Conduct Risk in Financial Services

To help you stay on track for regulatory success

By Lee Werrell Chartered FCSI FISMM

Disclaimer
Lee Werrell 2014 All rights reserved. 1st Edition Publisher: Lee Werrell
The Publisher and/or author has strived to be as accurate and complete as possible in the creation of this publication, notwithstanding the fact that he does not warrant or represent at any time that the contents within are accurate due to the rapidly changing nature of the Internet. While all attempts have been made to verify information provided in this publication, the Publisher and/or author assumes no responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of specific persons, peoples, or organisations are unintentional. This book is not intended for use as a source of legal, business, regulatory compliance, accounting or financial advice. All readers are advised to seek services of competent professionals in legal, business, regulatory compliance, accounting, and finance field. While examples of past results may be used occasionally in this work, they are intended to be for example purposes only. No representation is made or implied that the reader will do as well from using the suggested techniques, strategies, methods, systems, or ideas. The Publisher and/or author does not assume any responsibility or liability whatsoever for what you choose to do with this information. Use your own judgment. This material is based on UK regulatory guidance at the time of publication and may apply to worldwide applications but this will be subject to your own judgement. Any perceived slight of specific people or organisations, and any resemblance to characters living, dead or otherwise, real or fictitious, is purely unintentional. In practical advice books, like anything else in life, there are no guarantees of income made. Readers are cautioned to reply on their own judgment about their individual circumstances to act accordingly. ALL RIGHTS ARE RESERVED. No part of this book may be reproduced or transmitted in any form or by any means, electronically or mechanical, including photocopying, recording or by any informational storage or retrieval systems without express written permission from the publisher. This EBook is intended to be printed on acid free paper Printed in the UK with World-wide rights attached

Facebook: https://www.facebook.com/Lee.Werrell.EBooks Facebook: https://www.facebook.com/ComplianceConsultant LinkedIn: uk.linkedin.com/leewerrell Twitter @leewerrell @complianceconst

Conduct Risk: How To Build An Effective Framework

Conduct Risk is the buzz phrase in the financial services world today. Throughout the recruitment job boards and ringing around the recruiters offices abound the titles of "Conduct Risk Managers" or "Head of Conduct Risk"; but very few seem to know what this involves precisely. There is obviously a great deal of information available including reasons for failure and fines that point you in the right direction, however, try to enter a Boolean search (containing the search term in inverted commas) for "Conduct Risk" into the handbook search box and you will find that it is not specifically defined in the regulator's handbook and nothing can be found between COND and conflicts of interest policy in the Glossary. From the various speeches and publications, a number of focus areas become evident and include; Aligning business models to fair treatment of customers Complaints handling Product development and governance Product Intervention Remuneration and reward policies Financial Promotion withdrawal and prohibition Conflicts of interest Incentives Wholesale Business Continuity

On January 24th 2014 Mark Carney, Governor of the Bank of England told bankers at a meeting in Davos that conduct is replacing capital as the key risk facing the industry. After progressing in building up their capital buffers against potential shocks since the financial crisis, firms need to improve their behaviour to regain public trust, Carney said. Firms are still battling with the damage to their reputations caused five years ago by the collapse of Lehman Brothers Holdings, interest rate swaps mis-selling and more recently financial the rigging of the London interbank offered rate and the alleged manipulation of key benchmarks in the foreign-exchange market. Carney, who is also chairman of the Financial Stability Board, echoed his private remarks at a speech at the annual meeting of the World Economic Forum, in which he urged banks to seriously change their behaviour. Banks must recognise that only exemplary behaviour can confer social license to global financial capitalism, Carney said. For the system to operate with integrity, penalties for misconduct cannot be seen as a cost of doing business. Conduct risk is not new and stems from not only the scandals and mis-selling debacles but is

rooted in the Treating Customers Fairly (TCF) initiatives and echoed throughout the rules in COBS, MCOBS and ICOBS. It would appear that the definition of the term is excluded within the FCA handbook and glossary purposely to make it a reflective and subjective term defined by each company. Added to this is the complexity of RDR effective from 31 December 2012 which made significant and fundamental changes to, and impacted the business models within the investment advice market. Add to this the additional work of implementing MIFID II as well as new regulator with a more intrusive supervisory stance and there are bound to be a great deal of elements that firms are unaware of and will undoubtedly get caught out whenever they are visited or complete "online" or "telephone" assessments. Also, dont forget, the previous regulators ARROW is replaced with the Firm Systematic Framework (FSF) with the aim of focussing the assessment of how firms manage the risks they create, and identify the root causes of what leads to these risks. The changes brought about by the new regulator are;

