19.01  In the years following the financial crisis of 2007–2008, the issue of ‘conduct’, although mentioned in a few official documents that studied the roots of the crisis and envisaged some possible responses, was not considered to be at the heart of the problem and attracted limited attention. In the period immediately after the crisis, the expressions ‘conduct risk’ and ‘misconduct risk’ were not commonly heard.

19.02  Only since 2015 have the concepts of ‘misconduct’ as applied to banks (and to financial institutions more broadly) and ‘conduct risk’/‘misconduct risk’ started to attract attention. One of the first relevant documents stressing the significance of ‘conduct’ and the need to improve the ‘culture’ of the banking sector, ‘Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform’, was (p. 469) issued in 2015 by the Group of Thirty,¹ an influential, private, consultative body that advises on international economic and monetary affairs. This document put forward recommendations to banks, regulators, and supervisors highlighting the need to draw up a new conceptual framework to address conduct risk. Since then, the relevance of the issue has sharply increased, becoming one of the main topics of discussion among international financial bodies, authorities, and scholars.²

19.03  In particular, reference is made to the work of the Financial Stability Board (FSB), which, following an explicit mandate from the G20, has launched a comprehensive initiative to study the causes and effects of and possible remedies for ‘misconduct risk’. The concept of conduct risk was hinted at in FSB’s ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture’³ (April 2014), but the topic was addressed in greater detail in the its letter of February 2015 sent to G20 leaders,⁴ in which it highlighted that ‘[t]he scale of misconduct in some financial institutions has risen to a level that has the potential to create systemic risks’, asked for ‘reforms to reduce the likelihood of misconduct’, and announced a broad, extensive workplan to address ‘conduct risk’.⁵ Beginning at that time, conduct risk has ranked very high in FSB’s list of priorities, as reflected in its published documents. In particular, the FSB has devoted much effort to analysing the role that compensation schemes and corporate governance may play in minimizing this risk. With respect to compensation, in March 2018 the FSB published the document, ‘Supplementary Guidance (p. 470) to FSB Principles and Standards on Sound Compensation Practices’,⁶ in order to specifically include conduct and conduct risk in the 2008 framework on compensation, outlined immediately after the financial crisis and aimed at aligning compensation at large institutions with prudent risk-taking and long-term results. The new document recognizes that a proper alignment cannot be achieved without emphasizing misconduct, and advances the idea that compensation tools can provide both ex ante incentives for good conduct and ex post adjustment mechanisms that ensure appropriate accountability. With respect to corporate governance, the FSB established a specific Working Group on Governance Frameworks (WGGF) with a mandate to elaborate on the widely held idea that governance tools may be effective in preventing misconduct. The results achieved by WGGF are described in the recent document, ‘Strengthening Governance Frameworks to Mitigate Misconduct Risk’⁷ (20 April 2018), directed at both firms and financial supervisors and recommending a set of governance measures (the ‘toolkit’).

19.04  In addition to the FSB, other important international institutions, especially supervisory authorities, have devoted some attention to the issue of conduct risk. IOSCO (the International Organization of Securities Commissions), for example, has addressed the subject on two different occasions. The first was in its ‘Securities Markets Risk Outlook’ of March 2016,⁸ in which ‘harmful conduct’ was included in a list of ‘risks related to core securities markets objectives of financial stability, market efficiency and/or investor protection’.⁹ Then, in June 2017, it published a (p. 471) document entitled ‘Task Force Report on Wholesale Market Conduct’,¹⁰ in which it sought to identify the main causes of misconduct in large investment firms and some measures that might minimize the problem. The topic was taken into consideration in the insurance context by IAIS (the International Association of Insurance Supervisors) in its ‘Issues Paper on Conduct of Business Risk and its Management’ dated November 2015.

