Conduct risk что это
conduct risk
Conduct risk is the threat of financial loss to an organization caused by the poor judgment of managers and employees. Conduct risk management gained more attention in the corporate sector, and especially the financial field, after it was revealed that unethical behavior was a primary cause of the 2007 financial crisis. According to the Financial Stability Board, an international financial regulatory body, a major takeaway from the great recession of 2007 is that risk to a firm’s reputation should not be underestimated and more attention must be paid to improving the quality of products sold to consumers.
In the United States, a number of regulatory compliance bodies, including the Securities and Exchange Commission ( SEC), include corporate culture as a factor when considering enforcement actions and recommending punishments. For example, a compliance audit may evaluate:
The process for managing conduct risk will be different at each company based on factors such as the company’s industry and its customer base. In general, a successful step-by-step conduct risk management approach includes the following:
Conduct risk is often a problem during product development because it requires employees to actively manage potential risk issues throughout the product development lifecycle. Conduct risk management should not stop at product development, however, because it can permeate nearly every aspect business operations that involves customer interactions and does not fall under other risk categories such as credit, liquidity, market or operational risks.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) is responsible for the creation of the Consumer Financial Protection Bureau (CFPB), an independent regulatory agency within the United States Federal Reserve System. An important objective of the CFPB is to manage conduct risk by prohibiting unfair, deceptive or abusive acts or practices (UDAAPs).
Understanding Conduct Risk and How Organizations are Managing It
Overview
Over the last few years cost of conduct has increased significantly. While there is no clear definition and management framework in place, some of the companies have taken it head-on and defined approaches that can be adopted by similar firms across the geographies.
The Risk of Misconduct
Over the last few years, the cost of misconduct has increased significantly. The most notable has been the payment protection insurance (PPI) scandal that has already cost banks more than £18 billion* in fines in the U.K. Scandals such as this not only affect the bank’s financial stability but also its reputation, brand value, and customer confidence. The U.K. financial regulator, the Financial Conduct Authority (FCA), intervenes and imposes penalties where it sees unacceptable risk to the fair treatment of customers. According to the FCA, senior management must drive conduct risk mitigation and emphasize on a culture of keeping consumers «at heart of business.» The FCA recently said it will impose a deadline for making new PPI complaints and is launching a consumer communications campaign to raise PPI issue awareness and the deadline.
The increased level of scrutiny is not just a U.K. phenomenon. Around the world, regulators are taking measures to protect banking customers from unethical or unlawful practices. Asia Pacific regulators like those in Singapore (Monetary Authority of Singapore) and Australia (Australian Securities and Investments Commission) are introducing strict parameters to ensure responsible lending and insurance practices; and the Consumer Financial Protection Bureau (CFPB) of the U.S. is laying down new rules and stricter monitoring against malpractice in areas such as fair lending, mortgage servicing, insurance, debt collection, and the sale of ancillary products in connection with credit cards. While in the U.S., the Dodd-Frank Act focuses on internal business conduct requirements through a robust compliance and risk policy and external business conduct requirements (onboarding and pre-trade measures), the Market Abuse Directive contains provisions on insider information and market manipulation and the Financial Industry Regulatory Authority (FINRA) focuses on assessment of suitability of products for customers.
In addition to imposing fines, regulators have also introduced frameworks to monitor how banks and financial services organizations’ manage conduct risks and related exposures.
Apart from the regulatory pressures, customer satisfaction is also driving banks and financial organizations to look at conduct risk as an important area to monitor and control. Hence, organizations worldwide have created strategies and internal standards to ensure fair treatment of customers in order to meet regulatory requirements and achieve strategic competitive advantage by driving customer loyalty.
