This article was paid for by a contributing third party.

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials of robust conduct risk frameworks and why new conduct risk metrics and monitoring approaches are required

The Panel

  • Steve LoGalbo, Director of Product Management, NICE Actimize 
  • Yaron Naor, Vice-President and General Manager, Americas, eLoomina 
  • Michael Kenney, Vice-President, Operational Risk, Freddie Mac 
  • Christian Hunt, Founder, Human Risk 
  • Moderated by: Phil Harding, Commercial Editor, Risk.net

Following the financial crisis that began in 2007–08 and the international regulatory onslaught that followed – primarily from the US and European Union – the cost of mishandling conduct risk is now greater for banking and financial institutions. Following the Enron scandal two decades ago and the ensuing enactment of the Sarbanes-Oxley Act in 2002, few envisaged a global financial crisis would result in the passage of the even more onerous Dodd-Frank Act (2010).

“Some of the events that triggered a change in the approach to conducting surveillance and some of the drivers that have helped us evolve to more mature conduct surveillance programmes … were the Libor scandal and collusion that resulted in several regulatory changes, lawsuits and fines,” said Steve LoGalbo, director of product management at NICE Actimize. He said firms need to ensure they monitor conduct risk like hawks as “such situations create damage in public trust of the financial markets.”

LoGalbo also stressed that the Dodd-Frank Act was a key driver of stability, intended “to promote financial stability in the US by improving transparency and accountability” in the financial system. “Ultimately we are trying to protect consumers from abusive financial services practices, and regulations across the globe evolved as well,” he said.

For example, in several developed jurisdictions, regulators are currently empowered to hold senior managers personally liable for the misconduct of their employees – most prominently evidenced by the Senior Managers and Certification Regime (SMCR) in the UK. Worse still, with teams more internationally dispersed, managing conduct and culture is more challenging than ever. “The new requirement recently with SMCR aims to embed personal responsibility into functions held by boards [of directors] and senior managers at firms,” LoGalbo added.

What do the numbers say?

During the session, two poll questions were put to attendees. Perhaps the starkest finding of the first question was that nearly 40% of attendees were unsure of when their organisations had last updated their conduct risk rules. Equally concerning is that only one in five (19%) declared themselves “very confident” in their entity’s systems and controls for monitoring conduct risk. While half opted for the more lukewarm “fairly confident”, the remainder (31%) claimed to be “not confident” – a figure that may raise a few eyebrows in an age of enhanced regulatory scrutiny.

Poll responses

When did your organisation last update its employee guidance and protocols on conduct risk?

Within the past year: 46%
Within the past two years: 11%
Within the past five years: 4%
More than five years ago: 0%
Unsure: 39%


How confident are you in your organisation’s monitoring systems and controls to detect misconduct?

Very confident: 19%
Fairly confident: 50%
Not confident: 31%
Highly concerned: 0%

Citing a recent survey from his company, LoGalbo pointed out that 82% of firms NICE Actimize surveyed are now giving conduct risk the same priority as financial risk. “That is a really significant change in approach to identifying risks other than the financial risks that firms can be exposed to,” he said.

Similarly, recent data from the Association of Certified Fraud Examiners (ACFE), shared by Boston-based panellist Yaron Naor, vice-president and general manager of eLoomina in the Americas, indicated that, based on interviews with thousands of fraud professionals, 51% of organisations had uncovered more fraud since the onset of the Covid‑19 pandemic. The same data showed that 71% expected fraud levels to increase and 38% increased their budgets for anti-fraud technology. 

“The good news is 80% of organisations implemented at least one or more changes to their anti-fraud programmes,” he said. 

The ACFE’s figures also noted that, in 85% of investigated cases, there were, in hindsight, red flags that could have been detected. 

Naor said that, ultimately, how such data is gathered from varying teams and groups within an entity “to actually detect those red flags sooner rather than later to make sure we prevent fraud from happening altogether” was key to ensuring sound conduct and governance.

“I am actually heartened by the surveys. Anyone who tells you their organisation’s framework can catch conduct risk 100% of the time is deluding themselves,” said Christian Hunt, founder of consultancy Human Risk. “We cannot say ‘job done, now move on to next thing’,” he added, chiding traditional tick-box compliance programmes, which he believes are too routine and perfunctory.  

The problems of compliance being practised in too focused, limited and segregated a manner also resonated with LoGalbo, who indicated that, five years ago, many of the largest financial firms still had siloed surveillance programmes.

“Manual or disconnected processes [involved] simply ticking the box. Lately, we have seen more emphasis on taking more proactive steps to a place where we can identify misconduct in better ways,” he said, adding that voice surveillance was not even on the radar of many firms a mere five years prior.