FSA: Rules/Principles Based Reactive/Passive

Judgement/Opinion on adequacy of controls Firms decided best method to achieve outcomes (TCF) Focussed on processes and procedures Management responsible for identifying and developing controls for risk Senior Management to demonstrate adequate systems and controls implementation Defined actions from risks

FCA: Judgements & Outcomes Based Intensive/ intrusive

Judgement about Senior management Decision Making Process Regulatory Intervenes to ensure firms take action for required outcomes Focus on Governance, Outcomes & Behaviour Regulator will proactively identify risks and act to prevent crystallisation Greater emphasis on systems and controls to demonstrate Governance, Outcomes & Behaviour Evidence of risk identification, measurement and decision making process

Recently the FCA asked 26 life insurers and advisory firms to provide information about their service or distribution agreements; in total it received and reviewed 80 agreements. The FCAs findings included huge potential issues regarding undisclosed conflicts of interest, incentives and an amount of joint ventures that could lead to biased advice and undisclosed costs. Alongside the review, proposed guidance has been published to help firms further understand how they should act. The guidance explains why the FCA thinks certain payments between providers and advisers may cause conflicts of interest and also gives some helpful examples of good and bad practice. This includes how advisory firms might want to deal with conflicts caused by providers paying for IT development and maintenance, staff training, conferences and seminars, hospitality, research and promotional activities. Clive Adamson, the FCAs director of supervision, commenting on the findings, said:

The changes we made to the retail investment advice sector were designed to mark a step change in the way advice was given. It signalled the end of advice that might be influenced by the commission payments made by product providers to advisory firms, and the start of a new era of trust and transparency between a firm and its customers. The findings of this review reveal that the actions of some firms have the effect of undermining the objectives of the RDR. Most the firms involved in the review have already made changes, which are welcome, but we want all firms in this market to review and, if necessary revise their existing arrangements. We will revisit this area in the future to check that the necessary improvements have been made. Full Details can be found here http://www.fca.org.uk/news/life-insurance-and-advisoryfirms-undermining-the-objectives-of-the-rdr Confusion reigns According to the Thomson Reuters Conduct Risk Report of 2013 (published January 2014), 200 firms from major nations, in response to an increasing volume of regulatory change, demands and priorities admitted to placing increased importance on what they believe to be Conduct Risk while simultaneously working to identify and clarify what the concept means for their specific organisations. On questioning 200 compliance and risk practitioners from financial services firms across the Americas, Europe, Africa, Asia, Australia and the Middle East (and from across the financial services sector including banks, insurers and fund managers) to find their views on how the industry is defining and dealing with conduct risk. What is Conduct Risk? Since the 2008 worldwide banking crisis, many regulators have been working to impose and articulate their view and requirement to put policies in place to improve the behaviour of risk management within firms. Although there is no specific or universal definition of conduct risk, it is generally agreed that the concept encompasses the risks associated with the way in which a firm and its staff conduct themselves translated into fair customer outcomes. It should incorporate matters such as intrinsic culture, tone from the top, robust governance, how customers are treated (TCF?), remuneration of staff and how firms deal with conflicts of interest. The Thomson Reuters survey shows that over 84% of firms reported the absence of a clear working definition of Conduct Risk indicating the immaturity of the field. Respondents were asked their views regarding the key components they perceived as of Conduct Risk, culture rated the most important at 76%, closely followed by corporate