Addressing Conduct Risk
Given the continued issues around having an effective conduct risk culture, many organizations have introduced or are launching best practices to manage conduct risks. Even though implementing the principles and framework defined for managing enterprise or operational risks should be applicable to manage conduct risks based on checklists, processes and controls and having a code of conduct, the length and breadth of conduct risks and its applicability varies from one organization to another forcing them to look at enterprise-specific frameworks to manage these risks. Some organizations consider incentives and punishments related to behavior as part of the framework too.
To effectively manage conduct risks, one needs to understand the entry points of these risks in the product design, sales, and customer engagement value chain.
Best Practices for Managing Conduct Risk
Risk Identification and Assessment:
Risk identification is key for the success of any conduct risk management program. The risks may come from various channels including sales, product design, customer service, mortgage servicing, and debt collection. Once the risks are identified and documented, assessment methodologies have to be defined to evaluate these risks in a controlled manner. Aligning conduct risk appetite with strategic decision-making processes helps ensure that all business decisions are made in the best interests of consumers while meeting all required regulations. Conduct risk is included as a component when setting risk appetite, limit tolerance setting and cascading to business units.
Key Metrics:
There should be a flexible framework to define an organization’s appetite with established key metrics including key risk indicators, key control indicators, and key performance indicators for conduct risks. To ensure transparency, conduct risks should be factored into the business strategy, while risk appetites and key metrics should be aligned with the decision-making processes and corresponding risks and controls. Examples of key metrics are customer satisfaction score, tracking transparency and advice in the sales process, post-sales servicing and issue resolution, and know-your-customer cadence failures.
Mitigation and Control Management:
Once conduct risks are assessed, appropriate controls need to be defined and evaluated for their effectiveness in a timely manner. In order to identify, monitor, and mitigate conduct risks effectively, organizations would need to define controls proactively and measure the effectiveness and adequacy of these controls periodically.
Issue and Remediation Management:
Issues should not be limited to control deficiencies alone but should be reported from any area such as customer complaint, product design, sale of a financial product, etc. Issues need to be recorded and routed through a systematic investigation and remediation process along with automated alerts for tracking issues and action plans throughout their lifecycle.
Complaints Management:
Organizations need to have an integrated and streamlined approach to record, investigate, and remediate customer and internal complaints about a firm’s or employee’s conduct. Complaints can be captured either through risk assessment surveys, or via phone calls, emails, or online portals, and addressed similarly as an issue.
Survey Management:
Surveys and questionnaires are widely used to assess employee behavior with customers and identify any underlying issues and complying with the regulations.
Besides these, tracking performance metrics, targets, compensation and reward are also key parts of the framework. To support this information reporting, metrics and conduct risk reporting and analysis to inform senior management, enabling them to provide the necessary oversight and evidence is also a key requirement.
How Organizations Around the Globe are Managing Conduct Risks?
Some of the banking and financial organizations have been proactively managing conduct risks with the help of technology and tone-at-the-top approaches.
Following are some of the stories of companies managing conduct risks:
A Leading Life Insurance Organization in South-East Asia uses KPIs to Measure Conduct Risk
In South-East Asia, the regulatory landscape of the life insurance industry is changing in response to initiatives proposed by the Monetary Authority of Singapore (MAS) under the Financial Advisory Industry Review (FAIR). Targeted at modifying the way life insurance products are advertised and traded, the FAIR proposals recommend a Balanced Scorecard (BSC) framework for the remuneration of financial advisors. The BSC framework is targeted at promoting good behavior by encouraging advisors to meet “non-sales” KPIs such as providing quality advice and suitable recommendations to customers.
With the help of technology, the company streamlined and automated their performance review process and regulatory reporting on a periodic basis. The exercise also helped the organization motivate its financial advisors to provide quality information and appropriate recommendations to customers. The organization ensured compliance with FAIR’s BSC framework proposal by reviewing and assessing the performance of financial advisors based on “non-sales” KPIs, and generate reports to relevant stakeholders. Measurement methods included post transaction checks, mystery shopping exercises, and infractions arising from complaints.
