‘The lessons of the last few years illustrate clearly that firms need to take proactive steps to improve conduct. Without a firm foundation in identifying the conduct risks inherent in your businesses, it will be hard to manage conduct, let alone show us and others that it is being managed. We know that most firms now understand the value in getting it right and not simply the cost of getting it wrong, and the benefit of good conduct in terms of building customer trust and analyst confidence. However, there is a long way to go, and it will not happen by regulatory osmosis. Firms and individuals need to take responsibility for their own actions.’

Tracy McDermott, acting CEO of the FCA, July 2015, Wholesale Conduct Risk

What is conduct risk?

The global financial crisis led regulators to carefully examine root causes of market failure. Contributory issues were identified, relating to market structure, the pricing of risk and availability of credit, and inadequate capital reserves held by financial institutions.

An additional and significant root cause upon which a spotlight has fallen since the crisis relates to a concept less tangible than credit, market or liquidity risk, namely that of conduct risk, or more specifically, poor identification, mitigation and management of conduct risk. The term has not been formally defined by regulators, but in the UK, guidance in the form of thematic work and speeches has elucidated what it is. The supra-national standard-setting body, the Financial Stability Board, has also published widely on risk culture and governance.

Poor behaviour in retail financial services, as evidenced by various mis-selling scandals, as well as poor behaviour in the wholesale sphere, with the manipulation of Libor and Forex, caused regulators to recognise that how a firm, through its staff, conducts itself and the culture within which it operates are of equal importance to its effective operation as adherence to a set of rules. This recognition that rules alone were not sufficient to ensure the right outcomes for customers, consumers and the markets marked the beginning of conduct risk as a concept – to catch issues around behaviour, tone and ethical standards that were not adequately addressed elsewhere.

A global approach

Although conduct risk as a concept originated in the UK, it has now been adopted more widely across the globe. In Australia, ASIC has been inspired by the UK approach and now expects the firms it regulates to have fully developed conduct risk policies. In the Middle East, the DFSA has done extensive work on senior management behaviors and related issues, and in the USA, the SEC seeks to ensure consumer interests are front and centre of firms’ thinking.

Identification of conduct risk

It falls upon a firm itself to identify the conduct risks to which it is exposed, and no two firms will have the same conduct risk profile. There are commonalities, nevertheless, key among which are having the right ‘tone from the top’, incentivizing staff to behave in an ethical, fair and compliant way towards clients and customers and on markets, and making staff accountable for their actions. The FCA has said that it will assess a firm’s culture, and by implication its management of conduct risk, by looking at a range of different measures, such as:

  • how a firm responds to, and deals with, regulatory issues;
  • what customers are actually experiencing when they buy a product or service from front-line staff;
  • how a firm runs its product approval process and the considerations around these;
  • the manner in which decisions are made or escalated;
  • the behaviour of that firm on certain markets; and
  • the remuneration structures.

The way in which a board engages in these issues will also be of critical importance. A board should be looking to probe high return products or business lines, to fully understand strategies for cross-selling products, how fast growth is obtained and whether products are being sold to markets they are designed for.

The FCA also explained its approach to the interlinked concepts of culture, governance and conduct risk in a March 2015 Thematic Review into governance over mortgage lending strategies (TR 2015/4). The conclusions have application beyond mortgage lenders and can be read as an indication of the FCA’s general thinking in these areas.


We expect firms to have a culture that places customers, market integrity and competition at the heart of their business. Culture is evidenced through the way firms conduct their business, what they expect of their staff and their attitude towards customers. Firms must evidence such culture exists and is applied from the top and throughout all layers of the firm. 


The governance of firms is the process of decision-making and the process by which decisions are implemented by senior management and Boards. We expect Boards to be able to clearly explain the conduct risks within their own strategies, understand their own management information and how it influences good customer outcomes.