governance at 74%, then by conflicts of interest and reputation both at 86%. Remuneration was flagged as a key component to conduct risk and a significant factor that contribute to a firm's culture. Addressing Conduct Risks It is clear that the majority of firms around the world have started to address conduct risk and most of the changes have been implemented in the last 12 months indicating that firms' awareness of conduct risk is growing. This is also evidence of the emphasis in which regulators are placing on corporate culture and the response across the industry toward consumer protection. The financial crisis of 2008 also created a greater focus on remuneration and incentive practices and these have become increasingly controversial. A recent fine for Lloyds Bank showed the flawed commission or bonus culture that was prevalent in yesteryear financial services sales. This proved a recent review conducted by the UK Financial Conduct Authority found that sales rewards and incentive schemes were likely to have exacerbated the risk of poor sales practice. 66% of surveyed firms said that they had reviewed their approach to incentives since 2008, the majority in the last 12 months. Just over half of firms had made changes to their remuneration policy with a third of them in the last 12 months and a further 10% plan to make changes in the next 12 months. So how do you prove "Conduct Risk" to a satisfactory level in the UK? Firstly you have to understand where conduct risk falls within your organisation and, in conjunction with the FCA Risk Outlook 2013 create an idea of where your risks may lie. The majority of these risks can fall under the Operational Risk umbrella, which a few consultancies can assist you with. You dont necessarily need expensive software for most modest size of firm, but you need to know how you arrive at the findings, and more importantly what you do about them. If you look in the handbook SYSC, you will see that Operational Risk would seem to apply to insurers (SYSC 13) and it could be easy to overlook SYSC 7. SYSC 7.1.2 R states "A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm." This effectively means that all risks apply to every firm; the three types are Credit Risk, Business or Market Risk and Operational Risk. Operational Risk is widely accepted to be the Basel II definition that states that operational
risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Identifying them is only the start as you then have to agree how best to measure them, which creates a real challenge and considerable work for most firms who do not normally deal in this area. Within the three main areas of conduct risk impact; Inherent, Structures & Behaviours and Environmental, there are a great deal of areas that can be measured. Within the first two areas a degree of qualitative and quantitative data already exists, but much of it is overlooked or unreported in most firms. A Conduct Risk Framework will help in identifying the elements and areas impacted. From this adequate and proportionate measurements can be made for reporting. Overlaid with a rationally decided appetite the data can provide an exception report for Senior

Management to consider. The three phases of good management are definition and measurement, management followed by activity. Running any business is typically conducted this way but the skill of management is actually created and enhanced as a result or product of the activity, therefore there is no definitive answer on how best to manage. The key to these phases is providing accurate and usable data to the second phase. Unfortunately many people when defining the Management Information do this the wrong way round. To assist Compliance professionals in their job and assist in the planning of their responsibilities, get your copy of our Compliance Managers Guidebook and Reference from http://www.complianceconsultant.org/guide/

Need a Compliance Manual? Over 90 Pages covering your regulatory universe. Get more details from HERE or click the link

Conduct Risk: Understanding the Aims

The FCA's main aim in relation to the initiative of Conduct Risk is to ensure that firms do the right thing for their customers whilst keeping them and the integrity of the markets in which they operate at the heart of everything that they do. Whereas Treating Customers Fairly was essentially viewed as common sense and good business practice, this was partly its downfall and created with it a certain impotence. Conduct Risk is looking at fair customer outcomes in all activities including extremely remote treasury transactions or outsourcing processes, through regulatory engagement and even ensuring that the root cause analyses of complaints are assessed for conduct risk objectives. Although many firms will say that they always consider the best outcomes for their customers, in reality and on closer inspection most processes are in place to protect the firm or deflect any criticism or complaint from customers. Many processes are designed to reflect the smoothest and most efficient running of the firm in providing its products or services to the customers on an initial and ongoing basis, but is it seeking to be fair to customers? Does the firm have an obligation to manage its costs and reduce the overheads of its operation to not only become slicker and faster in the general operation, but this would then increase the profit: should this be shared or used to keep customer fees down, or invest in better technology, or perhaps just swell the coffers of the firm? After all, surely the fundamental of any corporate social responsibility for any firm is to make sufficient profits to sustain their activity for the good of the community as well as all their customers, stakeholders and employees? Obviously it is clear that firms should seek to promote good behaviour across all aspects of their organisation and to develop a culture in which it is clear that there is no room for misconduct. Although TCF has long been part of the retail regulatory framework it is vital that Conduct Risk should not be seen as merely an extension of this. As mentioned above, there appears to be a commonly held misconception that Conduct Risk is only a retail issue. The FCA is just as interested in the roles that wholesale conduct and prudential standards plays in underpinning the integrity of the markets. This keeps alignment with its objective to protect and enhance the integrity of the UK's financial services. It therefore expects both wholesale and retail firms to have properly functioning Conduct Risk policies and procedures in place. Wholesale and commercial activity can obviously impact the customer by the firm taking excessive haircuts on the monies borrowed on the market to be lent out on mortgages or using the same provider all the time because of a long standing relationship or habit without any diligent justification of that relationship. It all comes down to getting value for money for the customers.

