A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Arthur Yuen

Deputy CEO

Hong Kong Monetary Authority

Picture of Arthur Yuen
View Full Report

Contributions to the Supervisors on Supervision Stocktake

What does culture mean in the supervisory context?

1.1.1b Some participants argue that supervisors should focus on a subset of organizational culture (“risk culture”) that directly applies to risk and compliance functions and outcomes.

“We should first define ‘risk culture.’ Over the years, different international institutions — the FSB and the BCBS — have tried to do that.

It’s not enough to say, ‘We act in the best interest of customers.’ What does that mean in deposit-taking? In granting or assessing loans? In selling investment products? It’s very hard to quantify. After the crises of the last 20-30 years, the international community tried to put some structure around this and came up with the concept of ‘risk culture.’

From our perspective, the term ‘risk culture’ is an attempt to put structure around a highly non quantifiable set of parameters that supervisors have long focused on. It should reflect the core values that financial institutions should pursue — things like: when a bank interacts with customers, what values should the bank pursue, and how do you propagate those values to staff?”

What is the relationship between culture and governance and how does ambiguity about that relationship contribute to uncertainty?

1.1.3b Other participants noted that culture and governance are interconnected and influence one another.

“The governance arrangements are the hardware; the risk culture is the software. One encapsulates the core values; the other is how to pursue them.”

If culture is important to supervision, then what factors make it challenging to assess?

1.2.2b Participants point to culture as winning attention only in circumstances of remediation and argue that, once the acute pain is passed, the ongoing chronic pain is simply tolerated.

“As a banking supervisor involved in international bodies, I feel that the further we move from the last crisis, the more detached we become from emphasizing these things. 

The 2023 turmoil reminded us of the importance of proper risk culture and governance structures. But, as time passes, people are less concerned, and it’s easy for supervisors or regulators to give the impression: ‘These problems are fixed; we don’t need to keep reminding institutions.’ 

No. Because it’s difficult to quantify and measure, it takes continuous effort to keep it in check. As we grapple with trade issues and economic challenges, it’s easy to overlook this. Studies like yours are important because they keep people focused on the core issues — how to improve behavioral outcomes and not overlook the pitfalls we saw in April 2023.”

If culture is a factor in governance outcomes, should supervisors take stock of their own cultures to improve supervisory outcomes?

1.4.2c Participants observed that demonstrating attentiveness to supervisory culture is critical to gaining buy-in from the firms they supervise.

“If we keep talking about risk culture statements and core values without doing it ourselves, how can we ask institutions to do it?”

What are the consequences for failing to consider the influence of culture in assessments of governance effectiveness?

2.1.2a Many Participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.

“When we talk about culture, attention often goes to customer interactions — conduct. Conduct supervisors find it easier to pursue culture because the link is visible. 

But the prudential side is putting increasing emphasis on risk culture too. Think back to March 2023. If a bank sees an increasingly concentrated deposit structure, shouldn’t that be a concern? On the prudential side, you need proper liquidity risk management, with a highly concentrated deposit-base, you need to watch for runs against that.

During that fateful weekend in April 2023, Credit Suisse’s capital adequacy ratio was healthy — no solvency issue. It was liquidity: deposit drainage. If you look at what brought down banks over the past 30-40 years, most cases were liquidity problems. Liquidity brings down banks.  Why is liquidity so relevant? Because it hinges on trust. People keep money in a bank when they believe it’s run properly. Trust is difficult to build and easy to shatter. A risk item so dependent on perceptions is inherently unstable; you need large comfort margins. Conduct issues are highly visible and can damage trust quickly — so they link to liquidity and 
prudential concerns.”  
 

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2a Some participants describe ways in which AI can improve culture risk supervision through the application of sentiment analysis and natural language processing tools.

“With technology we can address culture issues more on an ex-ante basis rather than waiting for problems to happen.
 

  • Speech-to-text, for example: the best place to start is at the supervisory level. Through supervision and enforcement we already collect many recordings — interviews, investigations. We can use these data to develop engines.
  • Product sales are recorded; with speech-to-text, the engine can monitor conversations in near-real time. Choice of words, a change in tempo, forgetting required disclosures — these can all be picked up, and a reminder can pop up on the screen: ‘Don’t do this; you might be breaching requirements.’ This used to be expensive, but it’s becoming feasible.
  • Robotic process automation is another area: supervisors have many repetitive processes. We shouldn’t just ask banks to explore these tools; we should adopt them ourselves. Our experience over the past two to three years with supervisory technology has been positive.”