19.05  At the European level, the issue of conduct risk clearly emerged as a crucial determinant of financial stability in 2015, in a report from the European Systemic Risk Board (ESRB) that focused on misconduct in the banking sector.¹¹ In addition, the European Banking Authority (EBA) stressed the relevance of conduct risks and the need to evaluate their impact on bank capital, highlighting their relevance both in the context of the supervisory review and evaluation process (SREP)¹² and the stress test.¹³

19.06  It should be recalled that the concept of conduct risk has garnered increased attention at the national level too, especially by financial authorities, sometimes even before the topic had been considered by the aforementioned international bodies. For instance, in 2013 the United Kingdom decided to establish a new supervisory authority with the specific task of addressing conduct risk issues (the Financial Conduct Authority, or FCA), thus separating ‘conduct supervision’ from ‘prudential supervision’ (the latter handled by the Bank of England’s Prudential Regulation Authority, or PRA). In its first year, the FCA published the document ‘Risk Outlook 2013’,¹⁴ in which it sought to pinpoint the root causes of conduct risk and to describe its implications. The discussion in this document formed the basis of many subsequent studies conducted in other countries and at the international level. Following the UK example, in 2014 ASIC (the Australian Securities and Investments Commission) conducted its ‘Survey on Conduct Risk’. In the United States, the topic has become quite central for financial authorities, to the (p. 472) point that in December 2017 the Federal Reserve Bank (the Fed) published a paper dedicated entirely to misconduct risk,¹⁵ in which it stressed the importance of financial firms investing in the development of an healthy risk culture in order to prevent and mitigate misconduct.

19.07  Against this background, it is clear that there is a need to better understand the nature and features of ‘conduct risk’/‘misconduct risk’, and the impact of its increasing prevalence in the context of financial markets. Moreover, there is also a need to understand the reasons that led international institutions to identify conduct risk as being crucial to the operation of the financial markets, especially in light of the far-reaching nature of this conclusion, which is in the process of bringing about major changes in both financial regulation and supervision. A clarification is needed not only for the purpose of defining the scope of and better understanding the regulatory agenda that purports to address conduct risk, but also to assess the objectives and features of the new tools that have been put forward for this purpose.

19.08  This chapter aims at deepening the discussion concerning all these issues. Section II analyses some well-known financial scandals that drew attention to the concept of misconduct and attempts to assess the nature of costs associated with them. Section III discusses definitional issues surrounding conduct risk and summarizes the various definitions that have been offered for it. Then, Section IV discusses two important perspectives for looking at conduct risk. Finally, remedial measures that have already been adopted to minimize conduct risk are discussed in Section V, and Section VI concludes, assessing the role of culture of financial firms in conduct risk.

19.09  In order to begin fleshing out a discussion of the issues identified above, it is important initially to highlight the context in which the debate over conduct risk began. The increasing prominence of the issue began with some real-life cases of misconduct that shook public opinion.¹⁶ One of the most notorious cases of misconduct was the LIBOR manipulation scandal. From 2005 to 2012, various important banks agreed to manipulate the daily submissions utilized to calculate this benchmark rate.¹⁷ There were also other cases involving collusive behaviour (p. 473) among banks aimed at influencing relevant indexes (e.g. foreign exchange rates¹⁸ and Euribor¹⁹) for the purpose of altering the cost of specific products. In all these cases, this conduct had the potential to undermine the correct functioning of financial markets as a whole.

19.10  Other financial scandals that are frequently referred to as examples of misconduct are the various cases of mis-selling of financial products to customers (both retail and professional), in which intermediaries sold their clients financial products that were not aligned with their interests. The most famous example, often cited in the conduct risk literature, is the subprime mortgage-backed securities mis-sold by US banks, creating a bubble that triggered the great financial crisis. Another famous case of mis-selling is the Payment Protection Insurance (PPI) scandal, in which many UK banks sold insurance products to retail clients after supplying them with misleading information about their usefulness.²⁰ More recently, the case of Wells Fargo, in which the bank opened ‘ghost’ accounts in the name of unwitting clients, clearly involved misconduct, and, in light of the sanctions imposed on the bank by US supervisory authorities,²¹ raises questions concerning how conduct risk should be addressed.

19.11  The idea that misconduct occurs every time there is a violation of national or international rules or regulations (such as tax rules, anti-money laundering rules, anti-terrorism rules, rules governing economic sanctions, etc)²² has led to a further broadening of the cases that are seen as falling within the category of conduct risk. From this perspective, for example, the ESRB has treated the infringement of US trade bans against Sudan, Iran, and Cuba by EU banks as cases of misconduct.²³

(p. 474) 19.12  Misconduct cases obviously involve certain costs. While it is difficult to estimate the amount of these costs,²⁴ it is important to at least describe the various categories they fall into.