“Disconnected monitoring [was] taking place. You might have trade activity [overseen] in one team and electronic communications surveillance in another, or maybe not monitoring voice [data] at all. There was no real connection between surveillance taking place and that has now evolved,” LoGalbo said. 

Technological innovations in analytics are driving compliance experts towards new ways of surveillance and breaking down such silos. By bringing functions and analytical tools together, there has been an evolution in risk surveillance.

Such programmes are increasingly being enriched by a combination of “enhanced analytics, natural language processing and AI [artificial intelligence] to improve the way we understand data,” said LoGalbo. For example, he emphasised that organisational communications channels are ripe with “data points that can be leveraged by compliance teams to better detect risk”.

Another key driver of the movement towards greater use of data monitoring in enhanced surveillance is that traditional analytics were not designed to handle the volume of data with which modern institutions are routinely inundated.

“Regulations require us to capture and store more data. Obviously, that creates more challenges for compliance … Ultimately, we want to become more proactive and less reactive,” LoGalbo said, stressing the trend towards cloud storage and more advanced analytics.

Similarly, Naor noted that advances in behavioural science and AI could be used to identify risks at even earlier stages.

“We can now focus not only on highest-risk employees, but also those that are trending upwards that do not yet have a high score or [have not done] anything serious, but are going there. That is a valuable indicator to not only help identify fraud now but prevent fraud from happening in the future,” he said.

Reflecting on nearly two years of the pandemic, Naor highlighted that remote working environments required new communications platforms and controls. But it has been shown that, under such circumstances, “supervision and internal communications to educate and enforce policies and procedures became much more challenging”. 

While the concept of know-your-customer is as old as the modern compliance profession, increasingly the focus is on knowing one’s employees – and what they do on and off the job. The reason is that most corporate malfeasance these days stems from the acts of insiders. 

The monitoring function, by leveraging behavioural science capabilities, now enables compliance teams to understand employees’ behaviour and identify those signals that suggest they might be exposing their organisations and themselves to risk, said Michael Kenney, vice-president of operational risk at US mortgage giant Freddie Mac. 

“Leveraging data to expose suspicious employee behaviour or changing behaviour compared to how other individuals are working. Monitoring teams and surveillance teams are coming together,” he said. “Monitoring teams identify risky individuals so that surveillance teams can adopt a more proactive approach to looking at their activities.”

Keeping an open mind on conduct risk

At the outset of the session, conduct risk was defined as “any action of a regulated firm or individual that leads to customer detriment or has adverse effects on market stability or competition”. 

Yet it may be that outdated, myopic definitions of conduct risk stymie the creation of forward-thinking and adaptable compliance and risk mitigation programmes needed to counter the conduct risks that banking and financial institutions and multinational corporations face – possibly even creating blind spots to the threats of tomorrow.

“I would not fixate on what it is. Conduct risk is just a catch-all term,” said Hunt. 

For example, the UK Financial Conduct Authority (FCA) does not even define the term “conduct risk”. Such ambiguity is intentional, said Hunt. “It is not because [the FCA] cannot, but because it wants to keep it deliberately broad … It is an umbrella term that covers all of these particular issues.”

A key problem, he said, is when compliance, legal and risk professionals “think of conduct risk as a factory [where] we have robots doing things that we just need to reprogramme”. The consequence is that new methods or typologies of fraud and malfeasance may not be detected with such pedestrian approaches.  

In response to an audience query on whether “conduct risk was a risk driver, risk event or a risk impact,” Kenney responded, “It could be any of those but, first and foremost, you have to recognise it as a risk in your risk taxonomy and then also … think holistically about where the risk can manifest.” 

The key, he said, is in leveraging traditional pockets of risk management data and human assets across an organisation and looking at potential malfeasance more broadly when envisaging what the harm could be. “It could be a bad apple, process or the product. You have to think about outcomes other than what impacts the company itself.”

Hunt stresses the importance of senior management knowing what is going on and having the detail they need to make informed decisions.

“What does senior management need to know? What is it they need to see to have the sort of visibility that is expected of them? In the case of people in the UK, we are under SMCR. This is not just a regulatory expectation that you will have this under control – you are personally accountable,” he said.

His solution to the perennial quandary of how much is enough information? “I would [ask] those people in senior positions what [information] would you like to see? … One of the challenges when looking at something like conduct is that there are things that can be measured, some things are easier to measure and others much harder. There are things we might discover after the event that we might not have spotted beforehand.” 

Ultimately, Hunt concluded that conduct risk was never something that experts and the firms they served had ever truly come to grips with as a concept. “Businesses have thought about it and we understand reputational risk, but this is a 21st-century challenge. We need to be innovative … there is no single right answer, so we must think of the fact this involved human beings and take an adaptive approach,” he said.

The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.

Watch the full webinar, Establishing an effective conduct risk framework
