Part IV Conduct and Culture, 19 Managing Conduct Risk: From Rules to Culture

Antonella Sciarrone Alibrandi, Claudio Frigeni

From: Governance of Financial Institutions

Edited By: Danny Busch, Guido Ferrarini, Gerard van Solinge

From: Oxford Legal Research Library (http://olrl.ouplaw.com). (c) Oxford University Press, 2023. All Rights Reserved. Date: 07 June 2023

Regulation of banks — Investment business

(p. 468) 19  Managing Conduct Risk

From Rules to Culture

I.  Introduction

19.01  In the years following the financial crisis of 2007–2008, the issue of ‘conduct’, although mentioned in a few official documents that studied the roots of the crisis and envisaged some possible responses, was not considered to be at the heart of the problem and attracted limited attention. In the period immediately after the crisis, the expressions ‘conduct risk’ and ‘misconduct risk’ were not commonly heard.

19.02  Only since 2015 have the concepts of ‘misconduct’ as applied to banks (and to financial institutions more broadly) and ‘conduct risk’/‘misconduct risk’ started to attract attention. One of the first relevant documents stressing the significance of ‘conduct’ and the need to improve the ‘culture’ of the banking sector, ‘Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform’, was (p. 469) issued in 2015 by the Group of Thirty,1 an influential, private, consultative body that advises on international economic and monetary affairs. This document put forward recommendations to banks, regulators, and supervisors highlighting the need to draw up a new conceptual framework to address conduct risk. Since then, the relevance of the issue has sharply increased, becoming one of the main topics of discussion among international financial bodies, authorities, and scholars.2

19.03  In particular, reference is made to the work of the Financial Stability Board (FSB), which, following an explicit mandate from the G20, has launched a comprehensive initiative to study the causes and effects of and possible remedies for ‘misconduct risk’. The concept of conduct risk was hinted at in FSB’s ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture’3 (April 2014), but the topic was addressed in greater detail in its letter of February 2015 sent to G20 leaders,4 in which it highlighted that ‘[t]he scale of misconduct in some financial institutions has risen to a level that has the potential to create systemic risks’, asked for ‘reforms to reduce the likelihood of misconduct’, and announced a broad, extensive workplan to address ‘conduct risk’.5 Beginning at that time, conduct risk has ranked very high in FSB’s list of priorities, as reflected in its published documents. In particular, the FSB has devoted much effort to analysing the role that compensation schemes and corporate governance may play in minimizing this risk. With respect to compensation, in March 2018 the FSB published the document, ‘Supplementary Guidance (p. 470) to FSB Principles and Standards on Sound Compensation Practices’,6 in order to specifically include conduct and conduct risk in the 2008 framework on compensation, outlined immediately after the financial crisis and aimed at aligning compensation at large institutions with prudent risk-taking and long-term results. The new document recognizes that a proper alignment cannot be achieved without emphasizing misconduct, and advances the idea that compensation tools can provide both ex ante incentives for good conduct and ex post adjustment mechanisms that ensure appropriate accountability.
With respect to corporate governance, the FSB established a specific Working Group on Governance Frameworks (WGGF) with a mandate to elaborate on the widely held idea that governance tools may be effective in preventing misconduct. The results achieved by WGGF are described in the recent document, ‘Strengthening Governance Frameworks to Mitigate Misconduct Risk’7 (20 April 2018), directed at both firms and financial supervisors and recommending a set of governance measures (the ‘toolkit’).

19.04  In addition to the FSB, other important international institutions, especially supervisory authorities, have devoted some attention to the issue of conduct risk. IOSCO (the International Organization of Securities Commissions), for example, has addressed the subject on two different occasions. The first was in its ‘Securities Markets Risk Outlook’ of March 2016,8 in which ‘harmful conduct’ was included in a list of ‘risks related to core securities markets objectives of financial stability, market efficiency and/or investor protection’.9 Then, in June 2017, it published a (p. 471) document entitled ‘Task Force Report on Wholesale Market Conduct’,10 in which it sought to identify the main causes of misconduct in large investment firms and some measures that might minimize the problem. The topic was taken into consideration in the insurance context by IAIS (the International Association of Insurance Supervisors) in its ‘Issues Paper on Conduct of Business Risk and its Management’ dated November 2015.

19.05  At the European level, the issue of conduct risk clearly emerged as a crucial determinant of financial stability in 2015, in a report from the European Systemic Risk Board (ESRB) that focused on misconduct in the banking sector.11 In addition, the European Banking Authority (EBA) stressed the relevance of conduct risks and the need to evaluate their impact on bank capital, highlighting their relevance both in the context of the supervisory review and evaluation process (SREP)12 and the stress test.13

19.06  It should be recalled that the concept of conduct risk has garnered increased attention at the national level too, especially by financial authorities, sometimes even before the topic had been considered by the aforementioned international bodies. For instance, in 2013 the United Kingdom decided to establish a new supervisory authority with the specific task of addressing conduct risk issues (the Financial Conduct Authority, or FCA), thus separating ‘conduct supervision’ from ‘prudential supervision’ (the latter handled by the Bank of England’s Prudential Regulation Authority, or PRA). In its first year, the FCA published the document ‘Risk Outlook 2013’,14 in which it sought to pinpoint the root causes of conduct risk and to describe its implications. The discussion in this document formed the basis of many subsequent studies conducted in other countries and at the international level. Following the UK example, in 2014 ASIC (the Australian Securities and Investments Commission) conducted its ‘Survey on Conduct Risk’. In the United States, the topic has become quite central for financial authorities, to the (p. 472) point that in December 2017 the Federal Reserve Bank (the Fed) published a paper dedicated entirely to misconduct risk,15 in which it stressed the importance of financial firms investing in the development of a healthy risk culture in order to prevent and mitigate misconduct.

19.07  Against this background, it is clear that there is a need to better understand the nature and features of ‘conduct risk’/‘misconduct risk’, and the impact of its increasing prevalence in the context of financial markets. Moreover, there is also a need to understand the reasons that led international institutions to identify conduct risk as being crucial to the operation of the financial markets, especially in light of the far-reaching nature of this conclusion, which is in the process of bringing about major changes in both financial regulation and supervision. A clarification is needed not only for the purpose of defining the scope of and better understanding the regulatory agenda that purports to address conduct risk, but also to assess the objectives and features of the new tools that have been put forward for this purpose.