How does RDR fit in with Conduct Risk? The potential distortion of the advice that consumers received with the complexity of commission rates and payments was removed by, and was the cornerstone of the Retail Distribution Review (RDR). Originally set as an objective by the regulator back in 2006, the dual purpose was to wipe out any influence of inappropriate advice from the payment of commission and to ensure that providers were to compete on price and quality of their products, including investment expertise, and not to taint the advice with additional supplements or enhancements to their generous commission percentages. Various schemes were dreamed up by some providers who sought to channel business to particular providers by setting up service or distribution agreements, and thus ultimately affect or influence the advice the consumers received. To establish a view and test the potential issues, the FCA wrote to a sample of 8- firms and included insurers, advisory and investment firms and asked them to provide their top five distribution agreements which they than scrutinised very closely. Their findings were that there was a poor management culture in some firms and some advisory firms were incentivised to promote some particular products or services, thereby creating the risk of a personal recommendation being weighted towards the driver of the firms commercial benefit, rather than considering the best interest of the consumer; a flagrant breach of the RDR rules. Additionally this review highlighted the poor and inaccurate systems and controls that were in place. In some there was minimal conflicts of interest management or disclosure. Providers and advisory firms sometimes set up joint ventures and further work uncovered huge concerns about these. Appearing predominantly to channel money to advisory firms to secure the effective distribution, these arrangements obviously had the potential to to influence any advice dispensed by the firms advisers. The result was the issuing of the document GC13/5 Inducements and Conflicts of Interest Guidance which explained the importance of and the expectation by the regulator that all regulated firms were expected to undertake their business practices aligned to the FCAs 11 Principles of Business. Specifically, Principle 8 Conflict of Interest; requires firms to manage conflicts of interest fairly, and in accordance with SYSC 10. The report findings show that firms showed a very real risk of breaching principal 8 and the inducement rules, and so, once a firm has identified an actual or potential conflict, it must implement, maintain and operate effective organisational arrangements and take reasonable steps to prevent any recurrence or future conflicts of interest. Firms were expected by October 2013 to review and if necessary revise their existing distribution arrangements in order to prevent undermining the objectives of the RDR. One of the major risks identified in the Conduct Risk initiative is the identification and managements of conflicts of interest and need to be broken down across the following

topics: How identification and control of any conflicts of Interest are documented. This involves having an effective and well articulated risk framework and controls on research spending and correct governance in place which will be clearly documented. Additionally there will need to be joint Compliance and Ops monitoring and reporting and this will in itself require effective design of Management Information (MI). How firms manage the purchase of research and trade execution services on customers behalf This obviously involves accurate due diligence and investment governance, including what services are to be paid by whom. How firms managed gifts and entertainment Again, this involves having an effective and well articulated risk framework and controls coupled with robust governance around the frequency and value being correctly documented. Ensuring customers have fair access to all suitable investment opportunities; This will involve accurate due diligence and investment governance. How firms manage personal account dealing by all employees; This will involve accurate monitoring and fair application to all staff, and How trading firms allocate the cost of errors between themselves and customers. This is a further need to have an effective and well articulated risk and controls framework and reliance of contractual limitations being correctly and fairly documented. The regulator will be following up on this work and the fallout from the previous findings will create the expectation that firms have acted on the consultation guidance and additional publications. Firms who fail to act could very well be subjected to further action.

Conduct Risk: Regulatory Expectations

Sometimes it is easier to se what shouldnt be continued, to understand the antithesis and start your planning. In this regard the FCA has emphasised that it expects firms to move away from certain behaviours, such as prioritising profits over ethics and commercial interests over consumer interests; the still prevalent tick box and overly legalistic approach to compliance; as an extension of the former, only complying with the letter instead of including the spirit of laws and regulations; effectively removing caveat emptor for firms who still consider that disclosure at the point of sale absolves the seller from all responsibility of ensuring that a product or service represents a good outcome for the customer

Unnecessarily complex products may lead to excessive prices for consumers or reduced access to financial services. The FCA will act where: There are unfair obstacles to consumers ability to enter or exist a product due to consumers changing needs or environmental conditions. In responding to environmental or changing business conditions, firms adopt strategies that support their own interests but which may not be in the longterm interests of their customers. Firms are over-exploiting their existing customer base due to limited new business. Firms are developing complex, opaque and over-priced products that are not in the long-term interests of consumers and are difficult to compare. Consumers are not fully aware of their financial needs and what products or product features would adequately serve these needs. Consumers do not have access to products that meet real needs within regulated markets, due to a lack of competition and resulting shortfall in product availability and innovation.

