A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Asia-based past supervisor


Contributions to the Supervisors on Supervision Stocktake

What does culture mean in the supervisory context?

1.1.1b Some participants argue that supervisors should focus on a subset of organizational culture (“risk culture”) that directly applies to risk and compliance functions and outcomes.

“Quite honestly, if you don't have a risk culture, you have culture risks. That's it. If there isn't a healthy respect for risk in everything that you do, you have culture risk.”

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.

“Even though everything was under my roof, I have to tell you about a situation that arose because of the Global Financial Crisis. In Singapore, the biggest issue we had for the domestic consumers was originally thought of as a conduct issue, not a prudential issue. Our banks were rock solid. It was a conduct issue because of something called Lehman Brothers Minibonds. These were CDOs that were packaged and sold like they were bonds.

Mea culpa: we really should not have let them be called ‘mini bonds.’ People were buying them thinking they were bonds, but they were actually CDOs. As the assets in the reference basket started collapsing, so did the value of these instruments. 

Is this a conduct issue or a prudential issue? On the surface, it's a conduct issue. But many of these instruments were sold by banks and insurance companies. Because of the blowback, it cost them many millions in fines and restitutions. There were also reputational risk issues. Then it became a prudential issue, didn't it?”

1.2.1d Some supervisors have suggested that organizational culture has the potential to generate systemic risks, rather than merely idiosyncratic risks isolated to a given firm.

“The most important thing we need to tell the private sector is that you need to know where your inner true north is so that you follow your own principles, regardless of what others say. You have to decide. Do you really have to keep dancing while the music's still playing, or do you have to dance every dance? That's on you.”

How does the lack of a common supervisory approach to culture and conduct risk across jurisdictions pose a concern?

1.3.1a Some participants note that, because many financial institutions operate in multiple jurisdictions, a lack of coordination on culture and conduct risk creates challenges for effective supervision.

“Sometimes I get the impression there is too much red tape. It's not just one regulator; it's several. It's throwing out a lot of red herrings and sand in the wheels that may not be necessary. 

There's also an unevenness in regulatory oversight across jurisdictions. I think the regulatory community needs to bring some regulators up to best practice as well. Some jurisdictions tend to take their eye off the right ball and try to make you do things that may not be in the best interest of the bank. More can be done in the international regulatory community to raise the baseline level. 

It boils down to supervisory practice. This is hard to put science around, though you can to an extent. You must have structures and the right incentives in place. Over and above that, regulators can do more to share best practices amongst the industry.”

What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1b Participants also point to evidence that culture problems frequently influence the effectiveness of governance structures, and serve as a warning precursor of their failures. But the relationship between culture and governance remains unhelpfully murky, complicating efforts to examine or improve either.

“Some financial institutions are inherently very compliant. In those cases, you start from a much higher and easier base, but you can have another type of risk because they can be too compliant, in the sense that they abdicate their thinking. They only do what the regulators tell them, and that's not an ideal situation. Those types of institutions, frankly, don't do so well in the long term, because they don't really innovate and they don't think for themselves.”

2.1.2a Many participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.

“One of the pillars of how risk-based supervision will work is if you are more forward-looking and more anticipatory, rather than reactionary.

I think [the reason for the SVB collapse was] because supervisors were too backward looking. Because you came out of the Global Financial Crisis where credit risk was all consuming, everybody was doing every kind of stress test on credit risk — left, right, center, up, down, across, diagonally — and people forgot about interest rate risk. Interest rate risk was benign for a good 10 years, so supervision was too backward-looking. 

Silicon Valley Bank was also another example related to risk-based supervision. We all drank the Kool-Aid that you should focus on G-SIBs and large banks. Silicon Valley was a small bank, so the thinking was you don't need to be so tough on them because systemically they don't cause much of a problem. But the supervisory community forgot that while it's one small bank, as a class of small banks, they can cause systemic risk.”

3.1.2d Some participants discussed the role of judgment-based supervision versus rules-based regulatory approaches to culture risk assessment.

“In the past, a lot of the emphasis was on regulation; we set the ground rules, and everybody played by them. Everybody was very compliant. But of course, as the markets and the industry evolved, and as firms started hiring rocket scientists, we looked to give them more autonomy in things like modeling and self-assessments. 