19.08  This chapter aims at deepening the discussion concerning all these issues. Section II analyses some well-known financial scandals that drew attention to the concept of misconduct and attempts to assess the nature of costs associated with them. Section III discusses definitional issues surrounding conduct risk and summarizes the various definitions that have been offered for it. Then, Section IV discusses two important perspectives for looking at conduct risk. Finally, remedial measures that have already been adopted to minimize conduct risk are discussed in Section V, and Section VI concludes, assessing the role of culture of financial firms in conduct risk.

II.  Examples of Misconduct and Analysis of the Related Costs

19.09  In order to begin fleshing out a discussion of the issues identified above, it is important initially to highlight the context in which the debate over conduct risk began. The increasing prominence of the issue began with some real-life cases of misconduct that shook public opinion.16 One of the most notorious cases of misconduct was the LIBOR manipulation scandal. From 2005 to 2012, various important banks agreed to manipulate the daily submissions utilized to calculate this benchmark rate.17 There were also other cases involving collusive behaviour (p. 473) among banks aimed at influencing relevant indexes (e.g. foreign exchange rates18 and Euribor19) for the purpose of altering the cost of specific products. In all these cases, this conduct had the potential to undermine the correct functioning of financial markets as a whole.

19.10  Other financial scandals that are frequently referred to as examples of misconduct are the various cases of mis-selling of financial products to customers (both retail and professional), in which intermediaries sold their clients financial products that were not aligned with their interests. The most famous example, often cited in the conduct risk literature, is the subprime mortgage-backed securities mis-sold by US banks, creating a bubble that triggered the great financial crisis. Another famous case of mis-selling is the Payment Protection Insurance (PPI) scandal, in which many UK banks sold insurance products to retail clients after supplying them with misleading information about their usefulness.20 More recently, the case of Wells Fargo, in which the bank opened ‘ghost’ accounts in the name of unwitting clients, clearly involved misconduct, and, in light of the sanctions imposed on the bank by US supervisory authorities,21 raises questions concerning how conduct risk should be addressed.

19.11  The idea that misconduct occurs every time there is a violation of national or international rules or regulations (such as tax rules, anti-money laundering rules, anti-terrorism rules, rules governing economic sanctions, etc)22 has led to a further broadening of the cases that are seen as falling within the category of conduct risk. From this perspective, for example, the ESRB has treated the infringement of US trade bans against Sudan, Iran, and Cuba by EU banks as cases of misconduct.23

(p. 474) 19.12  Misconduct cases obviously involve certain costs. While it is difficult to estimate the amount of these costs,24 it is important to at least describe the various categories they fall into.

19.13  On the one hand, as has frequently been pointed out, misconduct imposes large costs on customers. It is well known that misconduct is capable of harming the interests of those who are active in the financial sector in a direct or indirect way. Mis-selling of financial products, for example, harms the customers to which the inappropriate product is sold,25 while the manipulation of an index rate has the effect of making the financial products linked to this benchmark more expensive for everyone. From a broader perspective, it has also been argued that misconduct has the potential to harm the entire economy and the society at large26— misconduct may reduce public confidence in the markets and more broadly in the financial system, and since trust is vital for the health of that system, it could lead to systemic risk.27

19.14  In addition, misconduct may also have a negative impact on intermediaries forced to bear financial penalties and other costs (such as costs of redress, litigation costs, etc). To provide an idea of the amount of these costs, the ESRB has estimated that fines and penalties imposed on EU systemically important banks have absorbed all the capital issued by systemically important banks in the European Union from 2010 to 2015.28 Other independent studies have shown that the sharp increase in penalties and settlements for misconduct affected both EU and US large banks (see Figure 19.01).

Figure 19.01  Total fines, penalties, and settlements for the eighteen largest US and EU Banks, from 2009 to February 2016

Note: 1. Peer group of the eighteen largest US and EU banks includes the following six US banks: Bank of America, JPMorgan Chase, Citigroup, Morgan Stanley, Wells Fargo, and Goldman Sachs, and the following twelve EU banks: BNP Paribas, Credit Suisse, Deutsche Bank, UBS, HSBC, Barclays, The Royal Bank of Scotland, Rabobank, Lloyds Bank, Standard Chartered, ING, and Banco Santander. Data only includes fines, penalties, and settlements of 50 million US dollars or greater.

Source: BCG analysis for the years 2009 to 2014. CPG analysis for the year 2015 and YTD 2016.

19.15  In addition to monetary costs, financial intermediaries that do not behave properly also risk incurring important indirect costs such as reputational damage (often but (p. 475) not always associated with the application of penalties), which may reduce their ability to operate effectively in the financial markets.29 In other words, once misconduct is discovered it may affect the offending intermediary and jeopardize its sustainability.

19.16  In summary, misconduct costs may affect financial intermediaries, everyone that deals with them, and society at large. Misconduct may harm the clients of the financial institution responsible for such behaviour; the customers of other financial institutions, especially in cases affecting market integrity; and the economy and society as a whole, since it negatively impacts trust in the financial system (both intermediaries and markets). On a different level, misconduct harms the financial intermediary involved because it incurs significant direct costs (i.e. fines, penalties, and costs of redress) and indirect costs (e.g. reputational costs). In some cases, these costs may affect the viability of the institution and, especially if such behaviour is widespread or the institution involved is significant, this could also lead to a loss of confidence and to systemic risk.

(p. 476) 19.17  The serious consequences of misconduct explain the global focus on conduct risk and the significant amount of attention paid to it by supervisory authorities.

III.  Definitional Issues Related to ‘Conduct Risk’

19.18  Despite the attention paid to this subject by regulators, commentators, and others, there is some confusion about what ‘conduct risk’ specifically is. Documents often refer to ‘conduct risk’ or ‘misconduct risk’ without clarifying whether these terms are synonymous or not.30 There is no generally agreed-on definition of ‘(mis)conduct risk’,31 nor a definitive taxonomy of related terms. In general, ‘(mis)conduct risk’ refers to risks arising from the ‘behaviour’ or the ‘decisions’ at financial firms, thus implying that it has to do with people’s attitudes and choices. In most cases, such behaviour or decisions are considered to be possible sources of conduct risk when they fall short of expected standards. Beyond this expansive definition, there are different views among institutions, authorities, financial intermediaries, and in the academic literature as to the specific meaning of conduct risk and what falls within its scope. It has also been debated whether conduct risk relates only to wilful or fraudulent misconduct or extends beyond that to inadvertent or negligent behaviour; some supervisory authorities have taken the view that conduct risk may arise not only from deliberate actions but also as a consequence of negligence, and even from inadequacies in an organization’s practices, frameworks of control, or even education programs.32 Moreover, different views have been expressed as to the nature of such risk and as to which category of risk it belongs to among those already identified in the banking literature. In this light, it has often been remarked that ‘conduct risk’ has to do with ‘operational risks’,33 but the relationship between conduct risk and legal risk remains unclear.
The common perception is that conduct risk arises from breaches of legal standards but also of codes of conduct and ethical principles; at the same time, it has frequently been pointed out that not all legal risks constitute conduct risk.34 Also unclear is the relationship between compliance risk and conduct risk.35 It should also be stressed that some international (p. 477) institutions, instead of clearly specifying the nature of conduct risk, focus attention on where the breach of standards of conduct is more likely to occur.36 Reference is usually made to the area of fair treatment of customers and more specifically to consumers (investors). The integrity of markets and prevention of financial crime is also frequently mentioned as a subject of focus. Effective competition is sometimes considered to be another potential area where the breach of legal or ethical obligation may be considered to amount to misconduct.