There is a key element to all this that firms may not realising and that is that when assessing Conduct Risk the FCA will not only consider a firm's approach to such matters, but will also want to see evidence of the board being fully engaged with these issues. An example of this could be that the regulator would look to see whether the board of a firm probes high return products or services and the extent to which the board monitors whether products are being sold to the markets that they were designed for. This is likely to represent a significant cultural shift for some firms and accordingly it is important to ensure that this change in the regulatory environment is taken into account when designing a firm's Conduct Risk framework.
In addition, the FCA has made clear that it intends to hold senior management to account for Conduct Risk failings and accordingly a strong Conduct Risk framework is an important tool in

protecting senior management from such liability.

How will the FCA hold Senior Management to account? Quite simply by using the recently introduced attestations that are actively sought by the FCA from management of usually the most senior roles. What is the FCA achieving with Attestations? The FCA has declared that attestations are key elements to the new Firm Systematic Framework (FSF) replacement of the ARROW Visits. This movement of emphasis may be overlooked or even dismissed by the foolhardy as the seemingly light touch verifications is designed with the aim of confirming how the firms assessment, management of the risks they create, and how they identify the root causes that leads to these risks. FSF assessment modules will be completed through a series of interviews between supervisors and the firm to look at the various processes in specific and areas considered to be high risk. This is in contrast to detailed testing that the FCA has clarified will not be used unless it is the only way to assess a particular risk and will look to prioritise actions with the intended outcome, being that firms will have fewer Risk Mitigation Programme (RMP) points than at present. A shift of responsibility away from the regulator and directly onto firms senior management to do their own monitoring on some of the less important points and then to self-attest that they have been addressed will be achieved by the use of section 166 skilled persons reports, internal audit reviews and non-executive director reports. The emphasis on accountability and personal responsibility has been echoed in recent speeches both from FCA CEO Martin Wheatley and Tracey McDermott, the FCA director of enforcement: You will probably already have seen an increasing emphasis from our supervisors on getting senior management to attest where remedial action is being taken, and asking questions about exactly who is responsible for what. This is all part of focusing our attention and yours on the responsibility and accountability of senior management. And this is an area where you can expect to see more in the coming months and years. Needing to Up its game the FCA has purposely adopted the attestation approach to senior management accountability as a direct result of the failure of the FSA to do so in the last 5 years. It also reflects the FCAs determination in making judgement-based decisions on matters of individual conduct. New requirements to have a specific and identifiable, suitably senior individual responsible for the satisfactory completion of the work is not only a powerful motivation factor for the senior manager but adds personal accountability to the change. The FCA will expect this individual to attest to any change completion or more generally to the adequacy of relevant controls.

Conduct Risk: The Challenge of Constructing a Framework

It is impossible not to have noticed that recently there have been many examples of failures to deliver fair customer outcomes, resulting in potential detriment and redress, regulatory intervention and fines, and ultimately reputational damage for the firms involved. According to the regulator, at the heart of recent failures were a number of common factors: Unclear governance structures and unclear or poorly defined risk appetite without supporting conduct risk metrics or tolerances. Lack of clarity around roles and responsibilities across the 3 lines of defence (3LoD), resulting in: Lack of robust outcomes testing in the first line of defence. 2nd line assurance often undertaking 1st line activity. Lack of skills and capability. Metrics without clearly defined tolerances or clear audit trail back to source data. Addressing issues proactively. A culture that does not put the customer at the heart of the business, resulting in: A lack of understanding of the required behaviours across the firm. Not undertaking robust root cause analysis and addressing issues proactively. Poorly defined measures of performance in terms of the delivery of customer outcomes. Lack of organisational focus on target market and the design of products. Inadequate skills, knowledge and experience within senior management teams.

