A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Ian Johnston

past-CEO

Dubai Financial Services Authority

Contributions to the Supervisors on Supervision Stocktake

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.

“I completely understand institutions have to be able to make money. Institutions have got to be able to take appropriate risks, and I'm nowhere near the sort of person that says you should try to regulate all risk out of the system. But I think that it's a case of institutions saying, ‘Okay, we want to be the sort of place that doesn't just have adverts, doesn't just have commercials, doesn't just have slogans that say that we put the customer first.’”

1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.

“I think there's a continuum that's taking us further down the pathway of identifying or displaying just how clearly conduct risk can become a serious prudential risk. The reasons for that are two things that aren't necessarily deliberately related, but they are connected. 

First, you have regulators who are quite properly getting tougher, I think, in holding improper conduct to account. 

Second, running in parallel, is that society as a whole has tended to be more litigious. And the courts appear to be more willing to award significant damages — and I mean not just significant remedial compensation, but punitive damages — against institutions who do the wrong thing. 

So, those two things to me say that institutions need to be really careful about this stuff, and this is where you get to culture. Institutions need to address the fundamental things that might cause misbehavior. There are always going to be rogue elements; there are always going to be people within institutions who do the wrong thing. 

But when you get to significant sums, that generally means there's something fundamentally wrong in the organization. And that, I think, is when you get to the culture question.”

1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.

“As well as the readily identifiable direct financial impacts of misconduct through fines, penalties and investor compensation, there is the ever-present threat, to banks in particular, of misconduct causing investor or depositor confidence to erode.”

If culture is a factor in governance outcomes, should supervisors take stock of their own cultures to improve supervisory outcomes?

1.4.2a Some participants also observed that, because culture affects outcomes across all sorts of organizations, it is also relevant to questions of supervisory effectiveness.

“I think that regulators should be spending just as much time in building their own cultures. You should be spending as much time on looking at the fit and the ethos of the people that you employ and not just what the c.v. looks like and their technical capability.

At the DFSA, we would talk a lot about ‘fit’ when we were bringing people in. We would have as much of a discussion at the senior level in looking at senior people about fit, and not just what have they done, where have they worked, and what the c.v. looks like. And that fit, if you will, was cultural.”

What are the consequences for failing to consider the influence of culture in assessments of governance effectiveness?

2.1.2a Many participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.

“The recent case of Credit Suisse is, arguably, an example of persistent conduct of business failings reaching an extent whereby there was a significant loss of confidence in the bank.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“Regulators should set the expectations. Regulators should say, ‘Here's what we require. We will leave it largely to you as to how you get there, except for some major staging posts such as you must have a proper risk management framework, you must have a proper compliance framework,’ but leave it to the institution as to just what that looks like. And then if they don't get that right, if the behavior is wrong and something happens, well, we hold them accountable. 

So I think it's right for regulators to set the broad expectations and requirements for governance. To illustrate the point, I think it's right to say institutions need to have the right compliance framework, but I don't think the regulator should be saying, ‘And that means you must have X number of compliance officers, and you must have this hierarchy.’ I don't think regulators should do that, and I think it's a mistake to do that. So, I'm much more in favor of a principles-based approach there, which puts the onus on the industry to then manage the structures to get to the right end.”

2.2.2a Many participants describe challenges with engaging management teams and boards on questions related to culture risk supervision.

“Regulators are obviously very good at knowing when the regulations have been breached. That's pretty easy. Much harder, in fact, is to make a call that says, 'Well, we can't see any major breaches, but we think your culture's all wrong.' There's a huge responsibility on you if you're going to try to make such a call. 

And if I'm still in the industry, I'm sitting in the firm, the other side of the table, I say, ‘Well, tell me about that. Tell what that looks like and what you think it should look like.’ I think that's why this is so hard, because if you're going to make that sort of statement, you've got to have a pretty good basis for it.”

Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2a Participants discuss different approaches and frameworks for supervising culture-driven risks and highlight relevant tradeoffs.

“I do think you've got more chance of impacting the culture of an organization by taking a principles-based approach. I think a more principles-based approach works because you can enforce against breaches of principle.

I think that getting out and doing proper thematic supervision gives you a good snapshot of behavior. At the DFSA, we would sometimes take enforcement action because an individual or firm breached the Regulatory Principle of Acting with Integrity.