19.13  On the one hand, as has frequently been pointed out, misconduct imposes large costs on customers. It is well known that misconduct is capable of harming the interests of those who are active in the financial sector in a direct or indirect way. Mis-selling of financial products, for example, harms the customers to which the inappropriate product is sold,²⁵ while the manipulation of an index rate has the effect of making the financial products linked to this benchmark more expensive for everyone. From a broader perspective, it has also been argued that misconduct has the potential to harm the entire economy and the society at large²⁶— misconduct may reduce public confidence in the markets and more broadly in the financial system, and since trust is vital for the health of that system, it could lead to systemic risk.²⁷

19.14  In addition, misconduct may also have a negative impact on intermediaries forced to bear financial penalties and other costs (such as costs of redress, litigation costs, etc). To provide an idea of the amount of these costs, the ESRB has estimated that fines and penalties imposed on EU systemically important banks have absorbed all the capital issued by systemically important banks in the European Union from 2010 to 2015.²⁸ Other independent studies have shown that the sharp increase in penalties and settlements for misconducts affected both EU and US large banks (see Figure 19.01).

• View full-sized figure

Figure 19.01  Total fines, penalties, and settlements for the eighteen largest US and EU Banks, from 2009 to February 2016

Note: 1. Peer group of the eighteen largest US and EU banks includes the following six US banks: Bank of America, JPMorgan Chase, Citigroup, Morgan Stanley, Wells Fargo, and Goldman Sachs, and the following twelve EU banks: BNP Paribas, Credit Suisse, Deutsche Bank, UBS, HSBC, Barclays, The Royal Bank of Scotland, Rabobank, Lloyds Bank, Standard Chartered, ING, and Banco Santander. Data only includes fines, penalties, and settlements of 50 million US dollars or greater.

Source: BCG analysis for the years 2009 to 2014. CPG analysis for the year 2015 and YTD 2016.

19.15  In addition to monetary costs, financial intermediaries that do not behave properly also risk incurring important indirect costs such as reputational damage (often but (p. 475) not always associated with the application of penalties), which may reduce their ability to operate effectively in the financial markets.²⁹ In other words, once misconduct is discovered it may affect the offending intermediary and jeopardize its sustainability.

19.16  In summary, misconduct costs may affect financial intermediaries, everyone that deals with them, and society at large. Misconduct may harm the clients of the financial institution responsible for such behaviour; the customers of other financial institutions, especially in cases affecting market integrity; and the economy and society as a whole, since it negatively impacts trust in the financial system (both intermediaries and markets). On a different level, misconduct harms the financial intermediary involved because it incurs significant direct costs (i.e. fines, penalties, and costs of redress) and indirect costs (e.g. reputational costs). In some cases, these costs may affect the viability of the institution and, especially if such behaviour is widespread or the institution involved is significant, this could also lead to a loss of confidence and to systemic risk.

(p. 476) 19.17  The serious consequences of misconduct explain the global focus on conduct risk and the significant of attention paid to it by supervisory authorities.

19.18  Despite the attention paid to this subject by regulators, commentators, and others, there is some confusion about what ‘conduct risk’ specifically is. Documents often refer to ‘conduct risk’ or ‘misconduct risk’ without clarifying whether these terms are synonymous or not.³⁰ There is no generally agreed-on definition of ‘(mis)conduct risk’,³¹ nor a definitive taxonomy of related terms. In general, ‘(mis)conduct risk’ refers to risks arising from the ‘behaviour’ or the ‘decisions’ at financial firms, thus implying that it has to do with people’s attitudes and choices. In most cases, such behaviour or decisions are considered to be possible sources of conduct risk when they fall short of expected standards. Beyond this expansive definition, there are different views among institutions, authorities, financial intermediaries, and in the academic literature as to the specific meaning of conduct risk and what falls within its scope. It has also been debated whether conduct risk relates only to wilful or fraudulent misconduct or extends beyond that to inadvertent or negligent behaviour; some supervisory authorities have taken the view that conduct risk may arise not only from deliberate actions but also as a consequence of negligence, and even from inadequacies in an organization’s practices, frameworks of control, or even education programs.³² Moreover, different views have been expressed as to the nature of such risk and to the category of risk it belongs among the various already identified in banking literature. In this light, it has often been remarked that ‘conduct risk’ has to do with ‘operational risks’,³³ but the relationship between conduct risk and legal risk remains unclear. The common perception is that conduct risk arises from breaches of legal standards but also of codes of conduct and ethical principles; at the same time, it has frequently been pointed out that not all legal risks constitute conduct risk.³⁴ Also unclear is the relationship between compliance risk and conduct risk.³⁵ It should also be stressed that some international (p. 477) institutions, instead of clearly specifying the nature of conduct risk, focus attention on where the breach of standards of conduct is more likely to occur.³⁶ Reference is usually made to the area of fair treatment of customers and more specifically to consumers (investors). The integrity of markets and prevention of financial crime is also frequently mentioned as a the subject of focus. Effective competition is sometimes considered to be another potential area where the breach of legal or ethical obligation may be considered to amount to misconduct.