Pre-built and customizable reports enabled the organization to create internal information matrix which provided proactive capability to track conduct related issues, linked conduct to quantifiable parameters, provided visibility to executive management and reported externally to the regulator.
A Large Bank in Europe uses Risk Assessment to track Conduct related Risks
A Large Financial Services Organization in the U.S. Leverages Surveys to Measure Conduct Risk related to Vendors
The organization was facing issues to identify risks related to supplier conducts. The organization leveraged technology to automate surveys to identify risks related to supplier conduct risks. Surveys were conducted for agents to measure conduct risk by checking for number of escalations, exceptions, exemptions, query response time, and customer complaints. While the centralized repository enabled the organization to store, automate and manage surveys, the aggregation mechanism enabled it to report on exceptions, issues and conduct related risks in a timely manner.
Conduct risk: delivering an effective framework
Every company faces a unique set a conduct risks based on their industry and size. Building an effective framework for managing that risk can be a Herculean task. We have identified six core areas to simplify the process.
Highlights
Also on home.kpmg
Since the Financial Conduct Authority (FCA) took over the supervision of consumer protection in 2013, conduct risk has risen to the top of executive agendas.
Conduct risk is broadly defined as any action of a financial institution or individual that leads to customer detriment, or has an adverse effect on market stability or effective competition. The FCA has deliberately set out a very wide definition of вЂconduct risk’, leaving the onus on financial services firms to prove how they are protecting customers.
Businesses that fail to bring conduct risk in line face regulatory action, fines, and reputational damage, which can harm a business for years beyond the event. We have seen significant financial impact on firms due to conduct-related regulatory action—and it can all stem from the actions of an individual.
Because there is a high public interest in conduct risk infringements, it is increasingly important to take a holistic view for an effective defence.
Identifying conduct risk
Most businesses stress the importance of senior executives playing a role in conduct risk, particularly in helping to raise the visibility of a programme. Firms with in-house initiatives are intrinsically better at identifying drivers of conduct risk, such as conflicts of interest.
Even with a conduct risk programme already in place, some firms still focus too much on crystalised risk, such as fines and losses, as opposed to developing forward looking risk indicators. Another core question to consider is: when does a product or behaviour move from being reasonable to unreasonable? We call this the tipping point analysis.
Drivers of conduct risk
Understanding and addressing the drivers of conduct risk is essential in improving standards of behaviour. While the starting point for this journey varies from firm to firm, there are three core areas at the root of conduct risk:
While measuring conduct risk can be a challenge, it may be helpful to assess drivers through three lenses: specific business units; the overall firm; and the strategic medium to long term outlook.
Putting the framework together
Conduct risk programmes should be tailored to the needs of each firm based on size, business model, and geographic reach. The framework should take into account both short and long-term goals. The firms we have seen with the most successful programmes have regular board-level reviews that assess and challenge the programme. Scenario planning is a key consideration.
While there is no one-size-fits-all solution, we have identified six core areas for a successful conduct risk framework that can be seen in the diagram below. It covers governance, culture and behaviour, inherent and external risk assessment as well as key conduct controls and conduct management information.
6 Steps to Minimize Conduct Risk
A Framework for Assessing Regulatory Maturity
In the current regulatory environment, banks find it complex and challenging to interpret and assess regulatory requirements on conduct risk. In this this article, experts from Tata Consultancy Services suggest a robust approach for assessing the level of maturity attained by a bank in conduct risk vis-à-vis regulatory requirements and a remediation plan to bridge gaps.
with co-author Sasidharan Chandran
Conduct risk is a key emerging risk and has been defined by the Financial Conduct Authority (FCA) as “the risk that firm behaviour will result in poor outcomes for customers.” Conduct risk has evolved over the years from being an underestimated and unattended risk to one of the major risks faced by banks.