We found that supervision actually became much more important than just the regulations. It's the same old adage: you can have the traffic code, but you still need policemen to police that code. That's where we started getting more interested in the culture of an organization. 

The problem is that, whenever something happens, we just layer on prescriptions and rules. That sometimes has the unintended consequence of making people switch off their brain.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1c Other participants note that culture drives impact well beyond risk and control functions, and that it therefore requires supervisory attention for these reasons as well.

“What we wanted to do [at the regulator] was to get institutions to take responsibility. They're the frontline, and they take responsibility. We would say, "This is the base, and then you go and decide what you need for yourself. But this is the base, and it's a base, not the maximum." 

That's how we started looking at how management and the board looked at this, and that is how I would define culture. How do they self-reflect and think about the risks and profiles of their company? How do they mitigate and navigate those risks? How do they look forward? How do they take advantage of some of these challenges and then move ahead? All of that is culture.”

How is supervision made more challenging by a reliance on judgment?

2.2.2c Participants discussed how a lack of trust between supervisory bodies and the firms they oversee can be detrimental.

“If I may say, we're always hitting them with black marks. You should get some brownie points if you've gone above and beyond the regulatory minimum and have shown self-awareness in your company. Even if it's just a pat on the back or you tell the board, ‘Your management voluntarily did this.’ We don't do enough of that. We go out there with a stick all the time.”

Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2c Some participants note that data is sometimes collected but then it may be unclear how it may be properly used for risk assessment or enforcement.

“If you ask for too much information that you don't use, guess what? That information is sitting in your system. If something happens and people say, ‘Well, you had all this data and you didn't analyze it and you didn't see this coming,’ it is also a risk for the regulators.”

Why have some jurisdictions invested in and leaned into culture supervision while others have not?

3.1.1a Several participants noted that many supervisory agencies have typically increased their culture risk supervision efforts in response to some crisis.

“We lived through the Asian financial crisis. The Asian tigers were the ones that were badly hit. We were so lucky in Singapore; we were actually a safe haven and, in a way, beneficiaries of the Crisis, because there was a flight to quality.

But having said that, one of our very small local banks had an inordinate exposure to Indonesia. They didn't go bust, but they were bought over, and there's a reason people get bought over sometimes. We did have that as a lesson. Luckily, it was not a fatal blow, but it was still a lesson to us as to what can go wrong. Even with tight regulation, and even though it was our smallest bank, it still got into trouble. That taught us that we needed to change our thinking. 

We were moving away from very tight regulation to more risk-based supervision, we had to then rely on the players and their in-house ability. We weren't clever enough to give it the label ‘risk culture,’ but that was what we were looking at. 

When the Global Financial Crisis came, it was an even better result for Singapore. A lot of foreign banks were going down, but the local banks didn't even have a loss. We credit that to having gone through the earlier crisis. 

The Asian financial crisis made our institutions very risk-aware. It made us think about following fads and about too much concentration risk. So, when all these CDOs came along and became a very sexy thing, we used to just say to the banks, ‘You have to understand it first before you get into it. Why are you getting into it?’”

What are the structural challenges to integrating culture supervision into standard oversight practices?

3.1.2c Some participants noted that questions as to whether and how culture should be approached by conduct regulators vs prudential regulators can create organizational challenges.

“In Singapore, conduct regulators and financial stability [shared common leadership], so it was all under one roof. But in many other jurisdictions, it's more balkanized. That is also a problem. Conduct and enforcement people tend to set really strict rules, and if they're broken, you want public hangings. But prudential regulators want to be more anticipatory. Especially if you're in charge of a bank, you do not want to precipitate a bank run. Public hangings are really not the way to go. It's a different philosophy, so it's a different culture. 

The conduct regulator will have to look at culture from a particular perspective. The prudential regulators will look at it from a particular perspective. But there must be somebody joining it all up at the top for large institutions that have both prudential and conduct risk.”

How can supervisory bodies move to embed culture risk into supervision and governance frameworks?

3.4.1b Participants also described the role of the supervisor in making culture risk governance tangible for supervised firms through training, tools, and targeted frameworks.

“I’ve also seen this in staff rotations. You don't just rotate to give someone an all-rounder experience. The ones who go in, find practices that need changing, and actually change them — that's good risk culture. You're not just stepping into the old shoes for three years to get a tick and the next promotion. You go in with a fresh pair of eyes, and that's what these rotations are meant for.”