19.19  Factors that create conduct risk are often divided into three categories.³⁷ First, some of the drivers of conduct risk are considered to be ‘inherent’ in financial markets (the ‘Inherent Factor’), in the sense that some of the features of these markets—including information asymmetry, demand-side weakness, the low level of financial skills among customers—often lead customers and financial firms operating in these markets to make poor decisions. Second, the way in which the financial sector is structured and managed, together with its predominant culture (the ‘Structures and Behaviours Factor’), are thought to be at the root of some acts of misconduct, since these phenomena may allow financial firms to obtain undeserved profits (e.g. by making decisions under the influence of conflicts of interest or by engaging in unfair competition). Finally, third, market and societal conditions (such as economic and financial trends, along with regulatory changes and technological developments) have also been identified as important drivers of conduct risk, drivers that may influence firm and consumer decisions (the ‘Environmental Factor’).

19.20  In sum, (mis)conduct risk is generally viewed as the risk associated with illegal or unethical conduct engaged in by financial firms and their employees. Beyond this broad definition, different institutions have focused their attention on specific areas or activities in which misconduct may occur and attempted to understand the drivers of conduct risk in these areas or activities. Despite the fact that some institutions have expressed the view that a specific definition of conduct risk is not necessary,³⁸ the authors of this chapter believe that such a definition is needed in order to better understand the problem and the factors characterizing this risk. It is therefore necessary to briefly outline the various available definitions of ‘conduct risk’ or ‘misconduct risk’.

19.21  The FSB, which has devoted great effort to studying this topic, defines ‘misconduct’ as ‘conduct that falls short of expected standards, including legal, professional and ethical standards’,³⁹ and considers ‘conduct risk’ to be any type of risk that may arise from a misconduct event. Such a broad definition follows the common perception of what constitutes conduct risk. The FSB also provides an extremely broad list of activities that may give rise to conduct risk concerns—it considers that conduct risk may occur in several sectors of banking activity, both internal and external to a financial firm itself, and includes all operational risks related to internal fraud, employment practices, and workplace safety; clients; products and business practices; business disruption and damage to assets; and execution, delivery, and process management.⁴⁰ It is clear that this approach does not help clarify the specific nature of conduct risk or to distinguish it from other kinds of risk that may arise in the financial sector.

19.22  A different approach has been adopted among supervisory authorities, which prefer specific definitions based on the areas in which supervision is required to address conduct risk, clearly linked to the scope and objective of the supervision in each of the areas.⁴¹

19.23  IOSCO, for example, defines ‘harmful conduct’ as ‘conduct (not necessarily illegal) that could: (1) harm the interest of investors; (2) jeopardize fair, efficient and transparent markets or (3) lead to potential systemic risk’.⁴² It is clear that this definition is more detailed than that adopted by the FSB, as it is grounded in specific negative consequences that may occur if the conduct risk materializes. Moreover, the definition used by IOSCO is based on the type of harm and distinguishes among the mis-selling of products, fraud on investments, and negligent behaviour.

