In Search of Banks’ Moral Compass
In Search of Banks’ Moral Compass – How are Bankers Acting When Nobody is Looking?
Looking beyond regulations towards cultural reform: how can conduct and culture be operationalised, measured and regulated?
Risk management in private banking is undergoing a metamorphosis. Urgent regulatory reform deadlines are pushing banks in Asia to look toward cultural reforms. While some regard a «Culture and Conduct» framework as key to sustainable growth, others may see it as a mere box ticking exercise. How can culture and conduct be regulated going forward and what is the impact of setting up a framework? In this article, we examine the current risk culture maturity landscape in Asia and explore implementation best practices.
Private banks in Asia required to take action
Within the banking industry, numerous scandals due to misbehaviour have proven that misconduct is not an isolated or fading issue(e.g. Julius Baer tax fraud case in 2008, HSBC money laundering case in 2015, Panama Papers in 2016, BSI and Falcon Bank in 1MDB-related case in 2016, etc.). As a result, stricter actions have been taken in both Europe (MiFID II) and Asia to mitigate risks. For example, banks have seen an increased focus on Customer Due Diligence (CDD) and Know Your Customer (KYC) checks for transparency during client onboarding.
«The collective impact of these failures has been a complete erosion of ethical standards»
While regulators are highlighting the importance of strengthening banks’ AML framework1, they have also come to realize the importance of implementing the right governance, supervision and oversight framework. This is where having the right risk culture comes into play.
Risk culture is a collection of beliefs and suppositions of how people should and should not act. It is something that evolves constantly can be both visible and covert. Having the right risk culture shapes the assumptions employees make about their risk appetites, values, responsibilities, etc. and these assumptions manifest themselves in the overall conduct of the bank.
Regulators worldwide have recently pushed banks to address their culture and conduct issues, with International Monetary Fund (IMF) highlighting that the problem of «poor culture» has become systemic in the financial sector. In Asia, both the Monetary Authority of Singapore (MAS) and the Hong Kong Monetary Authority (HKMA) have increased pressure on private
banks to shift from a compliant risk culture towards an embedded one ( see Fig. 1).
MAS’s regulatory perspective on this topic stresses the «importance of culture as a key driver of conduct». HKMA has further released a Bank Culture Reform Circular on 2nd March 2017 and gave banks one year to implement the new requirements. The regulator expects banksto:
- Establish sound governance structures with a clear tone from the top;
- Develop tools to measure and monitor staff and department adherence to the set cultural standards;
- Realign their incentives systems to look beyond financial gain.
Since March 2018, private banks operating in Hong Kong may expect closer scrutiny from regulators to evaluate their reform efforts, measures and impact. These requirements are a first step towards defining the minimum requirements for Hong Kong and HKMA may eventually require all banks to implement a predefined «one-size-fits-all» framework. For instance, Europe has already implemented a single supervisory mechanism, the Supervisory Review and Evaluation Process (SREP), which takes a risk-based approach to assessing banking supervision while upholding all banks to the same standards.
In a research report by CCP (Conduct Costs Project Research Foundation)2 done on conduct, culture and people, it was stated that the cost of poor conduct for 20 global banking groups from 2012-2016 was 264 billion GBP, an increase of 32% when compared to the period from 2008-2012.
Regulators are urging banks to perform a self-evaluation by addressing questions around risk culture (see Figure 2). The key message from regulators is to uphold to high standards of ethics and integrity.
Players in both Singapore and Hong Kong are now compelled to weigh profitability against sustainability and clients’ best interests. Private banks’ senior management will need to apply the right tone to reinforce and cascade the message downwards, while ensuring sufficient governance in risk controls, policies, processes, responsibilities and supervisory oversight. Clear roles and individual accountability are expected to be established, as well as sound recruitment and training practices.
Regulators want private banks to not only penalize poor behavior, but to also reward good risk behavior. Private banks are now expected to establish tools, metrics and data to measure and assess their gaps and progress. Eventually, institutions may be able to use the records to predict unethical behavior and allow for a more proactive risk management approach.
How change-ready are private banks?
Our industry expertise shows that several banks in Asia are still relying on legislation to shape their culture and conduct frameworks. While this ensures compliance, it means many are falling behind their more mature counterparts. Currently in Asia, the majority of players are still in the development stage of establishing a risk culture framework, with an emphasis on conduct and supervisory related issues.
According to our research, only two institutions have adopted a thematic review approach where risk is considered and measured holistically throughout their business activities, roles and responsibilities.
Conduct training and awareness campaigns seem to top the charts as the most popular initiatives adopted by private banks. While campaigns require a lower initial investment, they are not likely to instill long-term results when compared to full-fledged frameworks. There are institutions further along their risk culture reforms, already leveraging on both metrics and tools.
Some of these banks have even gone a step further to customer feedback collection, and others are measuring their employees and management on preset supervisory data points. Only three private banks have reported having data measurement practices in place with the readiness to use predictive behavioral analytics and data-driven incentive programs.
While many banks have started defining clear roles and responsibilities, a strong culture of personal accountability is often still under development. Observing industry trends, this topic will continue to be a key agenda for the regulators in the coming year. MAS has recently published guidelines3 on reinforcing financial institutions’ responsibilities on senior manager accountability, strengthening employee oversight, and promoting desired conduct among all employees. Singaporean players can expect the guidelines to be put in force in Q4 2018.
To summarize, private banks in Asia are facing two key challenges; identifying gaps in their current risk culture setup and/or setting up the right risk framework. We observed that just because measures have been put in place, they do not necessarily work well. For example, having a weak first line of defense with a strong remuneration focus will still cause misalignment.
