A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Chapter One — Culture as a Supervisory Concern

Included in this Section

1.1 – Definitional Ambiguity and Supervisory Hesitancy

1.1.1 – What does culture mean in the supervisory context?

  • 1.1.1a There is recognition among stocktake participants that culture lacks a commonly agreed-upon definition, which makes it difficult to understand or to discuss, let alone to assess.
  • 1.1.1b Some participants argue that supervisors should focus on a subset of organizational culture (“risk culture”) that directly applies to risk and compliance functions and outcomes.
  • 1.1.1c Others define the scope of supervisory interest in culture much more broadly.
  • 1.1.1d Others observe that conflating values and culture may be problematic, as it may conflate supervision with the making of moral judgments.

1.1.2 – How do inconsistent definitions and the lack of a common framework by which to discuss culture impact the practice of supervision, particularly as regards material but qualitative risks?

  • 1.1.2a Many participants note a relationship between culture and governance, but also note that a lack of shared grammar, frameworks, tools, and training contributes to inconsistent expectations.

1.1.3 – What is the relationship between culture and governance and how does ambiguity about that relationship contribute to uncertainty?

  • 1.1.3a Participants shared differing perspectives on which comes first, culture or governance.
  • 1.1.3b Other participants noted that culture and governance are interconnected and influence one another.

1.2 – The Case for Culture as a Supervisory Concern

1.2.1 – Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

  • 1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.
  • 1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.
  • 1.2.1c Still others see little distinction between cultural drivers of nonfinancial and financial risk, making it an area of interest to conduct and prudential regulators alike.
  • 1.2.1d Some supervisors have suggested that organizational culture has the potential to generate systemic risks, rather than merely idiosyncratic risks isolated to a given firm.
  • 1.2.1e Some participants observed that culture problems can ultimately lead to a loss of credibility for the financial sector as a whole.

1.2.2 – If culture is important to supervision, then what factors make it challenging to assess?

  • 1.2.2a Participants have pointed out that culture risk is typically only explored post-hoc, during root cause analysis, rather than proactively, before adverse outcomes arise.
  • 1.2.2b Participants point to culture as winning attention only in circumstances of remediation and argue that, once the acute pain is passed, the ongoing chronic pain is simply tolerated.
  • 1.2.2c Other participants describe how organizational complexity can make it difficult to assess culture risk and to evaluate success in connection with culture change initiatives.

1.3 – Global Convergence and Divergence

1.3.1 – How does the lack of a common supervisory approach to culture and conduct risk across jurisdictions pose a concern?

  • 1.3.1a Some participants note that, because many financial institutions operate in multiple jurisdictions, a lack of coordination on culture and conduct risk creates challenges for effective supervision.

1.3.2 – What might cross-border coordination regarding culture risk governance and supervision look like?

  • 1.3.2a Some participants suggest cross-border coordination would enable better practices.

1.3.3 – What role do international standard-setters have to play in coordinating culture supervision?

  • 1.3.3a Many participants point to the need for global coordination on standard setting.
  • 1.3.3b Participants also emphasize that the goal may not be uniform standards so much as establishing coherent terms of reference and frameworks of analysis — a “shared grammar.”

1.4 – Legitimacy and Trust as Supervisory Assets

1.4.1 – How do supervisors approach supervision in the absence of clear frameworks and guidelines related to culture?

  • 1.4.1a Many participants point to the importance of supervisory judgment in assessing potential problems related to culture.
  • 1.4.1b Participants also acknowledged how supervisory discretion may be limited.

1.4.2 – If culture is a factor in governance outcomes, should supervisors take stock of their own cultures to improve supervisory outcomes?

  • 1.4.2a Some participants also observed that, because culture affects outcomes across all sorts of organizations, it is also relevant to questions of supervisory effectiveness.
  • 1.4.2b Some participants argue that, because the nature of supervision is different from banking, culture as a matter of supervisory effectiveness should be considered differently than when examining culture as it drives outcomes for industry participants. Often pointed to in this regard is that private industry is profit-motivated while supervisors seek to serve the ‘public good.’
  • 1.4.2c Participants observed that demonstrating attentiveness to supervisory culture is critical to gaining buy-in from the firms they supervise.

1.4.3 – How does a lack of effective tools and frameworks for culture risk supervision impact perceptions of supervisory legitimacy?

  • 1.4.3a Participants described how the lack of a common evidentiary basis makes it difficult for supervisors to demonstrate effective culture risk governance and/or supervision.
  • 1.4.3b Participants also point out that such tools would be helpful in supporting effective governance around supervision itself.

