Event Summary: Culture and Conduct in Financial Services Investigations

Mohammed Reza and Paul Li from Simmons & Simmons together with Chris Fordham and Jacky Lo from Alvarez & Marsal presented a seminar on why culture and conduct plays a big part in financial services, and what can be done to improve culture in order to minimise risk. The following is a summary of the panel discussion, including key takeaways and practical steps that FIs can take to enhance their culture. If you would like further information on anything covered below, please feel free to reach out to the speakers directly.

Culture reform continues to be a regulatory focus

“A financial institution’s risk culture plays an important role in influencing the actions and decisions of the individuals within,” according to Mohammed Reza, partner in Simmons & Simmons’ disputes practice. “Regulators know that culture governs and directs conduct,” explained Chris Fordham, Managing Director in A&M’s Disputes and Investigations practice. “We saw in the last Global Financial Crisis that all the regulators came together and concluded that there must be something wrong with cultures within financial institutions (FIs). They saw how there can be the best prevention and detection methodologies within compliance frameworks – but if the right culture is lacking, they still fail. We are dealing with humans and humans are fallible, they may commit fraud because greed and need are stronger motivators than fear.” 

Regulatory measures continue to tighten in Hong Kong because the “SFC (Securities and Futures Commission) noticed how culture levels in banks have significantly changed,” observed Paul Li, partner in Simmons & Simmons’ disputes practice. “The concept of individual accountability had virtually disappeared from banks or FIs. Bankers were reliant on compliance teams and expected them to explain exactly what they were or were not permitted to do. This is in marked contrast to before, when bankers were expected to police themselves and know what the regulation parameters are.”

“We see that the SFC is beginning to hand out very significant periods of suspension or revocation of licenses as a result of individual misconduct,” Paul noted. “Back then, the focus was on having direct rather than constructive knowledge of the wrongdoing. If the individual did not have direct knowledge of the wrongdoing, he/she was effectively given a free pass. With the introduction of SFC’s Manger-In-Charge (MIC) regime at the end of 2016, attitudes were changing. Managers are now held responsible if any misconduct took place under their monitoring duties. Although not set out as an enforcement tool, the MIC is actually intended to be such.”

The important thing is to create and retain a culture that is anti-fraud. However, “a culture can rapidly deteriorate”, warned Chris. “Take speeding on roads for example, when everyone else is speeding, it becomes easy to speed also.” 

When designing a compliance framework, the first important thing is to have a strategy. “When we review compliance frameworks”, Chris revealed, “we consider to what extent there is a corporate statement or mission, or an all-encompassing objective. These things don’t stand still – there are evolving risks as the company enters new markets or launches new products, so you must keep these up to date. But if you don’t even have the bedrock for a compliance strategy, it is very hard to hang anything else onto it.”

Setting the tone from the top is paramount

“We want to see that commercial goals are being aligned with compliance and there is clear communication of this,” according to Chris. “No longer can management say one thing and not do it themselves – management must be seen to be walking the talk.” Paul observed “although there is sincerity in that tone (from the top), there is sometimes a mixed message as management often set challenging financial targets that middle management have to deliver. Sometimes these targets are not entirely consistent with a new culture of less risk-taking. It can be extremely hard to strike that balance between the two.” The key to ensuring a culture prevails and to prevent the thought of cheating, explained Chris, is to “set goals and rewards that are reasonable so that people can act ethically to obtain them.”

A poll question to the audience revealed that almost 50% of attendees felt that compliance is embedded only to an average level in their employee performance assessment structure or renumeration. This can result in a culture where employees do not feel that acting unethically would have any detrimental effect on themselves. Chris observed that “similar fraud surveys in the past revealed that many still observed other employees who had acted unethically being promoted or rewarded.”

In a second poll, almost 75% of the audience felt that their organisation maintained the importance of culture during periods of remote working. “This brings us to the point that it’s very important to instil culture and maintain it – and when you’re not together this can be challenging,” observed Chris.