19.19  Factors that create conduct risk are often divided into three categories.37 First, some of the drivers of conduct risk are considered to be ‘inherent’ in financial markets (the ‘Inherent Factor’), in the sense that some of the features of these markets—including information asymmetry, demand-side weakness, the low level of financial skills among customers—often lead customers and financial firms operating in these markets to make poor decisions. Second, the way in which the financial sector is structured and managed, together with its predominant culture (the ‘Structures and Behaviours Factor’), are thought to be at the root of some acts of misconduct, since these phenomena may allow financial firms to obtain undeserved profits (e.g. by making decisions under the influence of conflicts of interest or by engaging in unfair competition). Finally, third, market and societal conditions (such as economic and financial trends, along with regulatory changes and technological developments) have also been identified as important drivers of conduct risk, drivers that may influence firm and consumer decisions (the ‘Environmental Factor’).

19.20  In sum, (mis)conduct risk is generally viewed as the risk associated with illegal or unethical conduct engaged in by financial firms and their employees. Beyond this broad definition, different institutions have focused their attention on specific areas or activities in which misconduct may occur and attempted to understand the drivers of conduct risk in these areas or activities. Despite the fact that some institutions have expressed the view that a specific definition of conduct risk is not necessary,38 the authors of this chapter believe that such a definition is needed in order to better understand the problem and the factors characterizing this risk. It is therefore necessary to briefly outline the various available definitions of ‘conduct risk’ or ‘misconduct risk’.

(p. 478) A.  The definition of ‘conduct risk’ according to the FSB

19.21  The FSB, which has devoted great effort to studying this topic, defines ‘misconduct’ as ‘conduct that falls short of expected standards, including legal, professional and ethical standards’,39 and considers ‘conduct risk’ to be any type of risk that may arise from a misconduct event. Such a broad definition follows the common perception of what constitutes conduct risk. The FSB also provides an extremely broad list of activities that may give rise to conduct risk concerns—it considers that conduct risk may occur in several sectors of banking activity, both internal and external to a financial firm itself, and includes all operational risks related to internal fraud, employment practices, and workplace safety; clients; products and business practices; business disruption and damage to assets; and execution, delivery, and process management.40 It is clear that this approach does not help clarify the specific nature of conduct risk or to distinguish it from other kinds of risk that may arise in the financial sector.

B.  The definition of ‘conduct risk’ according to supervisory authorities

19.22  A different approach has been adopted among supervisory authorities, which prefer specific definitions based on the areas in which supervision is required to address conduct risk, clearly linked to the scope and objective of the supervision in each of the areas.41

19.23  IOSCO, for example, defines ‘harmful conduct’ as ‘conduct (not necessarily illegal) that could: (1) harm the interest of investors; (2) jeopardize fair, efficient and transparent markets or (3) lead to potential systemic risk’.42 It is clear that this definition is more detailed than that adopted by the FSB, as it is grounded in specific negative consequences that may occur if the conduct risk materializes. Moreover, the definition used by IOSCO is based on the type of harm and distinguishes among the mis-selling of products, fraud on investments, and negligent behaviour.

19.24  A similar approach has been adopted by the FSA, whose task is to monitor the behaviour of financial firms. Even if this conduct authority has decided not to define the term ‘conduct risk’, it focuses attention on the potential drivers of this risk, (p. 479) which ‘may lead to faultiness in financial markets that drive poor consumer outcomes, weaken competition and threaten market integrity’.43

19.25  ASIC broadly defines conduct risk as ‘inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’, but especially focuses its attention on conflicts of interest that have the potential of harming customers.44

19.26  Along the same lines is IAIS, which has stated that ‘conduct of business risk can be defined as the risk to customers, insurers, the insurance sector or the insurance market that arises from insurers and or intermediaries conducting their business in a way that does not ensure fair treatment of customers’.45 It is important to note that, even if this definition limits conduct risk to the potential to harm insurance customers, IAIS recognizes the existence of a link between this risk and prudential risk, since misconduct may also affect the viability of the offending insurance firm.46

19.27  A similar approach is taken by the Fed (the prudential supervision authority of the United States), which adopts both a broad definition of misconduct risk (‘the potential for behaviours or business practices that are illegal, unethical, or contrary to a firm’s stated beliefs, values, policies and procedures’)47 and emphasizes the negative impact misconduct can have on financial firms, stating that it can undermine the ‘intermediation function by diverting management attention, damaging a firm’s reputation, driving a change in the composition of the firm’s workforce, depleting its capital, and making a firm less resilient’.48

19.28  The focus on the firm’s perspective is usually stressed by other national prudential authorities. For example, the Australian Prudential Regulation Authority (APRA) adheres to the broad definition of conduct risk adopted by ASIC, but explains that, as a prudential authority, its point of view differs from ASIC’s because it focuses on the risk that financial firms could incur significant losses that could undermine their viability and consequently harm depositors.49 The same applies to the UK’s Financial Prudential Authority (FPA), which views conduct risk in the context of the procedures set forth to ensure a prudential evaluation of the amount of capital (p. 480) available to a bank and has recently stressed its relevance by asking the banks to apply a separate and additional stress test related to misconduct costs, in addition to the ordinary stress tests used to measure the resilience of the banks against all other types of risks.50

C.  The definition of ‘conduct risk’ within the Banking Union context—EBA

19.29  The negative impact that misconduct may have on financial firms is particularly evident in the definition of conduct risk adopted by the EBA in its ‘Methodological Note’ on the new EU-wide stress test (2016) and in its Guidelines on SREP (2014). In both these documents, conduct risk is defined as ‘the current or prospective risk of losses to an institution arising from inappropriate supply of financial services including cases of wilful or negligent misconduct’.51 The central point of this definition is the risk that banks will incur losses as a result of breach of expected standards of conduct. Moreover, in the SREP Guidelines, conduct risk is considered to be part of operational risk and more specifically a sub-category of legal risk.52 These Guidelines provide a non-exhaustive list of hypotheses under which conduct risk is particularly high and may result in losses, namely:

a) mis-selling of products (retail and wholesale markets); b) pushed cross-selling of products to retail customers; c) conflicts of interest in conducting business; d) manipulation of benchmarks; e) barriers to switching financial products or financial services providers; f) poorly designed distribution channels (conflicts of interest or false incentives); g) automatic renewal of products; and h) unfair processing of complaints.53

