Culture and Consumer Protection – The Role of Compliance - Gráinne McEvoy, Director of Consumer Protection
08 November 2018
Speech
Address to the Association of Compliance Officers Ireland 2018 Conference on Culture Conduct and Compliance
I am delighted to be here at your conference on Culture, Conduct and Compliance. You have asked me today to speak about the role of culture reform in leading to better customer outcomes, the role of compliance in delivering that reform and finally the implications of digitalisation for consumers. This ask could not be more timely from the Central Bank’s perspective as conduct and culture are very high up on our regulatory agenda.
Introduction – the cost of misconduct
Given that misconduct can cause consumer detriment and even threaten the safety of financial institutions, regulators are increasingly focusing on how firms identify and manage conduct risk.
In the aftermath of the financial crisis, the regulation of conduct and consumer protection was reformed. There is now a recognition that firms should seek to prevent misconduct through the entire lifecycle of their interaction with customers – from the initial design of products, to distribution and complaints handling, and appropriate redress and compensation if things go wrong. These reforms are supported by additional rules and requirements and intensive supervision of firms. Yet despite these efforts, misconduct scandals continue to erupt regularly. Indeed, in the decade since the financial crisis, global banks’ misconduct costs have reached over $320 billion and public trust in financial institutions remains very low.
A recent example of the misconduct trend was with the US bank - Wells Fargo - that was opening accounts in customers’ names without their permission. Wells Fargo set its sales teams the task of selling eight products to each customer and tied compensation and bonuses for employees who reached these targets. It worked partly because the goal of meeting the target had the effect of shielding employees from considering the ethical implications of opening accounts that clients neither wanted nor knew about.
Just last month, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry in Australia published its interim report. It questioned the motivation behind the practice of charging advice fees to the dead and suggested the answer seems to be greed – the pursuit of short-term profit at the expense of basic standards of honesty.
Ireland, of course, has had its own recent misconduct issues after banks denied customers a tracker mortgage or put them on the wrong rate with sometimes devastating consequences up to and including the loss of homes in some cases. The banks have so far been required to pay out €580 million in redress and compensation to those customers.
These persistent misconduct issues have damaged trust in financial institutions, both globally and domestically. Indeed, Ireland is the least trusting of the financial services sector, according to the 2018 Edelman Trust barometer.
These issues have also prompted regulators worldwide to consider whether intrusive regulation and compliance measures are sufficient to deliver fair consumer outcomes. Increasingly, the international regulatory focus is on transforming the culture in the financial services sector.
What is Culture?
You will not find the avalanche in a single snowflake - but when enough snowflakes interact together in certain circumstances, an avalanche can ensue. And so it is with organisations. The experience of being in a group can change people’s behaviour. Indeed, research in behavioural ethics has shown that human responses are highly dependent upon situational and social pressures.
The Financial Conduct Authority has argued that there is “strong evidence that organizational culture and social norms affect the likelihood of rule breaking. ’’
Consequently, it is important to gain an understanding of what is culture, and how culture influences an organisation’s behaviour. While culture is somewhat difficult to define (and even harder to measure), we can deduce that culture is a learned and accepted set of shared beliefs and values that influence behaviours in an organisation.
Hence, it is crucial that organisations are aware of the important role that culture plays in shaping behaviour or “programming” the mind far more so than written rules. Culture guides people when there are no rules or no one is there to enforce those rules - “it is the way we do things around here’’. The President and CEO of the Federal Reserve Bank has noted that “culture shapes every conversation, every decision, and every action; it is at the root of whether an organization performs in a manner consistent with its mission, or not. ”
The Behaviour and Culture Review
During the course of the Central Bank’s Tracker Mortgage Examination, we identified a number of cultural issues that were standing in the way of fair outcomes for consumers. For example, we found banks taking a legalistic approach rather than doing the right thing by customers, and offering initial compensation proposals that fell well short of our expectations.
While the Examination addressed such issues, it also raised serious questions in our minds and in the minds of the wider public about the current - and not just the historic - culture in the banks. In July of this year, we published a detailed report assessing the current culture at AIB, Bank of Ireland, permanent tsb, Ulster Bank and KBC.
We worked with our Dutch counterparts in De Nederlandsche Bank (‘DNB’), recognised leaders in this field of behaviour and culture, and used a model combining the best of our respective culture and consumer protection frameworks. The aim was to provide a snapshot of the current culture in the five retail banks.