In addition to sizeable regulatory fines and costs of remediation, banks consider reputational damages as a prominent cost of conduct risk. With the digital landscape evolving and changing the way how businesses are run, digital conduct and analytics has been one of the major areas of focus for banks in the recent years. This has been underscored by the FCA in its annual business plan 2017/18, where it has identified technological development as one of the forward-looking areas.
Conduct Risk Challenges Faced by Banks
In this dynamic and complex regulatory environment, banks are finding it challenging to interpret and assess the requirements to implement conduct risk regulations. Factors contributing to the challenges include inadequacies in risk governance structures, lack of clarity about various components of conduct risk, ambiguities in clearly separating conduct risk from operational risk, deficient approaches to estimation and ill-defined metrics of conduct risk.
Though there are frameworks present in the market to assess conduct risk maturity, they lack aggregation of maturities at desired levels. The need of the hour is to put in place a unified and flexible framework to address multiple dimensions of conduct risk. The suggested conduct risk assessment framework would help manage some of the highlighted challenges.
Conduct Risk Capability Assessment Framework
The Conduct Risk Capability Assessment Model provides banks with an approach to assess gaps in conduct risk maturity, their root causes and remediation of gaps at granular levels. In other words, this is a tool for assessing the level of maturity attained by a bank vis-à-vis regulatory requirements.
The core purpose of the framework is to assess and quantify the level of maturity in complying with regulatory requirements. Maturity is measured by comparing the gap between current and target maturities. For the identified regulatory rules, key performance indicators were developed and used to derive the gap between current and target maturities. The rating model implemented in the framework enables a rollup of gaps at various levels, including lines of businesses, legal entities and banking groups.
Framework Approach
The methodology involved the following steps:
Example – A non-exhaustive list of components are product governance, marketing and selling, customer care, misuse of information, complaints management, market manipulation and insider trading.
Example – The Financial Conduct Authority’s Conduct of Business Sourcebook was interpreted and mapped to conduct risk components – product governance, customer care and marketing and selling. The risk components were further divided into conduct risk sub-components.
Example of a KPI belonging to the product governance component – Provide evidences for the presence of senior management approved detailed procedures and processes for product information preparation.
Example – All in-scope KPIs were mapped to the predefined and standardized root causes. A non-exhaustive list of root causes are board-level policies, board articulation, customer complaints, SLA violations, etc.
Example: The current maturity of the KPI mapped to “early stages” (requirements gathering has been completed. approach, methodology and implementation of the gathered requirements are being discussed/debated) and target maturity mapped to “fully integrated” (1.Policies, processes, evidences and other documentation required for the capabilities are with necessary approvals and are covered fully 2.Metrics for measurement, monitoring and remediation are in automated form).
Example – The framework provides a high-level plan to achieve higher levels of maturity (fully integrated state) from the lower levels of maturity (early stages state).
Framework Highlights
The assessment framework adheres to a set of standards with a view to supporting banks in their conduct risk journey, regardless of their current position.
Adherence to the Three Lines of Defense (LoD) Model
The three lines of defense model ensures coverage of all levels, namely business lines (first line), risk and support functions (second line) and internal and external audits (third line). For example, assume a regulatory requirement mandating avoidance of misselling of banking products to clients. This was approached from all three lines of defense and key performance indicators (KPIs) were formulated.
The KPIs check for:
Highly Objective Taxonomy
To avoid subjectivity creeping into the model, each technical term has been defined. Criteria to determine the level of maturity was defined through the presence or absence of certain attributes. By following this, each capability, sub-capability, stages in the maturity of compliance and measures used in KPIs were defined.
Aggregation of Gaps through Standardization and Rating Model
Use of standardized root cause category was instrumental in grouping together similar causes. This enables comparison among various conduct risk components and sub-components. The rating model used in the framework completely preserves gaps at granular levels even when they are aggregated. With this unique feature of aggregation, the framework can co-exist with and can supplement GRC systems of banks in analysing gaps in compliance.