It is important to note that these areas of concern are very similar to those highlighted by the supervision authorities54 whose principal concern is to protect investors. However, in the view of EBA, as appears to be the case with prudential supervisory authorities, concern with conduct risk is aimed chiefly at ensuring that banks’ exposure to losses is correctly measured and that their capital holdings are sufficient to address this exposure. In other words, EBA (and the prudential supervisors) have recognized that misconduct is a risk not only for (p. 481) external parties, but also for the bank itself. For this reason, it has to be taken into account in the process aimed at assessing compliance of a bank with the capital requirements.

D.  The definition of ‘conduct risk’ within the Banking Union context—ESRB

19.30  The ESRB has adopted a partially different point of view. It adheres to a broad definition of misconduct, but focuses specific attention on some aspects of conduct risk other than those already highlighted. Like the other bodies, ESRB defines misconduct risk as ‘risks attached to the way in which a firm and its staff conduct themselves’.55 From there, the ESRB selects specific concerns related to ‘how customers and investors are treated, mis-selling of financial products, violation of rules and manipulation of markets’.56 Finally, given the macro, prudential perspective of ESRB’s activity, it highlights two different dimensions of (mis)conduct risk. First it stresses that this risk could be a threat to the proper functioning of the entire financial system because, as has already been seen,57 it harms confidence and trust and may discourage the use of financial services. Second, it views misconduct risk as a potent threat because of the penalties and costs incurred by banks in misconduct cases, penalties and costs that may create uncertainty as to the business model, solvency, and profitability of banks (and other financial institutions), and thus also affect the users of the financial system. In conclusion, ESRB considers conduct risk to be a serious internal problem for banks, but also focuses on the negative impact misconduct could have for the entire financial system.

IV.  Conduct Risk: Between the ‘Conduct Perspective’ and the ‘Prudential Perspective’

19.31  The above analysis shows that conduct risk is generally considered as arising out of misconduct; that is to say, it is risk connected with the violation of legal rules, ethical principles, or codes of conduct. As has been suggested, this risk can be assessed from two different perspectives: the ‘conduct perspective’ and the ‘prudential perspective’.58

(p. 482) A.  The conduct perspective

19.32  The first of these, the ‘conduct perspective’, was the only one emphasized at the beginning of the debate about conduct risk.59 It focuses its attention on the negative consequences that misconduct causes for consumers, investors, and society at large. As has already been seen, misconduct may damage not only bank customers who have a contractual agreement with the offending bank, but also (indirectly) other stakeholders operating in the financial market and, more generally, the proper functioning and integrity of the market.60 Moreover, some institutions have also stressed that the impacts resulting from conduct risk could have consequences beyond the financial markets, since they can distort competition among banks or have political repercussions (consider the case of the breaches of embargo regulations). In other words, from a conduct perspective, conduct risk, when actualized in acts of bank misconduct, can affect bank customers, financial markets, and the society at large. In this sense, conduct risk is not a new risk, unknown before the financial crisis. Rather, in the wake of the various scandals discussed above,61 conduct risk has become important on its own; it can no longer be reduced to one (or more) of the categories of risk elaborated within the prudential framework.62 Conduct risk is not just a species of legal risk or compliance risk, but has become its own category of risk.

19.33  From the conduct perspective, the traditional remedy for reducing conduct risk is to improve conduct regulation and strengthen penalties for violations. In order to avoid damage to third parties (and possibly the entire financial system) resulting from misconduct, this remedy involves the adoption of new rules specifically governing the behaviour of intermediaries (conduct regulation) and assigning specific supervisory tasks to authorities (conduct supervision).63 However, this traditional ex post enforcement approach is not enough: because of the potentially significant disruptive effects of misconduct, prevention must be the primary objective of conduct supervision. Even if ex post enforcement and new sanctions (p. 483) imposed on financial firms are important tools, they have not been an adequate deterrent. This conclusion has been supported by some institutions and scholars, agreeing that ‘[t]he fear of penalties alone is unlikely to prevent misconduct sufficiently’.64 In this light, there is a need to rethink the way in which sanctions operate in order to achieve a greater deterrent effect. For example, the necessity of identifying specific employees who have not behaved properly, thereby enhancing individual responsibility, rather than increasing sanctions on financial firms, has often been highlighted.65 In addition, new tools are needed (in addition to sanctions and penalties) to help prevent misconduct. These new tools may include better corporate governance and compensation incentives.66

B.  The prudential perspective

19.34  Quite different is the approach followed by those institutions that emphasize a ‘prudential perspective’.67 This perspective also defines conduct risk as a risk relating to the possibility of misconduct. However, from this point of view, conduct risks are taken into consideration not because misconduct may cause harm to third parties (customers or other stakeholders), but because it may damage the bank (or other financial institution) responsible for it. In fact, as has already been seen, misconduct, when discovered, imposes important costs on offending financial firms, including costs of redress and litigation costs. Moreover, even when the misconduct does not involve violations of the law (and is not punished by the law), the offending bank can suffer reputational damage and lose clients. Conduct risk is thus viewed as involving potential financial losses68 that may reduce the amount of a bank’s capital and implicate its ability to fund its exposure, thus threatening (p. 484) its viability. In addition, the harsh consequences that a financial intermediary has to face, when misconduct is unveiled, may give rise to concerns as to the viability of the institution itself and, especially when misbehaviour is widespread among financial institutions or involves important banks, this may lead to systemic risk.69 Therefore, it is clear why prudential authorities have begun to consider conduct risk: it involves a prudential dimension that cannot be overlooked. There is a need to consider the consequences of misconduct with respect to capital and liquidity rules, and to address these consequences in the relevant regulations and in the approach of supervisory authorities. From this ‘prudential perspective’, the most important concern is to assess whether the capital of a specific bank is sufficient to bear potential misconduct costs without jeopardizing its stability.
As has been seen in the European Union, conduct risk has recently been taken into consideration in EBA explanations of how to carry out prudential tests, including the stress test and the SREP test,70 which assess whether the amount of regulated capital is adequate to face the potential costs of misconduct, and if it is not, to ensure the availability of new equity. In this context, conduct risk is rightly considered to be a type of ‘operational risk’, and more specifically a legal risk, at least for the purposes of measuring the direct costs a bank may incur from it (penalties and costs of redress). However, as has already been mentioned, conduct risk does not involve only legal risk. The fact that conduct risk often entails behaviour that falls short of ethical standards or codes of conduct, behaviour that does not expose the bank to penalties or legal costs, implies the need to assess reputational risk. In any case, recent financial scandals have shown that conduct risk is by far the most important operational risk in the financial sector, and that it deserves to be specifically considered in determining adequate levels of bank capital and liquidity.71