I think that that gives you far broader scope in being able to impact the culture and behavior in the organization. You can say, ‘Our finding is that you breached the principles of integrity.’ It's not that you breached these 27 small things, and we're going to take 27 small bits of action against you, but we think that taken as a whole as an organization or as a person, you haven't acted with integrity, and that's a requirement under DFSA legislation.”

2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee.

“It's really important for the regulator to talk to the industry and to listen. 

It’s incumbent on the regulator to engage and to be approachable and be able to have someone actually speak to people. 

If a firm wants to come and speak to you, you should meet with them. You should listen to what they have to say. Some don't do that, believe it or not. There are some regulators who won't meet with the industry unless there's an actual matter that needs to be addressed. I think it's nuts to say that you're going to regulate an industry but not actually get out and about. You’ve got to engage with the market.”

What are the structural challenges to integrating culture supervision into standard oversight practices?

3.1.2c Some participants noted that questions as to whether and how culture should be approached by conduct regulators vs prudential regulators can create organizational challenges.

“Is it easier as an integrated regulator to see this? Yes, I think it is, because the prudential team has access to data that a conduct regulator doesn't typically get. As an integrated regulator, you see more, and it's probably easier to engage.”

3.1.2d Some participants discussed the role of judgment-based supervision versus rules-based regulatory approaches to culture risk assessment.

“When you see outbreaks of misbehavior or something happening in the industry, often the knee-jerk response from regulators is to put in place more regulation. But in fact, I think often the answer is not to do that, because you're just slowing down the people who are doing the right thing. But often the better response is to see where the bad behavior is, take enforcement action, hit those people hard, and let the people who are doing the right thing get on with business.”

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2b Participants highlight the potential offered by analyzing latent data sets in innovative new ways.

“Regulators these days have a lot of data, and it needs to be interrogated intelligently. But you also then need to be guided by that. A regulator needs to be out there looking at the institutions on a rotational basis, on a risk basis, and seeing what's actually happening inside. 

I think that's the sort of magic little bit. It's not just trusting it to everyone doing the right thing and then seeing whether it happens, but when you go in and visit the institutions, you should be testing those things.

I think using the data intelligently, using the enforcement outcomes that you're getting, allowing those to guide you into, if you like, the main body of your work, which is supervising what people are doing and actually getting in there and testing compliance, testing that approach to risk.”

3.2.2c Participants point to the value that would be achieved were we able to conduct reliable horizontal peer reviews and benchmarking exercises in the realm of culture risk supervision.

“I'm a huge believer in doing thematic supervisory visits. You can go either institution by institution and look at what they're doing or you can test a topic across the regulated population. And that can give you a good idea of what behavior is like across the market on specific issues that can be indicators for overall behavior, and that's where you can spot gaps in culture.

The way that I've tended to oversee their use has been not to try to identify enforcement outcomes, but to actually go in and understand what's happening. And in the most egregious cases that you see, you might take some enforcement action, but the purpose is more to be able to test what the market is doing and then provide a report at the end of it and say, ‘Look, this is what we saw in your industry. Here are the examples of good behavior. Here are the examples of poor behavior and their likely outcomes.’ 

The other sort of reason that I like doing thematic work was that we would announce it ahead of time. So, if we thought there was an issue, we would announce ahead of time, ‘We're coming in to look at that, but that's a topic we're going to focus on, and we'll be selecting a certain number of firms.’ 

And they know that it's not enforcement-focused. They know that it's a genuine, ‘We want to understand how it works.’ Guess what tends to happen? You say you're coming in to look at it. Firms at that stage don't know whether they're going to be in the sample or not, but everybody then has a look at their practices. 

The whole industry then lifts because they want to put on a good show when the regulator does turn up. Then we publish a report and say, ‘Here's what good behavior looks like, what bad behavior looks like. Here's what we found.’”

What steps should supervisory bodies consider to help drive their own culture change?

4.2.1b Other participants noted that training and upskilling is required to incorporate behavioral science and culture assessments into supervision.

“These days you can get a lot of data, and that has to be intelligently interrogated. So, regulators need better skills in that area. Some regulators well understand that and are taking steps to get data analysts, data scientists, people like that into the organization that can properly interrogate data. 

Regulators also need people who understand the business model, and this is where AI won't replace people. You need people who can actually go in and know what the institution is trying to achieve because of its business model. So, you need to have the right sort of people in the regulator.

I think career regulators are really valuable, and you need them, but you also need up-to-date market expertise.”