Conduct Risk framework – a guide for firms
Conduct risk: overview
Since its inception in April 2013 the FCA's regulatory approach has been underpinned by a strong Conduct Risk agenda. In particular, the FCA has made clear that it is determined to create a culture of good conduct at every level of the financial services industry to make markets work well and to produce a fair deal for customers. The FCA therefore expects all firms to have a strong Conduct Risk framework in place to facilitate a culture that delivers good outcomes both for consumers and the markets as a whole.
The FCA's key aim in relation to Conduct Risk is to ensure that firms do the right thing for their customers whilst keeping them, and the integrity of the markets in which they operate, at the heart of everything that they do. Firms should seek to promote good behaviour across all aspects of their organisation and develop a culture in which it is clear that there is no room for misconduct. Although "treating customers fairly" has long been part of the retail regulatory framework, Conduct Risk should not be seen as merely an extension of this. Linked to this is the commonly held misconception that Conduct Risk is only a retail issue. The FCA is just as interested in the role that wholesale conduct plays in underpinning the integrity of the markets in line with its objective to protect and enhance the integrity of the UK's financial system. It therefore expects both wholesale and retail firms to have properly functioning Conduct Risk policies and procedures in place.
Firms that are unable to demonstrate how they are working towards this goal are likely to be required to take action by the regulator. Therefore, all firms should ensure that they have a robust Conduct Risk framework in place which is proportionate to their size and the risks that they face.
Conduct Risk is not a defined term and the FCA has expressly stated that it is not suggesting that there is a single regulator-approved identikit culture that will suit every organisation. Rather, firms must develop their own Conduct Risk definition and strategy tailored to the specific risks that they are exposed to and the needs of their organisation. However, in a speech by Tracey McDermott in 2015, the key messages of which were repeated by Megan Butler, Director of Supervision on 28 September 2017, the FCA has set out five questions which every firm will be expected to answer.
Conduct risk: 5 key questions
The FCA has emphasised that, in line with its Conduct Risk agenda, it expects firms to move away from the following behaviours:
- prioritising profits over ethics and commercial interests over consumer interests;
- a tick-box and overly legalistic approach to compliance;
- the idea that disclosure at the point of sale absolves the seller from responsibility for ensuring that a product/service represents a good outcome for the customer (note the continued erosion of caveat emptor); and
- complying with only the letter (rather than the spirit) of laws and regulations.
It has also set out five key questions which it expects firms to ask themselves and be able to answer to the regulator.
- What proactive steps does the firm take to identify conduct risks in its business?
- How does the firm encourage people in front, middle, back office, control and support functions to feel responsible for managing conduct?
- What support does the firm put in place to help its people improve the conduct of their business or function?
- How does the firm's board and executive committee get oversight of conduct in the organisation? And how do people bring it into their discussions?
- Has the firm looked at where there are any business activities it is engaged in that undermine its work to improve conduct?
These questions aim to probe how firms embed long-term good business practice, and how a firm considers good conduct in its training and induction programmes.
When assessing Conduct Risk, the FCA will consider a firm's approach to these matters, and also whether the board is engaged with these issues.
As an example, the FCA has stated that it will look to see whether the board of a firm probes high return products/services and the extent to which the board monitors whether products are being sold to the markets that they were designed for. This will become even more important with some of the changes brought in by MiFID II product governance and the PRIIPs KID Regulation. It also suggests, in our view, that product governance should be embedded within a firm's conduct risk framework.
The FCA has also given the example of cyber and information security having a ‘huge conduct element – including basics like clear desk policies and phishing scams’. The FCA notes that it is also seeing conduct risk in emerging areas such as algorithms.
The FCA also wants firms to consider how employees in the firm are incentivised. This may include more than just financial incentives. The FCA gave the example of a firm where a member of staff with a good P&L gets promoted or rewarded even if they bend the rules, and, in contrast, a firm where positive role models are identified and championed.
The change to embed these principles is likely to represent a significant cultural shift for some firms and accordingly it is important to ensure that this change in the regulatory environment is taken into account when designing a firm's Conduct Risk management framework.
In addition, the FCA has made clear that it intends to hold senior management to account for Conduct Risk failings, particularly through the Senior Managers' and Certification Regime rules, and accordingly, a strong Conduct Risk framework is an important tool in protecting senior management from such liability.
Conduct Risk framework: a high-level guide
| Element | Key questions and considerations |
|---|---|
| Assessment | What are the Conduct Risks that the firm is exposed to? Examples of key risks may include insider dealing, conflicts of interest, product design or mis-selling through inappropriate incentive schemes. What controls are in place to monitor and mitigate these risks on an ongoing basis? How will it be ensured that these controls remain fit for purpose? A gap analysis should be conducted to assess any additional controls that need to be put in place. Do any changes need to be made within the organisation from a cultural/values perspective? How can this be tracked? How will this Conduct Risk assessment be periodically refreshed? |
| Definition | What does Conduct Risk mean for your firm? What understanding do you want employees to have in relation to Conduct Risk? |
| Strategy | A clear relationship between Conduct Risk and business strategy should be established. The FCA will expect firms to be able to demonstrate/evidence how Conduct Risk matters are driving business strategy and decision making. What is the firm looking to achieve from a Conduct Risk perspective? What does success look like? |
| Risk Appetite | Risk appetite should be informed by the key outcomes from the Conduct Risk assessment and the Conduct Risk strategy. Consider the link to the FCA's key objectives of good customer outcomes and market integrity. |
| Governance and Accountability | Clear lines of responsibility and accountability for Conduct Risk should be established. Consider the appointment of a specific Head of Conduct Risk and a specific Conduct Risk Committee (or committees), including a reporting line to the relevant senior manager if the Head of Conduct Risk is not him/herself a senior manager. Responsibility for the overall culture of the firm sits with senior management, who should set the tone for how their staff behave (senior management will be held to account where they share responsibility for conduct failings). How will a top-down, rather than a Compliance-led, process be ensured? Periodic reporting to the board, as well as leadership by senior managers, is critical. |
| Metrics | How will Conduct Risk be monitored? Consider the use of specific Conduct Risk KRIs and Management Information (MI). Regtech solutions also offer new ways of monitoring behaviour that falls outside a baseline norm. MI should be reported at board level. How will senior management demonstrate/evidence how they use this information (for example, to drive business strategy)? |
| Embedding | How will Conduct Risk matters be embedded into existing processes, procedures and practices? Consider the use of a Conduct Risk policy, specific Conduct Risk training and awareness-raising initiatives. How can employees be incentivised and rewarded in a way that encourages the right outcomes? Remuneration, recruitment, performance management and promotion policies should be reviewed/amended to ensure that they are reinforcing the right values and embedding good behaviour. Consider the role of HR in hiring and promoting those who practise good conduct. |