19.35  The prudential perspective is not limited to assessing the adequacy of capital levels; it also requires measures to manage and reduce the risks of potential losses. This means that, like the conduct perspective, the prudential perspective implies the implementation of appropriate new tools designed to prevent misconduct. Similarly to the conduct perspective, from a prudential point of view it is clear that imposing new penalties on financial institutions is not an adequate solution, and may even have the effect of exacerbating the problem of adequacy of capital. Rather, in the context of prudential regulation, especially after the financial crisis of 2007–2008, corporate governance and systems of controls, together with compensation tools, (p. 485) have assumed a central role. In addition, prudential regulation has given supervisory authorities a broad power to assess, in their prudential capacity, internal governance and institution-wide controls. More specifically, supervisory authorities have been asked to assess the capacity of banks’ internal governance mechanisms to identify, measure, and control all risks, including conduct risk.72

19.36  In sum, conduct risk has been analysed from two different points of view: first, the conduct perspective, which focuses on the customer side (and particularly consumers) and market integrity; and second, the prudential perspective, which focuses on the viability of the intermediary in the face of misconduct-related losses. Depending on which of these perspectives is adopted, the features of preventative tools and the assessment of their adequacy by supervisory authorities may differ.73

19.37  In any case, both points of view stress the importance of developing a system capable of preventing misconduct.74 There has been a convergence of institutional opinion towards ex ante remedies, primarily in the area of internal governance of financial intermediaries, and with respect to the crucial role that risk culture plays in this context.

V.  A New Approach: From Rules to Culture

19.38  Taking into account that the main objective should be the prevention (rather than punishment) of misconduct, the international debate on conduct risk has begun stressing the importance of fostering robust firm cultures, in which customer satisfaction and ethical behaviour would become widespread among financial firms and their employees.75 Poor corporate culture has, in fact, been seen as one of the main causes of misconduct. For this reason, the need to improve firm culture seems to lie behind every new tool designed to manage conduct risk. To better understand the relationship between culture and these new tools, it is useful to analyse the tools as (p. 486) falling into the following three categories: conduct regulation; product governance; and internal governance.

19.39  With respect to the first of these, recent years have seen the implementation of new conduct regulations applicable to the financial sector requiring intermediaries to adopt specific conduct policies protective of customers and of the integrity of financial markets. For example, under MiFID II (Directive 2014/65/EU) intermediaries are now required to comply with new rules of conduct aimed at better protecting investors. This is also the case for the AIFMD Directive, which for the first time imposes specific duties on Alternative Investment Fund Managers (AIFMs) to protect their customers and the financial market. Although such an approach, focused on the imposition of sanctions for the breach of such new rules, is a typical ex post mechanism, it should also be considered that such rules seem to treat the deterrent effect as crucial and to be designed to prevent misconduct instead of simply punishing the offending financial firm. The common feature of these new regulations, in fact, is that they better delineate the way in which intermediaries (and other financial firms) must behave, replacing previous general standards with more detailed ones. In this way, they provide guidance to intermediaries and their employees as to how to carry out their duties properly according to the minimum standard of behaviour expected of them,76 and attempt to establish an improved culture among employees.77 Moreover, in order to enhance the deterrent effect of conduct regulation, stress has been placed on the need to introduce new sanctions affecting not only banks as entities, but also the specific employees responsible for misconduct (especially if they are at the top of the internal hierarchy).78 Enhanced personal accountability may heighten the fear of sanctions and reduce the temptation to misbehave, fostering a healthy corporate culture.

19.40  In any case, new conduct rules, even if they are important as indications to banks concerning how to behave properly and encourage a change in culture, have only an indirect and limited preventative effect.

19.41  A second category of tools aimed at tackling conduct risk consists of the European regulations related to ‘product governance’, including those regulations requiring that financial institutions fashion their financial products keeping in mind the type of client to which they will be sold.79 These regulations provide for sanctions in case (p. 487) of violation; however, it is clear that their main objective is the prevention of misconduct (particularly mis-selling) before it occurs.

19.42  There is a direct relationship between product governance and culture. Product governance helps to create a healthy culture, since banks and their employees must always consider the interests of their clients. In addition, product governance works only if banks have a strong culture, because otherwise it risks remaining a mere formality.

19.43  Along the same lines as product governance are the AIFMD rules, which, among other things, require AIFMs to be organized in such a manner as to prevent conflicts of interest. Emphasis is placed on the need to prevent misconduct by avoiding conflicts of interest and on the adoption of corporate organizational forms that encourage good behaviour. These rules will be effective only if the internal organization of the financial firm encourages a healthy culture.

19.44  The last tool to help prevent conduct risk is the improvement of internal governance, which should be structured so as to foster a strong corporate culture. In fact, it is the internal governance dimension that has received most attention in the context of preventative remedies against conduct risk. This category could be split into two sub-categories: compensation practices and internal governance in the strict sense. The FSB has specifically addressed both of these in two different documents.

19.45  With respect to the compensation tool, it is clear that the structure of a firm’s employee compensation (especially of those in top management whose compensation is widely variable) influences employee behaviour, either for good or ill. FSB has stressed the importance of this tool, and in its Supplementary Guidance to the FSB’s ‘Principles and Standards on Sound Compensation Practices’ it provides recommendations for implementing a compensation system that will promote ethical behaviour.80

19.46  With respect to internal governance, the FSB has recently published a document81 outlining various governance tools. Importantly, the FSB stressed the close link between governance and culture, expressing the view that senior managers should identify the existence of an unhealthy culture and attempt to change it. The FSB noted that a good governance structure, in which each employee has clear tasks and responsibilities, may be useful for improving individual accountability and identifying individuals responsible for misconduct. In this way, sound governance paired with individual sanctions can improve firm culture and reduce conduct risks. In order to reduce (p. 488) conduct risk, internal governance (and systems of internal control) should not be limited to a set of formal procedures; it is crucial that these things reflect principles and values widely embedded in a firm’s internal organizational structure.