Structured Approach to Remediation
Based on the desired level of maturity, a high-level plan to gradually move from lower levels of maturity to higher levels is made available as part of the framework. For each root cause category, a list of tasks to be initiated and milestones to be reached have been indicated. With the adoption of the three LoD model, remediation covers all three lines in a judicious manner.
Concluding Remarks
Key recent regulatory development is focused on improving risk culture; revamping remuneration and rewards; and fit and proper regimes. Global standard setters are also currently examining the systemic nature of the conduct risk with a view to mandating globally acceptable but locally relevant standards. This is expected to change the conduct risk landscape further, necessitating consistent and ongoing review of regulatory maturity at granular levels.
CONDUCT RISK SOLUTIONS
Conduct risk is a priority for banks. Daniel Melo, Senior Director for Fair Isaac Advisors, FICO’s consulting practice answers our questions about conduct risk and discuss how models and systems designed to address conduct risk can help identify and measure other operational risks while improving business efficiency and increasing the return on your investment.
Please give a brief description of conduct risk and its meaning to the layman.
Daniel Melo, Senior Director for Fair Isaac Advisors, FICO’s consulting practice
Conduct risk usually refers to the risk a bank’s misconduct poses to a bank’s customers, but the risk is also there for shareholders and the bank itself. When a bank has inappropriate policies, or policies that are not followed by its employees, this can result in large losses, fines and inappropriate charges. You can read about conduct risk nearly every day in the UK, where many of the top banks have been tarnished for PPI misselling, LIBOR fixing and other bad practices. This has led the Financial Conduct Authority to tackle conduct risk head on.
With so many potential implications for customer satisfaction, organisational reputation and regulatory compliance, every financial institution, its organizations and employees, need to put conduct risk in the center of its radar. In some cases, it may mean the introduction of new policies or processes that could require significant cultural change within the organisation.
Given the problems banks are facing in other markets, you’d think conduct risk would be a universal focus. But it isn’t. Outside the UK, the term is rare, and fewer banks are focused on creating a systematic way to prevent the kind of fraud, waste and abuse that leads to catastrophic fines, losses, lawsuits and reputational damage.
How can using a systemised approach in addressing conduct risk benefit both the customer’s experience as well as the efficiency of the business employing the system?
Banks have started to tackle conduct risk mitigation by assessing priority areas and reinforcing guidelines for conduct. But most have not yet determined how to operationalize conduct risk mitigation into everyday decisions and systems. It’s one thing to tell people to behave and follow procedures, but how do you make sure they’re doing that? How quickly can you identify a problem?
To provide excellent service and a fantastic customer experience, all financial institutions must manage their conduct to reduce or mitigate the risk of errors and mistakes. The advantage of a system for managing conduct risk is that it enables you to monitor activity at the right level of granularity, automatically detect when a certain behavior or action falls outside established parameters, and immediately create a case to correct the behavior. Banks use this kind of automation in all their customer decisions — it has equal value for monitoring and guiding internal actions.
Systematizing conduct risk management also enables you to identify areas that need improvements. Are there gaps exposing the institution to claims of wrongdoing? Could one mistake lead to more and make the problem bigger? Is it worthwhile taking action to change the process (balance between risk and reward)? Can you identify any priorities that would justify the investment?
Please explain how, by adopting an analytics-based system, banks can restore trust in both their consumers and the regulatory bodies they are aligned to.
The adoption of analytics restores trust by enabling the prediction of breaches and the prescription of actions to reduce and/or eliminate breaches. The combination of predictive and prescriptive analytics with continuous learning loops enables a systematic approach to Decision Management capable of significantly increasing the adaptive agility of an enterprise, as well as the quality of its operations.