19.24  A similar approach has been adopted by the FSA, whose task is to monitor the behaviour of financial firms. Even if this conduct authority has decided not to define the term ‘conduct risk’, it focuses attention on the potential drivers of this risk, (p. 479) which ‘may lead to faultiness in financial markets that drive poor consumer outcomes, weaken competition and threaten market integrity’.⁴³

19.25  ASIC broadly defines conduct risk as ‘inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’, but especially focuses its attention on conflicts of interest that have the potential of harming customers.⁴⁴

19.26  Along the same lines is IAIS, which has stated that ‘conduct of business risk can be defined as the risk to customers, insurers, the insurance sector or the insurance market that arises from insurers and or intermediaries conducting their business in a way that does not ensure fair treatment of customers’.⁴⁵ It is important to note that, even if this definition limits conduct risk to the potential to harm insurance customers, IAIS recognizes the existence of a link between this risk and prudential risk, since misconduct may also affect the viability of the offending insurance firm.⁴⁶

19.27  A similar approach is taken by the Fed (the prudential supervision authority of the United States), which adopts both a broad definition of misconduct risk (‘the potential for behaviours or business practices that are illegal, unethical, or contrary to a firm’s stated beliefs, values, policies and procedures’)⁴⁷ and emphasizes the negative impact misconduct can have on financial firms, stating that it can undermine the ‘intermediation function by diverting management attention, damaging a firm’s reputation, driving a change in the composition of the firm’s workforce, depleting its capital, and making a firm less resilient’.⁴⁸

19.28  The focus on the firm’ perspective is usually stressed by other national prudential authorities. For example, the Australian Prudential Regulation Authority (APRA) adheres to the broad definition of conduct risk adopted by ASIC, but explains that, as a prudential authority, its point of view differs from ASIC’s because it focuses on the risk that financial firms could incur significant losses that could undermine their viability and consequently harm depositors.⁴⁹ The same applies to UK’s Financial Prudential Authority (FPA) which views conduct risk in the context of the procedures set forth to ensure a prudential evaluation of the amount of capital (p. 480) available to a bank and has recently stressed its relevance by asking the banks to apply a separate and additional stress test related to misconduct costs, in addition the ordinary stress tests used to measure the resilience of the banks against all other types of risks.⁵⁰

19.29  The negative impact that misconduct may have on financial firms is particularly evident in the definition of conduct risk adopted by the EBA in its ‘Methodological Note’ on the new EU-wide stress test (2016) and in its Guidelines on SREP (2014). In both these documents, conduct risk is defined as ‘the current or prospective risk of losses to an institution arising from inappropriate supply of financial services including cases of wilful or negligent misconduct’.⁵¹ The central point of this definition is the risk that banks will incur losses as a result of breach of expected standards of conduct. Moreover, in the SREP Guidelines, conduct risk is considered to be part of operational risk and more specifically a sub-category of legal risk.⁵² These Guidelines provide a non-exhaustive list of hypotheses under which conduct risk is particularly high and may result in losses, namely:

a) mis-selling of products (retail and wholesale markets); b) pushed cross-selling of products to retail customers; c) conflicts of interest in conducting business; d) manipulation of benchmarks; e) barriers to switching financial products or financial services providers; f) poorly designed distribution channels (conflicts of interest or false incentives); g) automatic renewal of products; and h) unfair processing of complaints.⁵³

It is important to note that these areas of concern are very similar to those highlighted by the supervision authorities⁵⁴ whose principal concern is to protect investors. However, in the view of EBA, as appears to be the case with prudential supervisory authorities, concern with conduct risk is aimed chiefly at ensuring that banks’ exposure to losses is correctly measured and that their capital holdings are sufficient to address this exposure. In other words, EBA (and the prudential supervisors) have recognized that misconduct is a risk not only for (p. 481) external parties, but also for the bank itself. For this reason, it has to be taken into account in the process aimed at assessing compliance of a bank with the capital requirements.