Singularly or, more often, a combination of the above factors has represented potential weaknesses in a firms framework for the efficient and effective management of Conduct Risk. To implement a well-defined Conduct risk framework, the firm must articulate the components they have in place to manage Conduct Risk. There must be clear linkage between the components and how they interact with each other, who is responsible for each element and absolute clarity on how the three lines of defence model will operate. The first thing is for a firm to evaluate their own risk profile Most firms have grown organically over the years and have been shaped in the last twentyfive years being shaped by market conditions as well as domestic and EU regulatory change. The almost constant adding and taking away has lead to legacy blind spots where the processes and procedures may work well from a regulatory perspective but have not been tested or indeed measured as a whole to provide an overlay of consumer protection (what all regulation professes to champion), with something like Conduct Risk. Firms need to honestly consider their true risk exposures and not shy away from identified risks. Calling risks events, incidents or exposures, without accepting that the risks are

present is self-defeating and pointless, providing a false platform or base line from which to work. Customers segmentation, outsourcing, suppliers, sales, marketing, client service and internal processing need to be understood in the context of their business, their specific market, and what their cultural and a candid behavioural indicators appraisal. Peter Drucker Said "What gets measured, gets managed" and circumstantial conditions can often lead to unintended risk exposures. Ignoring or side-lining risks is worse than not knowing or monitoring, but in all cases can lay as dormant threats until a unique trigger can cascade system, process or people failure. This short sightedness leads not only to costly remedial work, but also loss of clients, potentially irreparable reputational damage and worse still, regulatory scrutiny and intervention. Due to the financial crisis your firm may well have lost experienced staff which has the result of increasing your risk profile. Losing experience and even whole disciplines if outsourcing has been involved, does not create fiscal risks alone, but can easily affect the way the firm develops new products, treats their customers, or manages their processes which all amount to a failure of conduct risk. Although in some firms Conduct Risk is lodged under Operational Risk and Operational Risk is widely accepted to be the Basel II definition that states that operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, the alternative is to create Conduct Risk as an equivalent level one risk that both provides a pillar of risk support to the firm, but also underpins and spreads across the remaining risk pillars to affect their culture.
Raising Conduct Risk to top the firms priorities To raise the profile of Conduct Risk and ensure that conversations are occurring at the board of directors level as well as forming a part of senior managements agenda and risk profiling perspectives can sometimes be a challenge. There is of course a recent evolution called Operational Risk and there are still firms that try to shy away from calling a risk by that name, for fear that the firm may consider them weak or ineffective in their role for the risk to occur. Many people hold the belief that operational risk is not important, especially in smaller firms, as it doesnt really apply. Everyone knows everyone else is a common argument, but everyone in Barings Bank knew Nick Leeson and he lost millions of pounds because there were no checks, no reviews, no trend analysis; no operational risk. The mis-selling scandals and LIBOR rate fixing scandals have shown this false belief to be just that and critically damaging. Damaging not only to the remediation costs, but also the regulatory intervention costs such as S166 and Risk Mitigation programmes borne off the back of skilled persons reports, compounded by the reputational damage of the individual firms and the industry as a whole. Senior Management has to stand up and be counted among the good guys as the FCA is looking for proactive, positive action from all of the people who are occupying these senior positions. It has already started with the Non Executive Director vetting and regulatory visits will become more thorough in questioning of management. It may not be easy in a big organisation to change in this way, but the regulator is expecting then to show some robustness and intelligence and not just go along with things as before. SIMPLY PUT: CONDUCT RISK MUST BE A KEY RISK IN ANY ORGANISATION Managing conduct risk is not a simple case of

issuing dictats or strengthening policies. Although these will help, this involves applying proper risk management principles to the way that firms manage the development of their products. A new fresh look at the governance around those products and services and well as the monitoring and analysis. There also has to be a new thinking around every aspect of the new paradigm of customer centric outcome driven business. As Einstein said; We can not solve our problems with the same level of thinking that created them. Conduct Risk Appetite The Conduct Risk Appetite should consider the full customer journey and conduct risk lifecycle, with each of the appetite statements specific enough, so that it can be accurately measured and is not open to misinterpretation. Firms are traditionally taking one of two approaches to including Conduct Risk within their existing Enterprise Risk Management Framework (ERMF): 1. Establish Conduct Risk as a Key Risk Driver (Level 1 risk), alongside Credit, Market and Operational risk, for example; or 2. Establish Conduct Risk as a sub-risk of Operational risk. The decision on the most appropriate approach needs to take into account the size and complexity of the firm, but more importantly the view of the Board on how Conduct Risk fits into the overall Enterprise Risk Management Framework (ERMF). Irrespective of the decision around the classification of Conduct Risk, it will remain a key risk objective with the elements of the Conduct Risk lifecycle as the Risk Dimensions (Product design, sales process, after-sales and culture in the example below)