Conduct risk 

We see conduct risk as the risk that firm behaviour will result in poor outcomes for customers. A firm’s conduct risk profile will be unique to it; and there is no one-size-fits-all framework that can assess it. We expect firms to be looking at their own business models and strategic plans to see if they are identifying, mitigating and monitoring the consumer risks arising from them. They need to be considering customer outcomes equally alongside commercial objectives.


Further pointers on how to identify and manage conduct risk were provided by Tracy McDermott, then Director of Supervision, investment, wholesale and specialists (now acting CEO), in a speech delivered in July 2015.

Ms McDermott identified five conduct questions firms should be asking themselves:

1. How are the conduct risks inherent within the business identified?

A firm must ask the right questions of the business, conduct root cause analysis when problems are identified and learn from past mistakes.

2. Who is responsible for managing the conduct of the business?

The FCA expects firms to be asking themselves how they are encouraging their employees to be and feel responsible for actually managing the conduct of their business. Essential within this is encouraging the first line of defence, the business itself, to manage conduct risk. McDermott said that they understand their business better than anyone else; they know where the risks are and they should – if correctly incentivised – have the greatest interest in long term, sustainable good business practices. They need to understand that is part of their job and be helped to do it well.

3. What support mechanisms does the business have to enable people to improve the conduct of their business or function?

Examples of effective support mechanisms may be where new product and new business approval committees are robust and appropriately represented by the control functions, or by a firm having training and induction programmes that lay out its expectations of its staff. Further, management information should be provided to those in supervisory roles that is useful, timely and genuinely helps them supervise their staff. McDermott went on to say:

‘Ultimately this is also about creating what we sometimes call a culture of appropriate escalation, where people can speak up when they observe poor behaviour or are unsure about what to do. Too often people are unwilling to do this, or are penalised if they do.’

4. How do the board and executive committees gain oversight of the conduct of the organisation?

At a basic level, this is about what information the board and executive see, and how they take it into account in the decision-making. McDermott acknowledged that although progress has been made in getting conduct issues onto board agendas, there is still some way to go in getting them to take conduct implications into account in every strategic decision and recognise that their decisions can have just as big an impact on the way business is conducted as the behaviour and decisions of those who report to them.

5. Finally, do firms have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?

Ms McDermott pointed out as an example the fact that most employees of any firm will never – or rarely – see the CEO. Their role models are not board members but might be the top trader or the desk head. If they see a colleague rewarded and promoted, even if their behaviour is not consistent with the values of the firm, this does not send a clear message that such behaviour is not tolerated.

Conduct risk, behaviour and culture – the developing picture

A number of initiatives are coming to fruition over the next year or so, as regulators seek to embed effective approaches to key elements of conduct risk throughout the industry. The advent of the Senior Managers’ and Certified Persons regime in the UK (effective 7 March 2016) will have a significant impact on UK deposit takers, and to a lesser extent Solvency II insurance firms.

The application of the SMR is being extended to those working in the fixed income, currency and commodities markets (FICC), including asset managers, as a result of a recommendation made by the Fair and Effective Markets Review, published in June 2015. Additional UK industry-led guidelines will also be forthcoming from the newly created FICC Markets Standards Board (‘FMSB’). The FMSB states its purpose as being:

“to define and sustain good practice standards for wholesale FICC markets and raise standards of behaviour, competence and awareness across those markets and among participants, thereby contributing to the fairness and effectiveness of these markets”.

In a speech accompanying the publication of the Fair and Effective Markets Review, Bank of England Governor Mark Carney said:

‘The importance and complexity of their task is illustrated by the multiple root causes of the misconduct in FICC markets. Specifically, the Review identifies:

– Market structures which presented specific opportunities for abuse, such as poor benchmark design, and which more generally were vulnerable to conflicts of interest, collusion, and thin markets;

– Standards of acceptable market practice that were usually poorly understood, often ignored and always lacked teeth;

– Firms’ systems of internal governance and control that were incapable of asserting the interests of firms – let alone the wider market – over those of close-knit trading staff;

– Individual incentives that were skewed, with pay packages stressing short-term returns over long-term value and good conduct;

– And personal accountability that was lacking, with a culture of impunity developing in parts of the market.