What have we learned from past approaches to culture risk governance and supervision?

3.3.2b Many participants reflected on how a focus on Tone-From-The-Top, while necessary, has had limited success.

“To know whether employees understand the board’s desired values and behaviors, you need mechanisms to monitor and measure behavior on the ground. 

Many jurisdictions, including ours, make sure institutions — banks in my case — have feedback mechanisms to collect what’s happening on the ground. Some banks do short employee surveys on a regular basis to monitor aspects of risk culture and to understand whether frontline colleagues grasp what senior management or the board ask them to do — or not to do. 

If there are whistle-blowing cases, you need a positive speak-up culture. If someone sees something wrong, they should feel comfortable to speak up, and there must be a mechanism that allows it. You need these feedback loops so that senior management can periodically form a view of how well colleagues understand the expectations. 

That’s an outcome-driven way of looking at whether the core values are being propagated. It’s easy to say, ‘We’ll hold regular town halls,’ but that’s just a mechanism. The important point is making sure town halls are effective — and that people act accordingly afterwards. You can only do that with proper feedback loops built into the framework. 

Of course, it’s difficult to gauge the accuracy of surveys, and whistle-blowing can sometimes be the expression of a disgruntled colleague. But you only need one useful case out of a hundred to understand what’s happening. So those mechanisms remain important — but quality control is key. The fact that people may not speak up is not a reason to forgo them.”

How do supervisors need to adapt in order to accelerate progress in culture supervision?

3.4.2a Participants highlight the importance of effectively embedding challenge in their engagements with firms related to culture.

“If lack of trust between supervisees and supervisors is getting in the way of effective supervision, something is very wrong. We have to bridge that gap. 

Supervision can be antagonistic by nature, but we shouldn’t let that undermine effectiveness. We keep telling banks that, and banks should be able to challenge us — openly, not behind our backs. 

Supervisory powers should be challenged — healthily — if it leads to better outcomes. That’s why we’re building processes that let the banks tell us where we’ve been unwise or unclear, so we can find solutions together.”

3.4.2b Participants note that supervisors should build trust into their approaches.

“About two years ago, we did what we call a ‘bank employee survey.’ We surveyed a large number of frontline staff at 28 retail banks in Hong Kong. The response rate was surprisingly over 70%. It wasn’t compulsory — we, as supervisor, engaged a consultant and sent the survey to frontline staff across those banks. Because it was anonymous, people felt comfortable speaking up, and we gleaned a lot of useful observations. 

We could have asked banks to run their own surveys, but we would lose cross-bank comparison value. At the supervisory level, we have to think about how we help banks assess accuracy and get useful insights into what’s happening on the ground. 

Now this is an important point: if you tell banks, “We’ll use this employee survey data as supervisory input, and if your employees say you’re poor on risk culture, we’ll take action,” then there’s no hope — the management will discourage candid responses. 

We told banks we were not using the survey results as supervisory input, but as supervisory output: we’d feed results back to them and, if we saw weak spots in the risk-culture chain, we’d expect them to act.”

What steps should regulators consider to enable more effective culture risk supervision?

4.1.1b Other participants noted the importance of addressing culture across both conduct and prudential regimes.

“Having both conduct and prudential responsibilities under one entity [at the HKMA] helps us pursue risk-culture efforts holistically. If two separate agencies handle it, you need coordination to ensure consistent outcomes.

And repeated conduct failures erode trust and can lead to adverse prudential outcomes. We’ve seen that multiple times. That’s why supervisors and regulators care more about repeated findings. And that should be a core value for institutions: if you see the same problem again and again, don’t just double down on past approaches — ensure it doesn’t happen a third time.

Some of the issues people cite — failure to hold anyone accountable for limit breaches; undue frontline influence over risk processes; bending risk metrics to fit customer profiles — these are not merely conduct problems. They’re failures of the accountability framework; they’re risk-culture failures. And if they’re not the first occurrence, supervisors should look at them accordingly.”

What steps should supervisory bodies consider to help drive their own culture change?

4.2.1b Other participants noted that training and upskilling is required to incorporate behavioral science and culture assessments into supervision.