The findings of the Behaviour and Culture Report have been well publicised. Suffice to say, we found that they all have a distance to travel to embed a truly consumer-focused culture. The reviews found that while all five banks are working to embed a consumer-focused culture - one in which consumer needs are identified, discussed and taken into account - some banks are more advanced than others are. Additionally, we found the banks have much more work to do to ensure their organisations are sufficiently diverse and inclusive, particularly at senior level, to prevent groupthink, to guard against over-confidence and to promote internal challenge.
The outcomes of this work are naturally confidential on an individual bank basis. But we have sent the individual bank findings to the supervisory boards of each bank and have required them to create an action plan to address the concerns we identified and to mitigate the associated risks. We are in the process of presenting our observations in person to the boards of the retail banks to ensure we drive the conduct and culture message home and to impress upon them the high priority we are attaching to this issue.
It is globally recognised that regulators cannot prescribe culture for individual firms. However, regulators monitor, assess and influence culture within firms in order to guard against conduct risk and drive fair outcomes for customers.
Culture and Tone from the Top
We believe that organisations that have an effective culture share a commitment to high standards and values such as honesty, integrity and reliability. Like other regulators worldwide, the Central Bank is increasingly insisting that firms comply not only with regulations and with codes, but also that the people who lead regulated firms set the right tone from the top and create a culture that minimises the risk of misconduct.
We agree with Christine Lagarde, Managing Director, IMF, who said on a recent trip to Dublin that “those working in the financial sector must be as serious about values as they are about valuation, and just as passionate about culture as they are about capital.’’
As recently as April 2018, the Financial Stability Board identified lack of accountability for misconduct as a key cultural driver of misconduct and recommended that national authorities identify and assign key responsibilities, hold individuals accountable and assess the suitability of individuals assigned key responsibilities.
Individual Accountability
Against that background, the Central Bank is recommending individual accountability measures to drive better behaviour. These include proposed Conduct Standards for all staff in regulated firms, such as acting honestly, ethically and with integrity; additional conduct standards for senior management; and standards for businesses.
We are also recommending to government that a Senior Executive Accountability Regime (SEAR) be implemented through legislation which would place obligations on firms and senior individuals to set out clearly where responsibility and decision-making lies for their business. These requirements would assign responsibility to individuals and decrease the ability of individuals to claim that the blame for wrongdoing lay elsewhere.
The primary purpose of the Central Bank’s reform proposals is to act as a driver for positive behaviours and recognition of responsibilities by individuals.
Firms should ensure the standards to which they aspire are reflected in every business area including how whistleblowers are treated. In the case of systemic control failures within firms, staff often feel a disquiet or concern regarding how issues, including those affecting consumers, are being handled.
Whistleblowing
The Central Bank’s Protected Disclosures regime allows staff of regulated firms – and indeed members of the public - to provide information on suspected regulatory wrongdoing in a confidential form to the Central Bank. As you may be aware, people performing pre-approved controlled functions are under a legal obligation to report wrongdoing to us.
These reports are an important supervisory tool, which can provide information that might otherwise be unavailable to us. They have triggered action such as on-site inspections, the issuing of risk mitigation plans, firms being placed on a watch list and enforcement action. Further, the numbers of protected disclosures are increasing year on year – we received 113 protected disclosure in the twelve months to June 2018 compared to 79 in the previous year.
However, while we acknowledge how helpful these reports are, we also understand that this can be a difficult and indeed stressful step to take, as I am sure our next speaker, Eric Ben Artzi, will mention when he talks to you about his experience at Deutsche Bank.
Consumer Protection – Our Expectations
As Director of Consumer Protection, my objective is to ensure that the best interests of consumers are protected and that confidence and trust in the financial system is enhanced through effective regulation. The Central Bank expects the firms we regulate to understand the risks faced by their customers and to manage those risks effectively.
-
We expect firms to focus on delivering fair outcomes for consumers and not just on maximising shareholder return.
-
We expect firms to ensure all consumers are treated equitably, honestly and fairly at all stages of their relationship with the firm.
-
In addition, we expect that treating customers fairly should be an integral part of the good governance and corporate culture of all firms.
Our supervisory tools are evolving to help us assess how firms’ risk management frameworks are designed and governed and, importantly, how effective they are in practice at delivering fair consumer outcomes.