All these factors contributed to an ethical drift. Unethical behaviour went unchecked, proliferated and eventually became the norm.’

These comments illustrate how diverse the concept of conduct risk can be, encompassing low levels of personal accountability, skewed incentives and cultural issues around trader behaviour and camaraderie trumping the interests of clients and the market.

The point is that the behaviours identified in the FICC markets occurred in spite of myriad regulatory rules applying to them. The failings show that rules in an ethical vacuum are ineffective. The regulatory drive now is to stop the ethical drift, by a mixture of new rules (the SMR as mentioned above), voluntary industry standards and codes, as well as requiring firms themselves to create systems and controls to mitigate conduct risk, and all that this entails.

The Banking Standards Board (BSB) is another UK non-statutory body that intends to work with banks and building societies to support their work on achieving cultural change and actively mitigating conduct risk. In a June 2015 speech, BSB chair Dame Colette Bowe said:

‘… it is for the boards of banks to take responsibility for how the business delivers within this regulatory framework. And it is, more subtly, the responsibility of the board to influence the culture of the whole business – the famous “tone from the top” – AND to take responsibility for making sure that this is both understood and acted on in all parts of the business, from the committed top, through the middle and right across the front line. Moving from “tone at the top” through “action in the middle”. By the middle, I mean those hard to reach parts, which are found in any business, not just banking, where messages get lost, communication falters, and “tone from the top” can seem utterly remote from what people are actually doing.’

The FCA has also published Guidance for Performance Management, for firms with staff who deal directly with retail customers, which makes clear that ‘tone at the till’ is also important. Therefore, firms now need to address conduct risks relating to personal behaviour, accountability and responsibility at all levels of their organization: the top, the middle, and the front line.

What is now clear is that increased personal accountability, a key element of conduct risk, is set to become a reality across the whole of financial services, in due course. It is likely that other jurisdictions will watch the implementation of the SMR in the UK with interest and may seek to adopt elements of it into their own regimes, as they have done with conduct risk. The BSB has noted that the US regulators are watching their work with interest.

Embedding the management of conduct risk into the firm’s operation

As can be seen from the examples of current regulatory thinking provided above, the identification, management and mitigation of conduct risk in a financial services firm is not the defined responsibility of one particular group over another (although named board members are likely to bear responsibility for different heads of risk). The Board has an important role to play, but will only be able to make the right decisions if it has received the information it needs from those who report into it. The control functions – risk, compliance and internal audit – are therefore critical in gathering and analyzing information from the business, which means they need to be equipped to ask the right questions, so that they can identify if there is a risk of ‘ethical drift’, for example due to the particularly poor culture on a trading desk where activity is dominated by one strong personality. Lastly, the business itself, as the first line of defence, needs to understand and embrace the role it has to play in effectively identifying the risks to which its area is exposed, rather than leaving this task to the risk or the compliance functions.

Across all areas of the business, certain skills and behaviours will be of particular value in ensuring conduct risk is managed well:

  • Strong and open lines of communication, so that tone from the top translates into action in the middle and tone at the till
  • Coherent and co-ordinated reporting, both at firm and group level, and seeking to encourage a ‘culture of appropriate escalation’
  • Meaningful root cause analysis when problems are found
  • Swift and adequately resourced responses to problems, to rectify them, based on what is in the interests of the customer, rather than what it is expedient to do.

All of this must be achieved against an ever more demanding background of other regulatory initiatives, many of which overlap with concepts that are linked to conduct risk, for example the MiFID II product governance, remuneration, incentives, conflicts and best execution provisions that will apply to investment firms from January 2018, in the EU.