19.47  At EU level the importance of culture in the context of internal governance as a means to prevent misconduct has clearly been stated in the new Guidelines on Internal Governance (2017). An entire section of this document, entitled ‘Risk Culture and Business Conduct’, is devoted to stressing that a sound and consistent risk culture is essential for the governance mechanism to be effective and capable of preventing and minimizing misconduct.82 All these culture-enhancing tools show that it is risk culture, in the end, that lies behind the remedies put forward to prevent misconduct, especially in the field of governance. This means that not only do firms have to adjust to such new approaches, but supervisory authorities will also need to adapt their supervisory practices. As APRA has recently pointed out: ‘The traditional focus of supervisors on governance, risk management and internal controls would likely be inadequate if insufficient attention was given to risk culture.’83 In the end, if prevention of misconduct depends on the effectiveness of tools based on culture, supervision of behaviour and culture, either from a conduct or prudential perspective, becomes crucial.84


1  Downloadable at http://group30.org/publications/detail/166, accessed 2 October 2018.

2  See C P Skinner, ‘Misconduct Risk’, Fordham Law Review (2016), 84, 1559; L G Arias Barrera, ‘Ethical Perspective of the Financial Sector’, 18 January 2017, available at https://ssrn.com/abstract=3018242, accessed 2 October 2018; R Plato Shinar and K Borenstein Nativ, ‘Misconduct Costs of Banks—The Meaning Behind the Figures’, Business and Finance Law Review, (2017), 32, 495; in economic literature, see also A Carretta and P Schwizer, ‘Risk culture in the regulation and supervision framework’, in A Carretta, F Fiordalisi, and P Schwizer (eds), Risk Culture in Banking, Palgrave Macmillan, 2017, 73 ff.; H Köster and M Pelster, ‘Financial Penalties and Bank Performance’, Journal of Banking & Finance (2017), 79, 57–73; S V Tilley, B Byrne, and J Coughlan, ‘An Empirical Analysis of the Impact of Fines on Bank Reputation in the US and UK’, 2018, available at https://ssrn.com/abstract=2980352, accessed 2 October 2018.

3  Available at http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1, accessed 2 October 2018.

4  Available at http://www.fsb.org/wp-content/uploads/FSB-Chair-letter-to-G20-February-2015.pdf, accessed 2 October 2018. The FSB sent other letters to G20 leaders in April and October 2015.

5  In May 2015 the FSB issued a workplan outlining measures to reduce misconduct risk, which was sent in June to the G20 deputies meeting. Since then, the FSB has periodically published Progress Reports summarizing the initiative launched and the results reached: the first in November 2015 (‘Measures to reduce misconduct risk—Progress Report’, available at http://www.fsb.org/2015/11/measures-to-reduce-misconduct-risk/, accessed 2 October 2018), the second in September 2016 (‘Measures to reduce misconduct risk—Second Progress Report’, available at http://www.fsb.org/2016/09/measures-to-reduce-misconduct-risk-second-progress-report/, accessed 2 October 2018) and the last in July 2017 (‘Reducing misconduct risks in the financial sector—Progress Report to G20 Leaders’, available at http://www.fsb.org/2017/07/reducing-misconduct-risks-in-the-financial-sector-progress-report-to-g20-leaders/, accessed 2 October 2018).

6  Available at http://www.fsb.org/2018/03/supplementary-guidance-to-the-fsb-principles-and-standards-on-sound-compensation-practices-2, accessed 2 October 2018. On this topic, see also previous documents issued by the FSB: ‘Round Table on Compensation Tools to Address Misconduct in Banks’, 10 May 2016 (at http://www.fsb.org/2016/07/fsb-round-table-on-compensation-tools-to-address-misconduct-in-banks/, accessed 2 October 2018); ‘Consultative Document on Supplementary Guidance to FSB Principles and Standards on Sound Compensation Practices’, 20 June 2017 (at http://www.fsb.org/wp-content/uploads/R200617.pdf, accessed 2 October 2018); ‘Supplementary Guidance to FSB Principles and Standards on Sound Compensation Practices: Overview of Responses To The Consultation’, 8 March 2018 (at http://www.fsb.org/wp-content/uploads/P090318-2.pdf, accessed 2 October 2018). Furthermore, a consultation is currently pending on ‘Recommendations for Consistent National Reporting of Data on the Use of Compensation Tools to Address Misconduct Risk’, which outlines the goal of ‘improv[ing] supervisory consideration of compensation practices’. See http://www.fsb.org/2018/05/recommendations-for-consistent-national-reporting-of-data-on-the-use-of-compensation-tools-to-address-misconduct-risk/, accessed 2 October 2018.

7  This document, available at http://www.fsb.org/2018/04/strengthening-governance-frameworks-to-mitigate-misconduct-risk-a-toolkit-for-firms-and-supervisors/, accessed 2 October 2018, followed a preliminary document published in 2017 titled ‘Stocktake of Efforts to Strengthen Governance Frameworks to Mitigate Misconduct Risk’, available at http://www.fsb.org/2017/05/stocktake-of-efforts-to-strengthen-governance-frameworks-to-mitigate-misconduct-risks/, accessed 2 October 2018.

8  Available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD527.pdf, accessed 2 October 2018.

9  See IOSCO, n 8, 7 and Ch 5.

10  Available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD563.pdf, accessed 2 October 2018.

11  See ESRB, ‘Report on Misconduct Risk in the Banking Sector’, June 2015, 5, available at https://www.esrb.europa.eu/pub/pdf/other/150625_report_misconduct_risk.en.pdf, accessed 2 October 2018.

12  EBA, ‘Guidelines on Common Procedures and Methodologies for the Supervisory Review and Evaluation Process (SREP)’, 19 December 2014, available at https://www.eba.europa.eu/documents/10180/935249/EBA-GL-2014-13+(Guidelines+on+SREP+methodologies+and+processes).pdf, accessed 2 October 2018.

13  See EBA, ‘EU‐Wide Stress Test—Methodological Note 2016’, point 338, 89, available at https://www.eba.europa.eu/documents/10180/1259315/2016+EU-wide+stress+test-Methodological+note.pdf, accessed 2 October 2018; see also the new ‘EU-Wide Stress Test—Methodological Note 2018’, point 353, available at https://www.eba.europa.eu/documents/10180/2106649/2018+EU-wide+stress+test+-+Methodological+Note.pdf, accessed 2 October 2018.

15  See Federal Reserve Bank, ‘Misconduct Risk, Culture, and Supervision’, December 2017, available at https://www.newyorkfed.org/medialibrary/media/governance-and-culture-reform/2017-whitepaper.pdf, accessed 2 October 2018.