Building conduct risk measures into each stage of the customer lifecycle as needed—making it part of day-to-day operations—can help ensure that the right steps are taken as a matter of course, lessening the burden on employees and ensuring every customer interaction is watertight. An analytics-based system works by encoding a bank’s rules and parameters right into the bank’s operations. It’s a way of ensuring that the correct actions are taken, and that any actions that appear to be outside the bank’s standards are flagged – much as the bank would flag a credit card transaction that looks suspicious.
What we tend to hear when banks encounter conduct risk issues is “We didn’t know this was happening.” When you have the right system in place, that won’t be an issue.
In what ways does data-driven analytics provide a clearer insight to tell a bank where their next conduct risk exposure may come from?
Many banks have traditionally taken an expert-led approach to compliance and risk management, relying on individuals to identify trends and predict customer behaviour. However, these analyses are often subjectively biased and do not always provide a clear measure of risk. In addition, manual assessments can quickly become overwhelmed when faced with large account and customer volumes.
While expert opinion is essential when designing the policies and processes that address both business opportunities and conduct risk responsibilities, it is data-driven analytics that can provide the clearer, deeper insight that will tell you where your next conduct risk exposure is coming from.
With this understanding, you can make more accurate decisions about what policies and processes you need to implement and more effectively measure their impact. Analytics-based Link Analysis is also critical in spotting chains of error or malpractice. While an individual instance of customer detriment is of course undesirable, when repeated it becomes part of a wider pattern or habit among your employees that could create a multifaceted and significant conduct risk exposure. Being unable to spot these connections could leave your organisation vulnerable.
For example, say staff at a particular branch are trying to boost their monthly sales figures by selling high-value long-term savings products to customers in their 80s. While the sales may make the branch staff happy and add to the bank’s revenue, the products sold are not appropriate to the target group or in the customers’ best interest. They could result in a significant compensation bill, not to mention reputational damage for the bank, should consumers and regulators become aware of the practice.
Using tailored analytic models across all sales activity and customer interactions will enable you to predict where your conduct risk efforts should be focused. We help our customers harness decision models that utilise a vast range of conduct risk inputs and other variables to identify decision strategies that balance profit, regulation and customer satisfaction.
FICO provide many solutions to address the problem, are there any ways in which a bank can use an analytics-driven framework to manage their conduct risk which will turn it into a competitive business advantage?
We believe there is a significant first-mover advantage, and those banks that take proactive action now have a lot to gain. Not only will they avoid penalties from the regulator and compensation payouts to customers, but they will also create proof that they are living up to their customer charter.
More transparent customer service and fairer treatment are what many consumers are demanding—and the ones that get it are likely to respond with increased loyalty. Combating conduct risk is an undeniable challenge, but the tools to meet it are at hand. A fully operationalised, analytics-driven framework will help harness and manage your conduct risk exposure and turn it into one of your greatest competitive advantages.
What new innovations is FICO working on over the course of 2014?
FICO’s innovation imperative is to enable Analytics-driven solutions by aggregating all of the necessary capabilities, and then, connecting them. FICO subscribes to the notion that the mitigation of conduct risk requires a systematic approach.
Customers implementing a conduct risk solution must consider
1) The management and integration of the rapidly growing sources of structured and unstructured data
2) The integration of typically disjointed enterprise processes
3) The deployment and proactive management of models
4) The deployment of persistent feedback loops
5) The deployment of actionable performance dashboards, and last but most importantly
6) The deployment of a cohesive and agile decisioning capabilities.
In 2014, FICO is introducing a number of new capabilities organized in a complete and fully integrated Stack designed to solve for all of these challenges. The FICO Decision Management Platform is at the center of the Stack. It delivers a real time, Analytics-driven decisioning engine complemented by modeling, rules management, and optimization capabilities. Complementing the FICO Decision Management Platform, the company will also introduce the FICO Analytic Cloud, a first of its kind. Not only will it deliver the power of FICO’s Decision Management Stack, it will also serve as the collaboration hub for data scientists, analysts, developers, and integrators to solve for fundamental business challenges, such as conduct risk.