon Kumar explains why this is particularly pertinent for banks, as they are uniquely reliant on the confidence and trust of their customers.
The events of the last two years and the associated disruption to how banks operated pre-pandemic have increased the risk of misconduct and compliance failure. This increase is driven by various factors, including the pressure on employees and management to meet financial targets and to contend with financial hardship and competitive threats. As a result, banks are beginning to recognize a new risk category: conduct risk.
Although lacking a widely accepted definition, conduct risk is generally understood to be the risk of inappropriate, unethical, or unlawful behavior on the part of an organization’s board, management, or employees. KPMG has partnered with social media analytics company, DataEQ, to analyze the key drivers of consumer satisfaction amongst major UAE retail banks, and ascertain whether they are meeting expectations of conduct and service. Consumers frequently complained about a lack of efficient support for their reported issues relating to business conduct, which included suspected fraud and incorrect information being received.
Public interest in conduct risk infringements is high, and failure to understand and mitigate conduct risk may expose banks to drastic regulatory action, fines, and reputational damage, which can harm their business for many years following the incident.
The risk of misconduct is tightly linked to an organization’s values and work culture, and the success of any business is linked to these aspects of behavior. In November 2020, the Central Bank of the UAE (CBUAE) issued the new Consumer Protection Regulation and Standards, aiming to protect consumers and contribute to the overall stability of the financial services industry by setting standards of business and market conduct.
Although these statements and regulatory developments are positive, most banks currently approach conduct risk management in a fragmented manner. Roles and responsibilities related to conduct risk across business units, senior management, control functions, and the board are unclear. Conduct risk is also generally not considered across all key areas and processes within an organization. Examples of such areas include the bank’s risk appetite, product development process, collection and recovery process, as well as the remediation and reporting of complaints and allegations.
The root of the matter
Understanding and addressing the drivers of conduct risk is essential in implementing appropriate mechanisms to mitigate the risks. While the starting point for this journey varies from one bank to another, there are three areas at the root of conduct risk:
- Inherent factors: characteristics intrinsic to financial markets and their participants, such as information asymmetries between banks and their customers
- Structures and behavior: the banking sector’s products and services have certain inherent potential conflicts of interest that could prevent markets from working as well as they could
- Environmental factors: macro-economic developments that can impact financial markets and, in turn, put pressure on employees, management and boards to deliver promises to shareholders
Even with a conduct risk framework already in place, most banks still focus largely on materialized risk, such as fines and losses, instead of developing forward-looking risk indicators, “yellow flags”, such as increased customer complaints by service, product, or location, missed training, excessive working hours, and high employee turnover. Indeed, according to KPMG and DataEQ’s social media analysis, almost two-thirds of all online conversation about the banks was noise for social customer service teams, hindering their ability to prioritize the mentions which did warrant a reply. As a result, core questions remain unanswered, such as when a product moves from suitable for a customer to unsuitable. Such tipping point analysis that defines acceptable and unacceptable behavior is rarely conducted.
Addressing the risk
Like credit, market, interest, and operational risk, it is vital to tackle conduct risk more explicitly and systematically, using a holistic framework. A conduct risk framework must be tailored to the needs of a bank, based on its structure, strategy, size, business model, and geographic reach, and consider both short- and long-term goals. The most successful frameworks are regularly subjected to board-level reviews that assess and challenge the framework. While a one-size-fits-all solution does not exist, at a minimum, a conduct risk framework should identify how conduct risk will be defined, incorporated in the risk appetite, and overseen across the bank. The framework should focus on ensuring acceptable behavior through training, remuneration and incentives.
Internal risk assessments of the business, its products and organizational setup, and external assessments of macroeconomic and regulatory developments and changing customer expectations, should form the basis for defining appropriate controls to manage conduct risk. Controls should include information barriers, whistleblowing and complaint management mechanisms as well as communications and personal dealing monitoring, amongst others.
In addition, there are several questions that management and boards should ask when developing a conduct risk management framework.
- Do the board and senior management understand their roles in managing conduct risk?
- Has the board considered conduct risk in the bank’s risk appetite statement?
- What support do employees receive to improve conduct in their business line or function?
- What proactive steps does the bank take to identify conduct risks in its business?
- Has the bank set appropriate conduct risk policies for board members and employees?
- How does the board monitor conduct at the board level and in the organization?
- How frequently is conduct risk on the agenda of the board or its committees?
- Has the board allocated responsibilities for managing conduct risk across all three lines of defense?
- How can a bank use existing or emerging technology to prevent or detect conduct risk?
The associated costs of building an effective conduct risk management framework should be seen as a long-term investment and a driver of business transformation, rather than a cost of compliance. A modern and well-designed framework is increasingly seen as a source of competitive advantage and an opportunity to facilitate long-term sustainable growth. By effectively managing conduct risk, banks can confidently grow, introduce new products, and innovate without worrying about unforeseen ethical, compliance and reputational failures.