19.30  The ESRB has adopted a partially different point of view. It adheres to a broad definition of misconduct, but focuses specific attention on some aspects of conduct risk other than those already highlighted. Like the other bodies, ESRB defines misconduct risk as ‘risks attached to the way in which a firm and its staff conduct themselves’.⁵⁵ From there, the ESRB selects specific concerns related to ‘how customers and investors are treated, mis-selling of financial products, violation of rules and manipulation of markets’.⁵⁶ Finally, given the macro, prudential perspective of ESRB’s activity, it highlights two different dimensions of (mis)conduct risk. First it stresses that this risk could be a threat to the proper functioning of the entire financial system because, as has already been seen,⁵⁷ it harms confidence and trust and may discourage the use of financial services. Second, it views misconduct risk as a potent threat because of the penalties and costs incurred by banks in misconduct cases, penalties and costs that may create uncertainty as to the business model, solvency, and profitability of banks (and other financial institutions), and thus also affect the users of the financial system. In conclusion, ESRB considers conduct risk to be a serious internal problem for banks, but also focuses on the negative impact misconduct could have for the entire financial system.

19.31  The above analysis shows that conduct risk is generally considered as arising out of misconduct; that is to say, it is risk connected with the violation of legal rules, ethical principles, or codes of conduct. As has been suggested, this risk can be assessed from two different perspectives: the ‘conduct perspective’ and the ‘prudential perspective’.⁵⁸

19.32  The first of these, the ‘conduct perspective’, was the only one emphasized at the beginning of the debate about conduct risk.⁵⁹ It focuses its attention on the negative consequences that misconduct causes for consumers, investors, and society at large. As has already been seen, misconduct may damage not only bank customers who have a contractual agreement with the offending bank, but also (indirectly) other stakeholders operating in the financial market and, more generally, the proper functioning and integrity of the market.⁶⁰ Moreover, some institutions have also stressed that the impacts resulting from conduct risk could have consequences beyond the financial markets, since they can distort competition among banks or have political repercussions (consider the case of the breaches of embargo regulations). In other words, from a conduct perspective, conduct risk, when actualized in acts of bank misconduct, can affect bank customers, financial markets, and the society at large. In this sense, conduct risk is not a new risk, unknown before the financial crisis. Rather, in the wake of the various scandals discussed above,⁶¹ conduct risk has become important on its own; it can no longer be reduced to one (or more) of the categories of risk elaborated within the prudential framework.⁶² Conduct risk is not just a species of legal risk or compliance risk, but has become its own category of risk.

19.33  From the conduct perspective, the traditional remedy for reducing conduct risk is to improve conduct regulation and strengthen penalties for violations. In order to avoid damage to third parties (and possibly the entire financial system) resulting from misconduct, this remedy involves the adoption of new rules specifically governing the behaviour of intermediaries (conduct regulation) and assigning specific supervisory tasks to authorities (conduct supervision).⁶³ However, this traditional ex post enforcement approach is not enough: because of the potentially significant disruptive effects of misconduct, prevention must be the primary objective of conduct supervision. Even if ex post enforcement and new sanctions (p. 483) imposed on financial firms are important tools, they have not been an adequate deterrent. This conclusion has been supported by some institutions and scholars, agreeing that ‘[t]he fear of penalties alone is unlikely to prevent misconduct sufficiently’.⁶⁴ In this light, there is a need to rethink the way in which sanctions operate in order to achieve a greater deterrent effect. For example, the necessity of identifying specific employees who have not behaved properly, thereby enhancing individual responsibility, rather than increasing sanctions on financial firms, has often been highlighted.⁶⁵ In addition, new tools are needed (in addition to sanctions and penalties) to help prevent misconduct. These new tools may include better corporate governance and compensation incentives.⁶⁶

