A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Clare Bolingford

Executive Director

New Zealand Financial Markets Authority

Picture of Clare Bolingford
View Full Report

Contributions to the Supervisors on Supervision Stocktake

If culture is a factor in governance outcomes, should supervisors take stock of their own cultures to improve supervisory outcomes?

1.4.2c Participants observed that demonstrating attentiveness to supervisory culture is critical to gaining buy-in from the firms they supervise.

“We can't have an engagement-led approach if we're not open to hearing what firms have to say, but we also need to be quite direct and make sure that we're very clear about what our opinion is. If something is wrong, we need to tackle that quickly and consistently. And we really need to role model as supervisors what we want to see, demonstrating transparency, clarity, and good communication.”

What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1b Participants also point to evidence that culture problems frequently influence the effectiveness of governance structures, and serve as a warning precursor of their failures. But the relationship between culture and governance remains unhelpfully murky, complicating efforts to examine or improve either.

“This is where risk management becomes crucial. At the governance level, you set the organization's risk appetite. Is there a high appetite for financial risk? Is there zero tolerance for certain behaviors or regulatory breaches? Defining these tolerances at the governance level embeds a particular kind of culture, which may have unintended consequences.

For example, a zero-tolerance policy for anything can foster a culture of blame. If mistakes occur, and it is not possible to eradicate all error, people may feel they will lose their bonus or their job. This then permeates the organization's culture, causing people to focus solely on complying with that one specific rule rather than adopting a more holistic view of the overall purpose and desired outcome. 

These are the challenges both organizations and supervisors must grapple with when defining what behaviors are observed in practice and what may need to change, especially concerning compliance and risk management.”

2.1.1c Some participants emphasize that culture and governance are fundamental to performance outcomes such that reliance on formal controls and processes without addressing culture undermines risk management.

“If you boil down culture to behaviors, values are an intrinsic part of that. You can't separate [values from behavior]. However, culture itself is perhaps not as tangible because it's a shifting element. People define and measure it in different ways. That's why it's important to understand the drivers of human behavior, including both the formal and informal elements of good governance. This involves examining why people, individually or collectively, behave as they do.

You must consider these drivers and how culture — which isn't inherently a definable, permeable, or measurable thing — impacts day-to-day decisions. This applies at the governance level and as expectations filter through the organization, influencing not just behavior but also what's delivered on the ground.”

2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making it even more so a challenge for large, complex organizations.

“We have spoken to many firms which have strengthened their vision and purposes statements to drive a more customer-centric culture. This is a good starting point, but clear vision statements can only have a limited impact on the lived culture of the firm. We are concerned when we see leaders with an almost evangelical belief in their customer-focused mission statements who have not invested in sound controls and reporting to manage and understand the actual customer experience.

As regulators we obviously need to ensure that firms comply with the law. But good conduct risk management will not be achieved by a compliance implementation programme alone, because it is about how leaders and employees behave over time. For an industry within a jurisdiction that has been used to a more legalistic approach, this requires a change of mindset and a move from the compliance-led programmes that have been implemented in the past to conduct-led programmes that are better able to monitor the real outcomes of actions.

The focus of bank leaders should be on identifying and acting on behaviours that produce poor customer outcomes over time — and the implementation of this approach is ultimately an exercise in change management. Unfortunately we have seen firms spending a lot of time and money developing voluminous compliance manuals and processes that fail to deliver much value for their business or their customers.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“I think there's a real difference in conduct supervision between what you define as a bad culture or one likely to lead to misconduct, which may be intended or unintended. If misconduct is unintended, for example through lack of appropriate investment or capability, it can be understood as much through dialogue and conversation, as through analytics and metrics.

After analyzing the firm's finances and macro environment, engage in dialogue at the governance level: 'Talk to us about your strategy. What are you trying to achieve?' It's about asking key questions: 'How will this serve your customers better? How do you know that? What will your approach to managing the risks and your assurance be?’ Finally, it's about getting into the practicalities: don't just tell us it'll be fine; show us. 

We need to get deeper into the firm to see what's happening in practice, how they're testing, and how controls are ultimately working. We talk about leading and lagging indicators of risk and how often they are monitored. 

Then, of course, you have 'bad actors' — people genuinely trying to rip off customers. Ultimately, we try to prevent such firms from entering the market in the first place. But supervision also means finding those already in the market and ensuring they're either removed or understand that such a business model won't be tolerated within our regime.”

Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2a Participants discuss different approaches and frameworks for supervising culture driven risks and highlight relevant tradeoffs. Participants discuss different approaches and frameworks for supervising culture driven risks and highlight relevant tradeoffs.

“We must also change ourselves. Many of the regulatory tools and processes we use now remain more suitable to a compliance-led regime and we are seeking new ways to monitor good culture and conduct risk management.”

2.3.2a Participants discuss different approaches and frameworks for supervising culture driven risks and highlight relevant tradeoffs.

“Where a compliance-based approach necessitates a very long list of specific rules, a principles-based approach can condense these into overarching behavioural guides which are easier to integrate into day-to-day decision-making.

[O]utcomes-based regulation seeks to simply prescribe the desired outcome a regulated entity must achieve, whilst giving the entity some freedom to decide on how they will achieve it. 

As with principles-based regulation, it avoids narrow rule making where possible. It is also much better placed to facilitate a market eco-system where potential harms are reduced, as it directly requires institutions to take ownership in preventing them. 

Compliance-based regulation is easier for both banks and regulators to follow and provides a more straightforward cognitive fall-back to guide decision-making. This is particularly relevant when everyday work is demanding and long — a default for many jobs within the financial services industry. 