In light of the pandemic’s new normal, “the way we are doing things is very different now,” according to Jacky Lo, Senior Director of Alvarez & Marsal’s Disputes and Investigations team. “Travel restrictions are hindering compliance teams, and this leaves only local resources to manage compliance efforts. The issue is they may not have the right or adequate skillsets required for the job. Externally, third party risks are heightened as a result of delayed or reduced co-operation from clients or business partners. Consequently, compliance officers may be restrained from being able to review KYC data as frequently as required.” 

Management need to re-visit policies in a timely manner to ensure they continue to remain effective in current circumstances. Paul revealed that entrenched policies and practices are potential roadblocks. “When we conduct investigations, many times we have been told this is the way it has been done for many years. We don’t doubt that, and when it was first done it may have been entirely acceptable. But the attitudes of regulatory authorities have moved on significantly since these practices were introduced.”

Take action now to minimise risk

There has never been a better time to upgrade compliance tools in FIs. “Many have already incorporated data analytics to overcome manual-intensive processes,” observed Jacky. “But the current times provide an ideal catalyst for banks, helping them to speed up technology integration into their compliance systems.”

The red flags lie in the data of an organisation. “We have evolved to the point where technology is able to cope with large volumes of data, with the help of human expertise to define risk parameters and interpret results,” according to Jacky. “However, the challenge lies in bridging the understanding gap between data analysts and compliance experts. Overcoming this may require the management board to integrate the required resources with the right initiatives.”

Individual choices are governed by how others behave. “The question then is how can a company enhance behavioural standards?” raised Jacky. “Every organisation has its own structure and there is no one-size-fits-all approach. Ultimately it is up to each bank to design one that suits its purpose.”

Practical steps banks/FIs have taken to enhance their culture and minimise risks:

1. Integrate non-financial incentives into the system: Implement a scoring system to recognise positive behaviour where individuals are awarded points when they meet pre-determined criteria and these points are eventually factored into the annual performance review process. Referencing the HK Money Authority’s Bank Culture Reform, Jacky explained “the incentive system is one of the three pillars that can foster culture. For management and employees to buy into this, you will need a transparent and structured renumeration framework.
2. Implement a red flag system: Non-compliant activities, for example failing to complete compliance training or filing inaccurate declarations of investment portfolios, would be recorded in a system which is correlated to the individual’s performance rating. Consequentially, compensation may be adjusted downwards.
3. Enhance employee training & communication: The pandemic certainly impacts the effectiveness and attendance of compliance trainings. Some banks have come up with innovative approaches to make use of social media platforms to capture the interests of employees.  In one instance, a bank featured celebrities in videos that promoted a compliant culture and made use of real-life examples. This approach enables employees to relate better to the training as they mirror their daily work activities.
4. Adapt policies to local needs: Often, materials prepared by global headquarters may need to be tailored to meet regional benchmarks or environments. For example, the practice of gifting red packets in China and some South East Asian countries should be taken into account, and properly recorded to ensure local regulations are not breached.

Further steps banks/FIs can take to enhance their culture:

1. Check response plans: In the face of compliance failures, organisations often lack detailed incident response policies and plans. Chris observed that “if they do have a plan in place, they often find it challenging to adhere to.” Careful consideration needs to be given to incident response plans, ensuring they have incorporated multiple scenarios and possible outcomes, with practical steps banks can adhere to and implement.
2. Ensure open and trusted whistle-blower channel: There is now a more sophisticated level of technology banks can utilise to ensure whistle-blowing channels are completely anonymous and highly secure. Despite this, employees may still fear negative repercussions for whistle-blowing, hence they may hold back from reporting unethical behaviour. Many may also be unaware of how to access these whistle-blowing channels due to insufficient training. Banks need to ensure that whistle-blowing channels are trusted by all and employees can make use of them without any fear of retaliation.

In times when internal investigations are increasingly being conducted almost entirely by in-house resources, it is important to remember that there is much value in engaging external consultants in the process. Paul explained the reason for this being that “it is easier for us to remain dispassionate, and to ask the difficult questions. We also find it easier to spot entrenched practices which are past their sell-by date. Even if there is no ultimate wrongdoing, a thorough investigation puts everyone on notice. The investigation process itself reinforces the culture and message that misconduct will not be tolerated.” Chris also pointed out that “regulators are increasingly going to expect investigations to be done or reviewed by external consultants.”