19.34  Quite different is the approach followed by those institutions that emphasize a ‘prudential perspective’.⁶⁷ This perspective also defines conduct risk as a risk relating to the possibility of misconduct. However, from this point of view, conduct risks are taken into consideration not because misconduct may cause harm to third parties (customers or other stakeholders), but because it may damage the bank (or other financial institution) responsible for it. In fact, as has already been seen, misconduct, when discovered, imposes important costs on offending financial firms, including costs of redress and litigation costs. Moreover, even when the misconduct does not involve violations of the law (and is not punished by the law), the offending bank can suffer reputational damage and lose clients. Conduct risk is thus viewed as involving potential financial losses⁶⁸ that may reduce the amount of a bank’s capital and implicate its ability to fund its exposure, thus threatening (p. 484) its viability. In addition, the harsh consequences that a financial intermediary has to face, when misconduct is unveiled, may give rise to concerns as to the viability of the institution itself and, especially when misbehaviour is widespread among financial institutions or involve important banks, this may lead to systemic risk.⁶⁹ Therefore, it is clear why prudential authorities have begun to consider conduct risk: it involves a prudential dimension that cannot be overlooked. There is a need to consider the consequences of misconduct with respect to capital and liquidity rules, and to address these consequences in the relevant regulations and in the approach of supervisory authorities. From this ‘prudential perspective’, the most important concern is to assess whether the capital of a specific bank is sufficient to bear potential misconduct costs without jeopardizing its stability. As has been seen in the European Union, conduct risk has recently been taken into consideration in EBA explanations of how to carry out prudential tests, including the stress test and the SREP test,⁷⁰ which assess whether the amount of regulated capital is adequate to face the potential costs of misconduct, and if it is not, to ensure the availability of new equity. In this context, conduct risk is rightly considered to be a type of ‘operational risk’, and more specifically a legal risk, at least for the purposes of measuring the direct costs a bank may incur from it (penalties and costs of redress). However, as has already been mentioned, conduct risk does not involve only legal risk. The fact that conduct risk often entails behaviour that falls short of ethical standards or codes of conduct, behaviour that does not expose the bank to penalties or legal costs, implies the need to assess reputational risk. In any case, recent financial scandals have shown that conduct risk is by far the most important operational risk in the financial sector, and that it deserves to be specifically considered in determining adequate levels of bank capital and liquidity.⁷¹

19.35  The prudential perspective is not limited to assessing the adequacy of capital levels; it also requires measures to manage and reduce the risks of potential losses. This means that, like the conduct perspective, the prudential perspective implies the implementation of appropriate new tools designed to prevent misconduct. Similarly to the conduct perspective, from a prudential point of view it is clear that imposing new penalties on financial institutions is not an adequate solution, and may even have the effect of exacerbating the problem of adequacy of capital. Rather, in the context of prudential regulation, especially after the financial crisis of 2007–2008, corporate governance and systems of controls, together with compensation tools, (p. 485) have assumed a central role. In addition, prudential regulation has given to supervisory authorities a broad power to assess, in their prudential capacity, internal governance and institution-wide controls. More specifically, supervisory authorities have been asked to assess the capacity of banks’ internal governance mechanisms to identify, measure, and control all risks, including the conduct risk.⁷²

19.36  In sum, conduct risk from two different points of view has been analysed: first, the conduct perspective, which focuses on the customer side (and particularly consumers) and market integrity; and second, the prudential perspective focusing on the viability of the intermediary in the face of misconduct-related losses. Depending on which of these perspectives is adopted, the features of preventative tools and the assessment of their adequacy by supervisory authorities may differ.⁷³

19.37  In any case, both points of view stress the importance of developing a system capable of preventing misconduct.⁷⁴ There has been a convergence of institutional opinion towards ex ante remedies, primarily in the area of internal governance of financial intermediaries, and with respect to the crucial role that risk culture plays in this context.

19.38  Taking into account that the main objective should be the prevention (rather than punishment) of misconduct, the international debate on conduct risk has begun stressing the importance of fostering robust firm cultures, in which customer satisfaction and ethical behaviour would become widespread among financial firms and their employees.⁷⁵ Poor corporate culture has, in fact, been seen as one of the main causes of misconduct. For this reason, the need to improve firm culture seems to lie behind every new tool designed to manage conduct risk. To better understand the relationship between culture and these new tools, it is useful to analyse the tools as (p. 486) falling into the following three categories: conduct regulation; product governance; and internal governance.