In contrast, outcomes-based regulation can conceptually be more challenging, requiring more flexibility, creativity and judgement, from both the institution and the regulator. But the opportunities to change banking for good, aided by conduct frameworks, are much more potent.”

 

2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee. Other participants described the importance of collaborative engagement with the management team of the firms they oversee.

“We say we have an outcomes-based approach, and we also say we have an engagement-led approach. Engagement doesn't mean being nice or simply accepting what the firm says. It's about having the confidence to enter into a dialogue on how things can be improved, or if we believe something is wrong or have concerns, having a direct and straightforward conversation.
We're not consultants; we're not there to tell them ’the answer’. It’s for firms to decide how best to meet expectations. But we can be alongside them as supervisors to say, 'Well, you might say that that's what you're trying to do, but we need some evidence that that's actually working in practice.'

Our engagement means actively working through the challenges with firms: 'Okay, if this is a risk, how are you tackling it? How are you going to manage and mitigate it? And how are you going to assure yourself it's actually working in practice?' 

They're not our clients. We regulate them, we supervise them. But we think we get the best results through having an open relationship with the firms that we supervise. 

This is because you can't have difficult conversations about what's gone wrong or what is really needed to move the dial from a cultural and conduct perspective if they're defensive and feel that you are out to get them.”

 

2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee.

“From our point of view, the culture we try to instill within our people means we come from a very purposeful place. We're a conduct regulator. We need to act with integrity and professionalism with the firms that we supervise. We're trying to make it easy for them to comply, and we're not out to get them.

We want to see good outcomes for customers; we want to see good outcomes for New Zealanders. So the culture is not to find something wrong. The culture is to enable firms to comply well and to get the right outcomes. And ultimately, my belief is that we achieve that by communicating well.”

What are the informal challenges with integrating culture supervision into regulatory bodies?

3.3.3a Still others describe cultural barriers to trialing new approaches and encouraging the internal risk taking that innovation demands, making it difficult to drive change in practice.

“Over the last decade, I would say, we've been moving from a more compliance-based approach into one that's more outcomes-focused and risk-based. That shift requires different skills from our supervisors. 

It's comfortable for supervisors and firms to have a more prescriptive idea of what 'good' looks like — to go in and say, 'Okay, if you meet these criteria then that's fine, you guys carry on.' The conversations we're having now, and have had for the last few years, are very different. They revolve around how firms assure themselves that they have set themselves up well to be sustainable, to manage their risks effectively, and to achieve their strategic outcomes, particularly customer outcomes from our perspective. 

It's about supporting people to ask the right questions, and having the confidence not to feel you always need to have the answers as a supervisor, or indeed to always expect the firm to have them. Sometimes these challenges aren't binary or straightforward — it's not just 'do this, do that.' It's sometimes about working through them together.”

What steps should regulators consider to enable more effective culture risk supervision?

4.1.1a Some participants described the importance of establishing a firm legal basis for supervising culture.

“Late in 2017, the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was established. As the biggest New Zealand banks are Australian-owned, questions were asked about whether similar misconduct was occurring here. There were calls for a similar commission to be established to investigate activities in New Zealand. 

In response, the FMA and the Reserve Bank of New Zealand (RBNZ — the prudential supervisor and licensing agency for banks and insurers) agreed with the Government that a more proportionate response would be to conduct a joint review of culture and conduct within the retail banks and life insurers. 

The findings from this review were published at the end of 2018 and did not find egregious misconduct. They did, however, identify significant weaknesses in the governance and management of conduct risks which could have led to widespread harms over time. Banks lacked proactivity and had been slow to address culture and conduct issues. 

The report made a number of recommendations, including the introduction of a direct legislative mandate for regulating the conduct of providers of core retail banking and insurance services.”

4.1.1b Other participants noted the importance of addressing culture across both conduct and prudential regimes.

“The 'Twin Peaks' model exists for a reason: it's not about entirely separate mountains. They are distinct parts of one landscape. Whether supervising individual entities or the sector broadly, you must consider how these elements interact within one system.

Culture is crucial for both prudential and conduct supervisors. For conduct supervisors, it's especially important because culture ultimately defines how people conduct their business. It's about how people behave, and behavior directly impacts conduct. Therefore, as conduct supervisors, we must understand the drivers behind people's actions and why misconduct occurs. 

We don't want to be merely the ambulance at the bottom of the cliff, cleaning up the mess that results from misconduct and trying to set things right. If we aim to be more forward-looking and prevent misconduct from occurring in the first place — to 'build a fence at the top of the cliff' — we must engage in dialogue about why misconduct happens initially. 

This is where the intersection with prudential supervision becomes clear. Prudential supervision, like conduct supervision, focuses on business sustainability: does the business have a viable model? Can it meet its financial obligations as they become due? It's about good risk management, just as conduct is, but viewed through a financial rather than a non-financial lens. The key point is that they all intersect.”

What steps should supervisory bodies consider to help drive their own culture change?

4.2.1a Participants noted the importance of supervisory cultures supportive of innovation and a readiness to adapt to change.

“We've got to adapt the financial services sector and regulation to the future needs of today's and tomorrow's customers. And honestly, we're not there in New Zealand at the moment. We've got people looking for products that just don't exist at the moment. We've got people looking for services that are quite nascent in this country and there are plenty of opportunities and risks to developing those products, both from a regulator and a supervised perspective. 

We've got to have a mechanism to think our way through those challenges and ensure we aren't restricting what customers can access by either our regulations or the way we supervise while also still balancing appropriate protections. We also must avoid influencing the cultures of these firms to be so simple and safe that they are not ultimately sustainable over the long term and capable of providing the products that people want in the future."