The Central Bank generally adopts a risk-based approach to supervising firms’ conduct at a sectoral, rather than firm-specific level. We are now moving towards intrusive supervision of specific firms, to complement our existing sectoral thematic engagements. We are developing models to help us determine which firms pose the greatest potential harm should conduct issues arise. We are increasing our supervisory intensity in the area of conduct and consumer protection risk to ensure that firms truly understand the importance of embedding a consumer focused culture.
Focus on Consumer Protection Risk Assessment
We will also undertake more frequent, targeted use of our Consumer Protection Risk Assessment (CPRA) tool. As you are aware, this tool assesses the design and effectiveness of a firm’s governance and control measures to enable it to identify, manage and effectively mitigate the risks it poses to consumers.
We want to see evidence of a clear understanding at board and management levels of key consumer protection risks. Boards must be able to demonstrate not only that there are controls and policies in place, but also provide concrete evidence that they understand the risks that their culture and behaviours pose to consumer protection and what mitigations and actions they are putting in place to address these.
Whether you are engaged in product development, changes to your services or changes to your strategy, you must be able to show that you have considered the impact on the customer. This is not only about tick-box compliance with our regulations and codes, but rather about being pro-active and pre-emptive and putting the consumer at the heart of the business.
Our view is that if banks wish to restore trust, they must earn it – this cannot be achieved solely through rules and processes, but also in the way they are interpreted and practiced.
I cannot stress enough that the starting point for every firm is to understand and define conduct and consumer risk in the context of its individual strategy, business model, culture, systems and controls. Our recent targeted CPRAs found that Irish regulated firms must do more work in devising working definitions of conduct risk. It should go without saying, but if you do not define the risk, then how can you possibly manage it?
I am aware that the Association of Compliance Officers in Ireland (ACOI) has played a key role in developing compliance, culture and ethics education and continuous professional development. The ACOI and the Institute of Banking recently launched two new educational qualifications on leading and managing cultural change in the financial services sector. I was particularly pleased to see the emphasis that these courses are placing on teaching participants about the importance of developing understanding of the CPRA, conduct risk, ethics and behaviour as key to the development of a consumer focused culture.
Protecting Consumers – Managing Digitalisation Risk
The Central Bank’s mandate is the proper and effective regulation of financial services providers and markets, while ensuring that the best interests of consumers of financial services are protected. We seek to achieve a trustworthy and resilient financial services system that sustainably serves the needs of the wider economy and its customers, where regulated firms and individuals adhere to a culture of fairness and high standards.
Every year our Consumer Protection Directorate carries out a review of the risks facing consumers, which informs our regulatory and supervisory focus. This includes both traditional and digital channels. While there are certainly cases where digitalisation can confer great benefits, we need to monitor certain risks including that digitalisation may lead to the exclusion of certain groups of customers – such as the elderly, the visually impaired and rural consumers without access to robust broadband. It is within the gift of firms to mitigate these risks.
Algorithms and robo-advice need to conform to the regulatory framework in the same way that is required of traditional channels so that customers’ interests are best served. To address any conduct risk, robo-advice must have responsible oversight. Separately, firms must manage the risk posed by the increased volumes of transactions taking place online - like vulnerability to cyber-attacks and the theft of personally and commercially sensitive information.
However, the greatest risk to consumers comes not from technological developments, but from the culture of the firms in charge of the technology. If you put new technology in the hands of people and firms who have the best interests of customers at heart, it is far more likely to result in positive consumer outcomes.
From the perspective of conduct regulation, we want to make sure that consumers and investors are, and continue to be, protected irrespective of the technology they are using to engage with regulated firms. This means that the same principles of regulation, including the rules of the Consumer Protection Code, apply equally to both digital and traditional delivery channels.
Conclusion – Rebuilding Trust
Finally, some experts are of the view that the only thing of real importance that leaders do is to create and manage culture. As regulators, we see great promise in an approach that combines a focus both on culture and on compliance with rules. We recognize, however, that changing culture is like moving a supertanker – it will not happen overnight. The boards and senior managements are custodians of the cultures of the organisations that they lead. It is their job to set institutional standards such as fairness, respect, integrity and honesty – to set the tone from the top, ensure it is echoed from the bottom up and visible throughout the organization. It is your job as compliance officers to help them identify and manage conduct and consumer protection risks to ensure that the consumer-focused culture is actually delivered on the ground.