Chapter Questions and Comments

1.1 – Definitional Ambiguity and Supervisory Hesitancy

1.1.1 – What does culture mean in the supervisory context?

1.1.1a There is recognition among stocktake participants that culture lacks a commonly agreed-upon definition, which makes it difficult to understand or to discuss, let alone to assess.

"After the Global Financial Crisis (GFC), efforts to shore up financial stability and confidence in the financial system focused on rebuilding resiliency including restoration of capital levels on bank balance sheets and achieving stronger governance of risk culture. While the need to rebuild capital was obvious, the supervisory work on governance of risk culture is probably least understood, even if it was identified as the root cause of the GFC. Since the GFC, the discipline for supervising risk culture is marked by less consistency and transparency in different markets. Moreover, the prevailing view is that it is not measurable.

Currently, there's a strong drive in the US and elsewhere to focus more on financial risk and to de-emphasize the supervision and regulation of non-financial risk or as it has come to be considered, "the soft-stuff". This worries me because the post crisis diagnosis was correct. Namely, a root cause of the GFC was that risk culture was out of whack with the goals of sustaining stability and resiliency. We need to be able to answer this challenge: How do we make it more credible to the outside world — to bankers and policy-makers — that focus on a well governed risk culture is a true north, a key component of effective supervision?"

“Compared to more specific and tangible prudential and conduct rules, ‘culture’ is a woolly mammoth — not an easy creature to define or bring to life.”

“[After the Crisis,] everyone talked about culture as important — but they couldn’t define it. That made it impossible to assess or improve in any structured way.”

“Culture is a concept you can't touch, feel, or even see. Yet it has a profound impact on shaping organisations’ identities and ways of working. Because culture is viewed as abstract, this frustrates how we talk about culture as a system, which is intellectually unsatisfying because it seems to avoid the obvious realities.”

“I think the problem you’re getting at is: what is the authority under which the supervisor or regulator can argue that culture is part of their purview?

It’s sort of a soft concept. That’s what people are unhappy with. I get that. I mean, what is culture, exactly? That’s one of the challenges.

Since culture is pretty hard to identify and evaluate — and behaviors are also hard to evaluate — it’s difficult for supervisors to be confident that what they’re doing is going to meaningfully move the needle in terms of outcomes.

So I've backed away from ‘culture’ as the way I talk about this. I talk about it more in terms of incentives. We need to have the right incentives in the system because incentives drive behavior, and behavior sets the social norms. And then that collection of social norms ultimately defines what we call culture.

So the culture is the end of the road rather than the beginning of the road. And that puts culture as less central. It’s sort of the result of all this.

But the social norms are what we really need to be working on. And the incentives to shape those social norms are what we should be working on. And I think that makes it a lot more tangible.”

“[The work done on culture is] never enough. I sense that professional supervisors tend to be more comfortable with quantitative and prescriptive rules because they are easier to measure and report. Culture is harder; it's subject to interpretation.” 

“Lots of things are hard. But just because this is hard, difficult to engage with, and you can't just tick a box, that makes it all the more worth engaging with.”

“I think culture has become a critical concept in modern corporate governance parlance. Good culture promotes good, objective decision-making, and I think culture plays a critical role in having a sophisticated analysis and conversation about what's going on in an institution. 

There's no one culture that's going to deliver what people think they want. As a generalization, we sort of know when the culture is bad, or at least we think we know because bad things happen, right? Companies collapse, they produce toxic products, they mislead their customers. 

And so we say ‘Aha! There's a cultural problem there because they haven't been able to do A, B, and C.’ And then there are other organizations where things seem to be going well, and sometimes we say about those organizations, ‘Oh, that's a good culture’. 

But in my mind, culture is really a compendious type of expression where we dump all sorts of issues and problems under that umbrella. We say, ‘Well, if X has gone wrong, oh, that's the culture. It's a really bad culture.’ We've got to be careful how we use the concept because it does exhaust its usefulness after a while.”

“To date, discussions of culture have remained abstract. They’ve relied on self-assessment, survey sentiment or reputational proxies. Supervisors have struggled to clearly define what ‘good’ looks like and focus instead on evidence of ‘bad.’ That understandably frustrates firms, which then tend to approach the topic as an exercise in window-dressing, designed to placate supervisors.”

“True to the University of Chicago tradition, what we’ve always tried to do is measure things that don’t at first appear measurable — or apply economics to behaviors people thought it couldn’t touch. Things like the economics of marriage or drug addiction. 

You start with a behavioral model — not a perfect one, but one that gives you a benchmark to test hypotheses or prompt new insights. That’s what intrigues me about this culture conversation. I agree it’s important, but unless we make it concrete — with structure and measurement — it’s hard to get traction.”