16  See Skinner, n 2, 1562; IOSCO, n 8, 49.

17  For a detailed analysis of this case, see Skinner, n 2, 1572ff; see also ESRB, n 11; IOSCO, n 8, 49; FCA, n 14, 7.

18  See ESRB, n 11, 5; IOSCO, n 8, 49.

19  See Skinner, n 2, 1574; IOSCO, n 8, 49.

20  See IOSCO, n 8, 49; this scandal was also cited by FCA, n 14, 7; more in general, about mis-selling conduct, see ESRB, n 11, 4 ‘mis-selling of financial products leads to a suboptimal allocation of investments and risks (as witnessed in the years preceding the financial crisis)’.

21  Wells Fargo was recently fined by US authorities involved in both prudential and conduct supervision. From a conduct perspective, the US Office of the Comptroller of the Currency (OCC) levied, among other penalties, a 500 million US dollar fine (https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-41.html, accessed 2 October 2018); in addition, the US Consumer Financial Protection Bureau (CFPB) assessed a 1 billion US dollar penalty against the bank (crediting the 500 million US dollar fine collected by the OCC) (https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-announces-settlement-wells-fargo-auto-loan-administration-and-mortgage-practices, accessed 2 October 2018). From a prudential point of view, the Federal Reserve Board required the bank to bolster its governance and control systems (https://www.federalreserve.gov/newsevents/pressreleases/enforcement20180202a.htm, accessed 2 October 2018). On this case, see also FCA, ‘Transforming Culture in Financial Services, Discussion paper’, March 2018, 9, available at https://www.fca.org.uk/publication/discussion/dp18-02.pdf, accessed 2 October 2018.

22  See ESRB, n 11; IOSCO, n 10, 4.

23  See ESRB, n 11, 5.

24  To better understand the costs related to misconduct, the European Parliament commissioned three studies on the topic: see E Carletti, ‘Fines for misconduct in the banking sector—what is the situation in the EU?’, March 2017, available at http://www.europarl.europa.eu/RegData/etudes/IDAN/2017/587402/IPOL_IDA(2017)587402_EN.pdf, accessed 2 October 2018; M R Götz and T H Tröger, ‘Fines for misconduct in the banking sector—what is the situation in the EU?’, March 2017, available at http://www.europarl.europa.eu/RegData/etudes/IDAN/2017/587401/IPOL_IDA(2017)587401_EN.pdf, accessed 2 October 2018; A Resti, ‘Fines for misconduct in the banking sector—what is the situation in the EU?’, March 2017, available at http://www.europarl.europa.eu/RegData/etudes/IDAN/2017/587400/IPOL_IDA(2017)587400_EN.pdf, accessed 2 October 2018.

25  See ESRB, n 11, 6.

26  ESRB, n 11; see also Skinner, n 2, 1562.

27  Systemic risks connected with misconduct are often emphasized: see ESRB, n 11, ‘A misconduct case in one bank can quickly undermine the confidence of the public in the entire banking sector, because it is difficult for outsiders to differentiate between banks which behave well and those which behave badly.’; see also the FSB, n 4; FSB, ‘Strengthening Governance Frameworks’, n 7, 1; FED, n 15, 10f.; IOSCO, n 10, 3; in the academic literature: Skinner, n 2, passim.

28  See ESRB, n 11, 14f. See also FSB, Letter of July 2017, which estimates that ‘Global banks’ misconduct fines and litigation costs have reached over $320 billion since the crisis’; Resti, n 24, 5ff.; Carletti, n 24, 7; FED, n 15, 1. For empirical research, see Köster and Pelster, n 2.

29  See FED, n 15, 1; G30, n 1, 11; Tilley, Byrne, and Coughlan, n 2.

30  See also IOSCO, n 8, which employs the term ‘harmful conduct’.

31  See FSB, ‘Stocktake of efforts’, n 7, 5; Carletti, n 24.

32  See, e.g., the definition of conduct risk given by EBA which also includes negligent behaviour (Part III.3). Contra, Skinner, n 2, 1562, who considers conduct risk as ‘the intentional distortion of information that, when aggregated and synchronized across institutions, undermines market safety and soundness’.

33  See FSB, ‘Supplementary Guidance’, n 6, 4 ‘reputational and operational risk … both include misconduct risk’; EBA, ‘EU-Wide Stress Test—Methodological Note 2018’, n 13, 99 ff.; Resti, n 24, 5.

34  See FSB, ‘Stocktake of efforts’, n 7, 5.

35  See FSB, ‘Stocktake of efforts’, n 7, 5 ‘Responses to the survey suggest a general trend among financial institutions to link misconduct risk to day-to-day risk decisions of the different businesses as a first line of defence, or breaches related to codes of conduct, whereas compliance risk is seen as abiding by laws, regulations and rules’.

36  See FCA, n 14, 9, which expresses the view that assessing conduct risk has to do with evaluating behaviour of firms in the light of consumer protection, market integrity, and effective competition.

37  This scheme was developed by the FCA, n 14, 9 and has been followed by other supervisory authorities (or their associations): see IAIS, ‘Issues Paper on Conduct of Business Risk and its Management’, November 2015, 11ff.

38  FCA, e.g., decided to avoid defining ‘conduct risk’.

39  See FSB, ‘Stocktake of efforts’, n 7, 5. Actually, in ‘Supplementary Guidance’, n 6, 1, the FSB decided to ‘not propose a definition of misconduct’ believing ‘that each firm should internally define misconduct risk based on the firm’s characteristics and business and in a way that promotes adherence to legal, professional, internal conduct and ethical standards’. For a similar broad treatment, see: Carletti, n 24, 6, ‘conduct undesirable from the perspective of customers, investors or proper functioning of markets’.

40  See FSB, ‘Stocktake of efforts’, n 7, 6.

41  See IAIS, n 37, 6.

42  IOSCO, n 8, 14. It is also to be stressed that this definition is fully in line with IOSCO’s objectives as outlined on its website (www.iosco.org, accessed 2 October 2018).

43  FCA, n 14, 9.

44  ASIC, ‘Culture, conduct and conflicts of interest in vertically integrated businesses in the funds-management industry’, March 2016, 8 available at https://download.asic.gov.au/media/3583028/rep474-published-21-march-2016.pdf, accessed 2 October 2018.

45  IAIS, n 37, 6.

46  See IAIS, n 37, 6ff.

47  FED, n 15, 5.

48  FED, n 15, 1.

49  APRA, ‘Risk culture. Information paper’, October 2016, available at https://www.apra.gov.au/file/2221, accessed 2 October 2018.