Threshold Conditions The regulators approach to Conduct Risk is not simply a matter of making rules as the relevant powers for their approach can be found in section 55B and Schedule 6 to the Financial Services & Markets Act 2000. This section deals with the threshold conditions and whenever the FCA gives or varies permission to a firm to carry on one or more of the regulated activities, the FCA and PRA must ensure that the person concerned will satisfy, and continue to satisfy, in relation to all of the regulated activities for which the person has or will have permission, the threshold condition for which that regulator is responsible. Threshold Conditions are set out in an order made by the Treasury under the Act and are important as the regulators derive their authority to consider a firms capacity to meet the stated condition on an ongoing basis. For any firm considering implementing Conduct Risk or any other risk framework needs to understand what the Threshold Conditions cover and mean to them. The threshold conditions deal with the following matters.

(a) Location of offices Generally speaking, a regulated firm that is incorporated in the UK must have its head office in the UK also. (b) Effective supervision Under this condition, the firm must be capable of being effectively supervised by the FCA. There are a number of additional circumstances to consider, such as the complexity of the firms business or products, the way in which the business is organised, the firms membership of a group of companies, and the links the firm may have with other persons. (c) Appropriate resources The firm must have appropriate resources, as judged by the FCA, to carry on the regulated activities that the firm carries on. Relevant considerations include the nature and scale of the business and the skills and experience of the firms managers. (d) Suitability

The condition here is that the firm must be a fit and proper person having regard to all the circumstances. Considerations include: The nature and complexity of the business. Whether the firm is complying with requirements imposed by the FCA in the exercise of its functions, or requests made by the FCA, relating to the provision of information to the FCA, and where [the firm] has complied or is so complying, the manner of that compliance. Whether those who manage the firms affairs have adequate skills and experience and have acted and may be expected to act with probity. Whether [the firms] business is being, or is to be, managed in such a way as to ensure that its affairs will be conducted in a sound and prudent manner. The need to minimise the use of the firm for a purpose connected with financial crime. (e) Business model The firms strategy for business must be suitable for a person carrying on the regulated activities that [the firm] carries on or seeks to carry on. In assessing the business model, the FCAs consideration must include: Whether the business model is compatible with the firms affairs being conducted soundly and prudently. The interests of consumers. The integrity of the UK financial system. It is evident that the threshold conditions give the FCA significant powers to assess the firms future behaviours. If the conclusions are adverse to the firm, the FCA has the power to vary the firms permissions on its own initiative, or indeed to remove permissions altogether from the firm. Managing Conduct Risk To manage Conduct Risk, every individual firm must understand the risks facing it and

although these will vary from firm to firm, across the various sectors, the FCA helpfully publishes an annual Risk Outlook which sets out how the FCA views the distribution of risks across its regulated sector. In 2013 the FCA also published its business plan alongside Risk Outlook. The two documents are closely linked; the business plan sets out what the FCAs proposed plan of action is for 2013/14 to deal with the risks described in the Risk Outlook. It is critical that every member of senior management reads, understands and raises discussions around the issues within the Risk Outlook and the accompanying business plan. A firm that is unprepared when challenged by the regulator really needs to be prepared for the potential of unwelcome and possibly Deep Dive review attention from them. Conduct Risk: Building Your Framework Fortunately, we do not have to look toward a raft of new jargon or terminology to build our framework as many aspects of Conduct Risk resembles operational risk so closely, we can leverage the tools of operational risk and adapt them to conduct risk management. Risk Matrix Within their operational risk plans (and yes, these can be developed together if you do not already have an Enterprise Wide Risk management Scheme or Framework) firms will use the typical risk matrix approach to prioritise and identify the risks that impact their business areas. For a small or medium sized enterprise that is not yet ready to spend out on software to manage their operational or Conduct Risk, can purchase our ARMS Analysis & Risk Management System from http://www.complianceconsultant.org/arms/ or if you are an IFA then get the IFA Risk Management from http://www.complianceconsultant.org/ifarm in PDF form. Regulatory Documentation As mentioned earlier in this document, adhering to regulatory rules are also of immense importance in the management of conduct risk. There are countless rules in the FCA Handbooks that deal with the conduct of firms and their officers and employees. Many of them are expressed at high-level, with the FCA Principles themselves at perhaps the highest level of all. In addition to monitoring compliance with those rules after the event, firms should also consider how they will comply and continue to comply with them in their future offerings and developments. The strongest challenge from the FCA is likely if they believe there is any hint of doubt over whether a firm will continue to be able to comply with conduct-based rules. In 2007 the FSA published Treating Customers Fairly Culture, as part of its range of publications on treating customers fairly. The document remains accessible from the archived content of the FSA website. Although the document is now quite aged, it still remains useful in terms of the specific issues and matters that the FCA are likely to consider in their threshold condition view of firms.

