The definition of Conduct Risk
Conduct risk has been a defining theme of the Financial Conduct Authority in much the same way that treating customers fairly defined the Financial Services Authority.
There is much that is similar between those two initiatives. Both are focused on the outcomes of firms' actions, rather than compliance with detailed rules. Ticking boxes is out, risk management is in. The regulator itself has deliberately avoided defining the term "conduct risk", preferring firms to create their own definitions that are relevant to their individual businesses.
Thomson Reuters discovered in its Conduct Risk Report 2014/15 that 81 percent of firms remained unclear about what conduct risk was and how to deal with it. Next year's survey is now open for participation. This article will propose a definition of conduct risk driven by the FCA's own reasons for inventing the concept in the first place.
Conduct risk and operational risk
Conduct risk seems to overlap substantially with operational risk, which is defined by the Basel Committee on Banking Supervision (BCBS) as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". The BCBS definition explicitly includes legal risk and excludes strategic or reputational risk. It seems likely, therefore, that there is substantial overlap between operational and conduct risk, although conduct risk does include strategic and reputational risks.
Not all firms are required to maintain a formal operational risk process, and for those firms without such a process a focus on conduct risk in effect requires its development.
The FCA's starting point
Although the FCA has not defined the term, it is possible to create a definition by considering the FCA's general approach to regulation and what it hopes to achieve by its focus on conduct risk, particularly in the aftermath of the financial crisis.
Conduct risk was born in part at least out of a realisation that firms must regulate themselves to a significant extent. The FCA has a headcount of less than 3,000 people whereas the financial sector it regulates is reckoned to employ around two million people. This disparity in size means that the FCA cannot adopt a policing style of regulation. Firms must instead be relied upon to understand what outcomes are likely to flow from their actions in respect of the FCA's statutory objectives. Those objectives are:
- Consumer Protection;
- Market Integrity;
- Effective Competition;
This approach suggests that the broadest definition of conduct risk is "all risks associated with activity by the firm which could threaten consumer protection or market integrity". Possibly the definition should also reference competition, but for the moment at least competition seems to be a rather separate element of the regulatory regime. Larger firms will already have access to legal advice to ensure that their activities stay on the right side of competition law.
Behaviour and the nexus with consumers
It is well understood that any business area where consumers interact with representatives of the firm may well involve conduct risk. The proposed definition also brings into scope activities that are more indirect in their impact on consumers and markets. Setting the firm's strategy is a good example of that. The FCA certainly expects firms to understand how their business strategy will affect consumers and markets, yet the activity of setting strategy is of itself remote from consumers and needs to be implemented to touch them.
Technology risk is another area of regulatory concern but consumers' interaction with firms through technology by definition takes place without any human contact from those firms. Nevertheless, the FCA expects firms to understand how their technology will affect consumers and markets. There have been a number of incidents in recent years where substantial problems have arisen for consumers through the systemic failure of technology. These risks must surely rank as conduct risks.
Thinking about conduct risk: threshold conditions
The definition proposed above might be criticised as being too expansive in nature. Narrower definitions may fail to detect the full scope of a firm's exposure to conduct risk, however, particularly given that regulatory focus will change over time. Making sense of risks at this high level is difficult. Fortunately, the regulatory regime provides something of a helpful framework for identification of the risks.
Under the Financial Services and Markets Act 2000, the FCA is required to consider whether firms meets the "threshold conditions". The assessment is done at the point of authorisation, but the act is clear that the FCA must keep firms' compliance with the threshold conditions under continuous review. The Threshold Conditions (COND) module of the Handbook provides guidance on the threshold conditions, which comprise:
- The Location of Offices;
- Effective Supervision;
- Appropriate Resources;
- Suitability;
- Business Model .
Firms could usefully consider what risks their activities present to their ability to meet the threshold conditions. For example, COND 2.3 deals with "effective supervision" and notes that the following matters are relevant:
- The Complexity of the firm's Pproducts;
- The way the firm's business is Organised;
- The firm's Close links with Others;
COND 2.4 deals with appropriate resources and includes consideration of business continuity, and there are other areas where firms could usefully assess their risks of compliance with the threshold conditions.
A review of the threshold conditions may not identify every one of firms' conduct risks, but as a starting point it has the advantage that it is the very basis which the FCA must itself use in assessing firms.
Developing a common standard
The absence of a definition means that firms have had to create their own definitions of conduct risk. Perhaps inevitably, these definitions are different from each other, and some will be better than others. Thomson Reuters has completed a conduct risk survey for the last two years, with the intention of developing best practice. Participation in the next survey, which can be accessed here is now invited.
Ashley Kovas is a member of the regulatory intelligence team at Thomson Reuters Regulatory Intelligence. A Chartered Fellow of the Chartered Institute for Securities and Investment (CISI), he has worked for the Financial Services Authority, asset managers, banks and insurance companies. He is the author of "Understanding the Financial Conduct Authority: a Guide for Senior Managers"; the views expressed are his own.