50  See FPA, ‘Stress testing the UK banking system: key elements of the 2018 stress-test’, March 2018, 15 (available at https://www.bankofengland.co.uk/-/media/boe/files/stress-testing/2018/stress-testing-the-uk-banking-system-key-elements-of-the-2018-stress-test.pdf, accessed 2 October 2018).

51  See EBA, ‘EU-Wide Stress Test—Methodological Note 2016’, n 13, point 338, 89; and the new ‘EU-Wide Stress Test—Methodological Note 2018’, n 13, point 353; EBA, n 12, 16. This definition has also been adopted by other works: see European Parliament, ‘Regular public hearing with Danièle Nouy, Chair of the Single Supervisory Mechanism’ (November 2016), 3f.; Resti, n 24, 5.

52  EBA, n 12, 97 (point 252–3).

53  ibid (point 253).

54  See Section III.2.

55  See ESRB, n 11, 3.

56  See ESRB, n 11, 3.

57  See Section II.

58  IAIS, n 37, 6; ESRB, n 11, 4.

59  The FSB approached the problem from this perspective in its first letter to the G20 leaders of February 2015.

60  See the remarks of Mr William C Dudley (President and Chief Executive Officer of the Federal Reserve Bank of New York) at the workshop on ‘Reforming Culture and Behavior in the Financial Services Industry’, available at https://www.bis.org/review/r141021c.pdf, accessed 2 October 2018:

The financial sector plays a key public role in allocating scarce capital and exerting market discipline throughout a complex, global economy. For the economy to achieve its long-term growth potential, we need a sound and vibrant financial sector. Financial firms exist, in part, to benefit the public, not simply their shareholders, employees and corporate clients. Unless the financial industry can rebuild the public trust, it cannot effectively perform its essential functions. For this reason alone, the industry must do much better.

61  See Section II.

62  ESRB, n 11, 4; this is also hinted at in FSB, ‘Stocktake of Efforts’, n 7.

63  IOSCO, n 10, 26ff.

64  ESRB, n 11, 9.

65  ESRB, n 11, 9; IOSCO, n 10, 16; FSB, ‘Strengthening Governance Frameworks’, n 7, V. See also the new UK ‘Senior Managers and Certification Regime’ provided by FCA, available at https://www.fca.org.uk/firms/senior-managers-certification-regime, accessed 2 October 2018.

66  As has been seen (see Section I), after two years of studying misconduct risk, the FSB decided to establish the Working Group on Governance Framework to investigate how corporate governance might be used as a tool for reducing conduct risk.

67  The FSB has adopted a prudential perspective in its recent documents; see, e.g., the ‘Progress Report’, September 2016 where it states that:

‘Misconduct is also relevant to prudential oversight as it can potentially affect the safety and soundness of a particular financial institution and result in financial and reputational costs to that firm’; see also ‘Stocktake of Efforts’: ‘For prudential regulators, misconduct of the magnitude mentioned above can become a prudential issue for three reasons. First, fines and redress payments are losses that deplete the loss-absorbing capacity of a financial institution. Second, misconduct cases can be a reflection of underlying weaknesses of the governance framework. Third, misconduct of this magnitude suggests that some financial institutions may be unwilling or unable to get their employees to adhere to proper standards of conduct. This may further indicate that they are also unable to get their employees to adhere to other standards, including those for sound risk management.’

68  See EBA’s definition of conduct risk. See also FED, n 15, 1; ESRB, n 11, 9.

69  This negative outcome is emphasized by ESRB, n 11.

70  EBA made clear in its Methodological Note 2016 that conduct risk is part of these exercises. The consultation document for the 2018 Stress Test aims at further emphasizing conduct risk.

71  ‘Conduct risk’ is not a ‘Pillar 1 risk’, but its potential effect on capital should be considered under the ‘Pillar 2 requirements’. This means that each bank must conduct its Internal Capital Adequacy Assessment Process (ICAAP) giving due consideration to conduct risk, and that supervisory authorities have the power to assess this process within the context of SREP.

72  See, e.g., the measures adopted by the Fed in the Wells Fargo Cases (n 21) requiring the improvement of governance and control systems.

73  Given the importance of conduct risk from a supervisory perspective, the architecture of financial supervision and the division of powers among financial authorities should be designed taking into account its features and, above all, the fact that it is two-sided. In particular, should conduct risk be considered as the main subject of supervision, then the idea of drawing a bright line between a ‘conduct’ authority and a ‘prudential’ authority should be considered very carefully.

74  The need for a more efficient prevention system has been widely recognized, see in particular: FSB, ‘Strengthening Governance Frameworks’, n 7, V; ESRB, n 11, 9ff.; Carletti, n 24, 7f.; Resti, n 24, 1.

75  See ex multis: FCA, n 21; Carletti, n 24, 7, ‘The development of a robust banking culture is thus considered key to addressing misconduct risk.’; FED, n 15, 4–5, ‘Though there are undoubtedly many contributing factors that give rise to this type of widespread breakdown, there is a growing academic literature that focuses on a firm’s organizational culture as a key driver of behaviour and resultant misconduct risk.’

76  See, e.g., n 5 of MiFID II; ‘Incorrect conduct of firms providing services to clients may lead to investor detriment and loss of investor confidence. In order to address the potentially detrimental effect of those weaknesses in corporate governance arrangements, Directive 2004/39/EC should be supplemented by more detailed principles and minimum standards’.

77  This is hinted at in FCA, n 21, 2, which refers to the need to ‘foster cultures which support the spirit of regulation in preventing harm to consumers and markets.’

78  See n 65.

79  See the new Insurance Distribution Directive (2016/97/EU) and also Article 16 of the MiFID II Directive. See also EBA, ‘Final Report. Guidelines on Product Oversight and Governance Arrangements for Retail Banking Products’, July 2015, available at https://www.eba.europa.eu/documents/10180/1141044/EBA-GL-2015-18+Guidelines+on+product+oversight+and+governance.pdf/d84c9682-4f0b-493a-af45-acbb79c75bfa, accessed 2 October 2018.

80  FSB, ‘Supplementary Guidance’, n 6.

81  FSB, ‘Strengthening Governance Frameworks’, n 7.

82  See EBA, ‘Guidelines on internal governance under Directive 2013/36/EU’, 2017, 33ff.

83  APRA, n 49, 5.

84  See DNB, ‘Supervision of Behaviour and Culture’, available at https://www.dnb.nl/binaries/Supervision%20of%20Behaviour%20and%20Culture_tcm46-334417.pdf, accessed 2 October 2018.