Finally,it is important to consider the risks that any new framework will invariably bring. As counter intuitive as it sounds to discuss the risks of a framework whose sole purpose is to minimize risks, survey results of more mature players revealed that frameworks can cause unwanted consequences. For example, how can banks prevent a culture of fear when they increase personal accountability?
How can abuse of the system be predicted and prevented? Some senior managers reported that certain employees had teamed up to protect each other’s interests and even resorted to whistle- blowing in order to «cover their own tracks».
Framework implementation – best practices
Measure, benchmark, diagnose
Our research shows that several banks in Asia are only starting to manage their risk culture. They often benefit from structured tools and maturity rating scales to benchmark their existing risk framework against best practices. Questionnaires, interviews, group workshops and existing data from the bank can be used for the diagnosis. The assessment can also measure how well the bank’s current risk culture supports the corporate values and strategy.
A standardized risk culture framework (see Figure 3) can be used to rate the bank on various relevant topics, such as their «Tone from the Top», «Organization & Responsibility», «Recruitment & Training», «Risk Management», and «Risk Control». These ratings can be further benchmarked against market best practices in a Risk Culture Maturity Matrix (see Figure 4) to determine the overall level of maturity. Such exercises have been shown to uncover gaps and give recommendations on the shape and form of the implementation roadmap.
Setting the right tone and rewarding positive risk behavior
It all starts with the tone from the top. Senior management needs to support cultural reform by defining a target and seeing it through. Many banks may have recognized bottom-up signals that there may be something wrong with morals, ethics, or attitude, but struggle to systemically measure and act on them.
For senior management to be heard, the risk culture message for (un)desirable behavior needs to be communicated consistently and effectively across the organization. Simultaneously, it is important not to forget that culture is always a top-down bottom- up collaboration. While the institution and leadership assign the values, employees are the ones to maintain and shape the culture. Interactive sharing platforms, cross-functional working groups and innovation challenges can be established to provide sufficient resources to foster employee empowerment and ensure the «voice of the people» does not go unheard.
Once a centralized message is defined, the risk culture framework can be built. Data from the framework streams (see Figure 3) is amalgamated into a customizable «Balanced Scorecard», a remuneration framework for both front-office staff and supervisors. The scorecard is a map of risk performance at branch and individual levels. It provides a regulatory focus on how banks measure, reward good and penalize poor behavior, by factoring in non-sales KPIs (such as ethical conduct, investment suitability etc.) that directly impact remuneration. The tool minimizes gaps in regulatory audits and aggregates various views, such as incidents, financial KPI’s, conduct and behavior, etc. Most importantly, it can be customized to measure the targets of different business areas, roles and responsibilities.
The results from the scorecard are factored into the bank’s incentives processes including performance management, talent programs and career progression paths. Performance-based incentives are one of the best ways of influencing behavior and culture.
As important as financial performance is, incentives also need to consider risk and behavioral metrics. A well-planned program ingrains individual risk metrics into the appraisal process with a predefined weighting against traditional performance indicators (e.g. sales). Individuals with «red flags» are reported as infractions and «green flags» (or outstanding performance) are also measured and factored into appraisals. A formal, fully transparent and sufficiently monitored incentives program minimizes the risk of abuse and misconduct. For these risk metrics and incentives processes to be fully understood by employees, they should be closely tied to the organization’s training programs.
A strategic and metrics-based program ensures that the bounds of acceptable and unacceptable behavior are understood throughout the organization and risk management skills of employees are regularly honed. These training efforts should be carefully measured and used to enhance existing practices to avoid a stagnant and outdated program. Care should be taken to prevent the training program from becoming a bureaucratic minimum requirement to fill the hours for Continuing Professional Development (CPD), and instead aim to bring more awareness and to develop the knowledge and understanding of key processes within the bank.
As mentioned previously, setting up a new framework may lead to unwanted consequences. This proves the need for a strategic approach where potential risks are discussed and mitigated at the onset of the risk framework implementation project. The potential risks vary depending on the used framework and the prevalent culture of the bank, but implementing certain «hygiene factors» can help prevent abuse. Being aware of the potential adverse effects of a new mechanism can give a heads-up by creating a safety net of control processes around it to detect outliers.
The impact of behavior and risk culture on financial institutions may very well be the financial industry’s biggest blind spot. The main mistake an institution can make is to approach risk reform requirements as a box-ticking exercise. This mindset is less likely to carry any benefits in a rapidly changing regulatory landscape.
With pressing deadlines from Asian regulators, there is a need for a comprehensive approach towards defining the right risk culture. By identifying and understanding the current and future state of culture and conduct within the organization, banks can implement the appropriate forward-planning reforms. Increased personal accountability, measurable culture initiatives and active prevention of conduct will be the focus in the years to come. As private banks collect more data into their balanced scorecards, senior managers will be able to use it to meet their organizations’ goals and eventually build predictive models around the data.
Although establishing the metrics will take time and investment, predictions are set to become heavy artillery in future change initiatives. By adopting the right tools and capturing the right data today, institutions can get themselves on the correct path to understanding how specific actions cause shifts in metrics. Synpulse has been supporting organizations with gap analysis in their risk culture framework through structured assessment methods, subsequently closing the identified gaps by implementing the necessary policies, procedures, the rolling out of an effective balanced scorecard and in providing effective training solutions in effecting the changes.
This article is co-authored by Piyush Pachori (Manager) and Sonja Husa (Consultant).
We would like to thank Dinesh Saini (Senior Consultant) for his contribution on this article.
To understand more about the article and its insights, please approach the contact person at the end of this page.
References & Footnotes
- Skinning the AML Monster – Are You Doing it Right? — Jan 2018
- Conduct Costs Results —2017
- MAS Consultation Paper — 2018