19.39  With respect to the first of these, recent years has seen the implementation of new conduct regulations applicable to the financial sector requiring intermediaries to adopt specific conduct policies protective of customers and of the integrity of financial markets. For example, under MiFID II (Directive 2014/65/EU) intermediaries are now required to comply with new rules of conduct aimed at better protecting investors. This is also the case for the AIFMD Directive, which for the first time imposes specific duties on Alternative Investments Fund Managers (AIFMs) to protect their customers and the financial market. Although such approach, focused on the imposition of sanctions for the breach of such new rules is a typical ex post mechanism, it should also be considered that such rules seem to consider crucial the deterrence effect and be designed to prevent misconduct instead of simply punishing the offending financial firm. The common feature of these new regulations, in fact, is that they better delineate the way in which intermediaries (and other financial firms) must behave, replacing previous general standards with more detailed ones. In this way, they provide guidance to intermediaries and their employees as to how to carry out their duties properly according to the minimum standard of behaviour expected of them,⁷⁶ and attempt to establish an improved culture among employees.⁷⁷ Moreover, in order to enhance the deterrent effect of conduct regulation, stress has been placed on the need to introduce new sanctions affecting not only banks as entities, but also the specific employees responsible for misconduct (especially if they are at the top of the internal hierarchy).⁷⁸ Enhanced personal accountability may heighten the fear of sanctions and reduce the temptation to misbehave, fostering a healthy corporate culture.

19.40  In any case, new conduct rules, even if they are important as indications to banks concerning how to behave properly and encourage a change in culture, have only an indirect and limited preventative effect.

19.41  A second category of tools aimed at tackling conduct risk are the European regulations related to ‘product governance’, and include those regulations requiring that financial institutions fashion their financial products keeping in mind the type of client to which they will be sold.⁷⁹ These regulations provide for sanctions in case (p. 487) of violation; however, it is clear that their main objective is the prevention of misconduct (particularly mis-selling) before it occurs.

19.42  There is a direct relationship between product governance and culture. Product governance helps to create a healthy culture, since banks and their employees must always consider the interests of their clients. In addition, product governance works only if banks have a strong culture, because otherwise it risks remaining a mere formality.

19.43  Along the same lines as product governance are the AIFMD rules, which, among other things, require AIFMs to be organized in such a manner as to prevent conflicts of interest. Emphasis is placed on the need to prevent misconduct by avoiding conflicts of interest and on the adoption of corporate organizational forms that encourage good behaviour. These rules will be effective only if the internal organization of the financial firm encourages a healthy culture.

19.44  The last tool to help prevent conduct risk is the improvement of internal governance, which should be structured so as to foster a strong corporate culture. In fact, it is the internal governance dimension that has received most attention in the context of preventative remedies against conduct risk. This category could be split into two sub-categories: compensation practices and internal governance in the strict sense. The FSB has specifically addressed both of these in two different documents.

19.45  With respect to the compensation tool, it is clear that the structure of a firm’s employee compensation (especially of those in top management whose compensation is widely variable) influences employee behaviour, either for good or ill. FSB has stressed the importance of this tool, and in its Supplementary Guidance to the FSB’s ‘Principles and Standards on Sound Compensation Practices’ it provides recommendations for implementing a compensation system that will promote ethical behaviour.⁸⁰

19.46  As respects internal governance, FSB has recently published a document⁸¹ outlining various governance tools. Importantly, FSB stressed the close link between governance and culture, expressing the view that senior managers should identify the existence of an unhealthy culture and attempt to change it. The FSB noted that good governance structure, in which each employee has clear tasks and responsibilities, may be useful for improving individual accountability and identifying individuals responsible for misconduct. In this way, sound governance paired with individual sanctions can improve firm culture and reduce conduct risks. In order to reduce (p. 488) conduct risk, internal governance (and systems of internal control) should not be limited to a set of formal procedures; it is crucial that these things reflect principles and values widely embedded in a firm’s internal organizational structure.

19.47  At EU level the importance of culture in the context of internal governance as a means to prevent misconduct has clearly been stated in the new Guidelines on Internal Governance (2017). An entire section of such document, entitled ‘Risk Culture and Business Conduct’, is devoted to stressing that a sound and consistent risk culture is essential for the governance mechanism to be effective and capable of preventing and minimizing misconduct.⁸² All these culture-enhancing tools show that it is risk culture, in the end, that lies behind the remedies put forward to prevent misconduct, especially in the field of governance. This means that not only firms have to adjust to such new approaches but also supervisory authorities will need to adapt their supervisory practices. As APRA has recently pointed out: ‘The traditional focus of supervisors on governance, risk management and internal controls would likely be inadequate if insufficient attention was given to risk culture.’⁸³ In the end, if prevention of misconduct depends on the effectiveness of tools based on culture, supervision of behaviour and culture, either from a conduct or prudential perspective, becomes crucial.⁸⁴