The document singles out the following matters as being important: Leadership. Strategy. Decision-making. Controls, including management information. Recruitment, training and competence and Reward. Where TCF Ranks When TCF was launched as one of the FSAs flagship projects it ranked so highly on the list of initiatives that it had its own Director responsible solely for it. As with all mature models, more recently it has become part of normal supervision. This should not be seen as an indicator of the lesser importance of the measures as TCF remains vitally important to the FCA and they are likely to continue to look at firms compliance with the TCF Outcomes. The 6 TCF Outcomes The TCF Outcomes sought are as follows: Outcome 1 Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture. Outcome 2 Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly. Outcome 3 Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale. Outcome 4 Where consumers receive advice, the advice is suitable and takes account of their circumstances. Outcome 5 Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect. Outcome 6 Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint. Decision-Making Although the list of important issues are all relevant and fundamental considerations as underpinning the conduct risk, decision-making is probably the key element and worthy of special mention.

Conduct risk is simply about the conduct of individuals and how, within firms, they are organised, directed and lead according to the management principles. The Board, and the Executive, run the firm, but the authority to make decisions cascades through the firm with differing levels of governance and managerial responsibility. The firms decision-making framework is a key matter for conduct risk. People who make decisions for the firm need to be identified and accountable for the decisions they make. Firms must ensure that decisions are not buried in committees where it is more appropriate for them to be made by identifiable individuals. What is expected is that decision makers must make decisions whilst in possession of all the relevant facts, and they must seek to avail themselves of all of these facts. Decisions must be made at a level in the organisation that carries appropriate authority to make that decision. For example, if a firm faces a matter where customers may not have received a fair outcome, or in old parlance, they were not treated fairly, the decision maker may well need to be empowered to sanction a loss for the company in recompensing customers, if that is the right thing to do. If the decision maker is too junior, so cannot consider that option, the decision must be pushed escalated appropriately or run the risk of the wrong decision risks being made. Summary Conduct Risk is not only here to stay as an extension of the TCF Outcomes, but is also going to ramp up as the FCA get a deeper and fuller understanding of what is missing in the retail distribution world. Focussing on your exposure and level of risk is critical to your firms survival and escaping close regulatory scrutiny, supervision or worse.

Conduct Risk: Building Your Framework

Building your own framework takes a large amount of thought and considerable effort to get it right. At Compliance Consultant we can assist your firm, but there has to be a desire from the firm to make it work; the tone from the top has to be consistent and loud. The elements you need to consider are;

Don't forget, Compliance Consultant can provide a whole range of services including:
Initial Risk Assessment or audit an initial analysis to identify higher risk areas of the business and weaknesses in procedures. Design Risk Management build a system with your business, for your business showing complete audit trail of risk areas of the business and identifying any weaknesses in procedures. Business Development business analysis advice or advice on particular issues for example, how your firm is Treating Customers Fairly and an action plan for implementing TCF across your business. Governance Templates Policies, Logs, Minutes, Terms of Reference and other items available from our IP library. Help with setting up procedures for example procedural manuals for recruitment, training and competence, complaints handling and anti-money laundering. May also include templates for disclosure documents, fact-finds and registers. File audits checks to ensure that procedures are being followed and identify good practices and weaknesses Complaints Handling cost effective and project managed from start to finish making your response robust and consistent Technical support may include advice on particular products or regulatory reporting. May be available in various formats, including website, helpdesk and individual technical advice. Training for example competency assessments, training opportunities or product risk guidance. May be online support, regulatory updates or seminar based. Support on individual issues for example in dealing with a complaint, a financial promotion or a particular suitability letter. Financial promotions (all areas of advertisement) - full support which would include websites, brochures, DVD's, email templates, client mail shots, adverts, contacting existing clients and so on. Remedial work helping to action remedial work required by the FCA.

Ensuring you are aware of Handbook changes and the specific impact on your business. Your responsibilities and liabilities under SYSC and the recent changes. And

much more ... just ask! Email info@complianceconsultant.org