“Supervisory culture is important, and we should work on it day in and day out. 

We’ve incorporated culture into training. A core value we pursue is ‘supervisory certainty’: the same conditions should lead to the same supervisory outcomes — consistently. We have to demonstrate to banks that we have systems to deliver that certainty and consistency. 

I run a prudential department with about 150 people and a conduct department with about 70. If those 220 people go out and say different things under the same conditions, we’re in trouble.
We’ve built regular dialogues with banks — a balanced and responsive supervisory process — to get feedback. We have a small team that goes out to talk to banks individually on a regular basis: are our colleagues doing what we preach? If banks think we’ve departed from consistency — ‘How did these similar cases lead to different outcomes?’ — we bring those cases into the dialogue with groups of banks, see if there are problems we need to fix, or explain why approaches differ and how we’ll ensure consistency going forward. 

If banks say, ‘The US handles this more smartly,’ we look at that and maybe we adjust. We have systems to pursue the supervisory values we espouse.”
 

4.2.1c Participants also recognized the need to develop new capabilities and frameworks

“Over the past five or six years we’ve found that peer comparisons are very helpful — and that can only be done at the supervisory or system level. 

Supervisors have to step in. Supervisors and regulators should specify the structure of what we want to see. You can’t let institutions design completely different risk-culture frameworks. So we set the headline elements: have a risk-culture statement and tolerance levels; communicate properly with employees; measure feedback and understanding regularly; set an accountability framework. 

Within that, institutions have a high degree of freedom to design the core elements. We tell banks: design it, show us how it goes, and if we see problems, we’ll tell you. It becomes an iterative process.”

What systems and structures are needed to help supervisors and firms alike to find, evaluate, and easily adopt new technologies and methods as they come available?

4.3.1b Participants note the value of digital ‘sandboxes’ and similar structures for both firms and supervisory bodies to test and evaluate new technologies and approaches to culture risk governance and supervision.

“Take speech-to-text. If you ask each bank to build its own engine, they can only train it on their own data. In some jurisdictions that may be enough; in many, it isn’t. We have 28 retail banks. If each builds an engine alone, they may not have enough data points to train it. Supervisors may need to collate data and help develop a ‘public-good’ engine. The biggest banks can build their own; smaller ones can’t. In those cases, supervisors need to step in.”

What would a global initiative to transform culture risk governance and supervision in the financial sector look like?

4.4.1a Participants noted that global standard-setters have yet to prioritize culture risk governance and supervision, and urge that greater attention to such would be helpful.

“The last time this culture question was really examined closely was when Julie Dickson chaired the Supervisory Intensity and Effectiveness group under the FSB, after the Financial Crisis. That was around 2010 or 2011, so some 15 years ago. Even then, there wasn’t a proper cross-sectoral comparison; it was more of a theoretical look at the core features of proper risk-culture efforts: risk-culture statements, communication, accountability, etc. We haven’t taken a hard look since at how we’re actually faring since. We should benchmark and learn from each other.

A benchmarking exercise, or even a list of parameters supervisors should look at when thinking about outcome measurement, would be useful. The difficulty is data sensitivity: benchmarking behaviour requires data, and extracting that from a jurisdiction can be sensitive. 

A body like the BIS — given its experience anonymising and standardising data — could help make it less sensitive.”

4.4.1a Participants noted that global standard-setters have yet to prioritize culture risk governance and supervision, and urge that greater attention to such would be helpful.

“International bodies have scarce resources, and priorities shift. If members think there are bigger fish to fry, this culture topic falls down on the list. But if we can round up like-minded supervisors around the world — even for a pilot, as a public-private collaborative initiative — that would be worth pursuing. 

International processes of this sort do two things. First, they help ensure we pursue a problem along a similar wavelength — using similar structures — so there’s consistency. US banks operate in Hong Kong, Singapore, Tokyo; cross-border benchmarking is needed. Multilateral benchmarking beats a patchwork of bilaterals. 

Second, major jurisdictions have already invested heavily in this space. It’s in their interest that what they’ve done is exported elsewhere. That makes life easier at the group level — easier to measure performance — so I would expect major jurisdictions to step forward to influence the process and export their values through international work. 

There will be pushback: each jurisdiction is different, with local specificities. Still, if designed properly, it would help — at least around core values, communications, and measuring frontline understanding of risk culture statements.”