“Organizational culture is that intangible thing that aligns each employee's attitudes and behaviors to corporate values. 

We often say that employees are guided by policies, processes, rules within an organization; that is true, but it's not the whole truth. More than abiding by policies and rules, employees often choose to do what is acceptable in the eyes of their bosses and their colleagues.

They do this when interpreting rules and in situations where there are no prescribed rules, and this can happen since rules cannot cover each and every situation. They will ask, ‘what will my boss, what will my colleagues expect or think about this thing I'm doing? What can I do to get me recognized, appreciated, even promoted?’ That is organizational culture at work.”

“While there is no one-size-fits-all culture, a healthy culture shares common elements. 

Employees want to work for organisations whose purpose resonates with their own individual sense of purpose. Consumers want to be able to trust that firms are not only looking after their money, but also looking after their employees and other stakeholders, treating them fairly while engaging in ethical business practices. Shareholders want to invest in firms that can make them money by doing good and by adding value to society.”

“Culture is inherently less tangible than, say, capital ratios or liquidity buffers — so we used substitute words like shared values, beliefs, and behaviors. That makes the work inherently qualitative and, to some extent, subjective.

If different supervisory teams define culture differently, they will look for different things.

When I was at MAS, there was no prescriptive definition of ‘good culture’ that could be applied equally across all institutions — given their very different business models, sizes, and operating environments. What’s meaningful for a small community bank in the U.S. may not map to a global institution.

Even if we could have designed a thoughtful methodology, firms understandably perceived it as subjective, which generated resistance — or at least limited buy-in. That, in turn, could undermine the effectiveness of supervisory recommendations. 

So, how do we assess culture without a one-size-fits-all worksheet?”

“There is broad agreement that culture is an important driver of institutional performance. However, for the most part, our assessments are implicit. There is no explicit or quantitative measurement. The question therefore arises as to whether we need to be more systematic and consistent in our assessments of culture (both of our own and other organisations).”

“For regulators, ‘culture’ has often meant creativity, balance, and — critically — understanding the businesses we oversaw. The Fed, for example, has been very good at understanding firms deeply and pushing for improved behavior. 

But we haven’t always framed it in terms of ‘culture’ as you now are in this report.

When we sought to explore culture at FINRA 12 years ago, we didn’t obsess over the label. You could call it culture, or you could call it strategy. What mattered was three things: 

How do firms talk about new opportunities and communicate consistently?

How do they enforce accountability when people move off course? 

How do they respond when things go wrong — especially with their most successful people? 

Those are culture questions, even if you don’t call them that. Culture is a useful shorthand for the norms, strategies, and decision habits that distinguish firms. If you break it into buckets like I’ve just done, it becomes more measurable, less ephemeral. 

Critically, the most important indicator of culture is how a firm reacts when things go wrong. And stuff will go wrong. The question is: are people held accountable? Are changes made that make recurrence less likely? That’s what supervisors should be watching.”

1.1.1b Some participants argue that supervisors should focus on a subset of organizational culture (“risk culture”) that directly applies to risk and compliance functions and outcomes.

“We should first define ‘risk culture.’ Over the years, different international institutions — the FSB and the BCBS — have tried to do that.

It’s not enough to say, ‘We act in the best interest of customers.’ What does that mean in deposit-taking? In granting or assessing loans? In selling investment products? It’s very hard to quantify. After the crises of the last 20-30 years, the international community tried to put some structure around this and came up with the concept of ‘risk culture.’

From our perspective, the term ‘risk culture’ is an attempt to put structure around a highly non-quantifiable set of parameters that supervisors have long focused on. It should reflect the core values that financial institutions should pursue — things like: when a bank interacts with customers, what values should the bank pursue, and how do you propagate those values to staff?”

“We have frameworks in certain areas — risk culture, for example. That’s part of culture risk, and it’s easier to define. It includes risk appetite, but also behavioural patterns such as listening to staff or speaking up are included, although these aspects rather belong to the overall culture.”

“Risk culture is a subset of an organisation’s overall culture, but with a specific focus on values, beliefs, knowledge, attitudes, and understanding about risk. The overall culture of an organisation influences its risk culture by shaping how employees perceive and respond to risk.”

“Risk culture is what is influencing decisions that produce different risk-reward outcomes, under the same business model, under the same conditions.”

“Risk culture is when the board or senior management defines the risk appetite — how much risk the institution is prepared to take — and then sets quantitative benchmarks to stay within those parameters. It’s top down. Culture risk is about whether the board is fully sensitive to the risks the bank is exposed to. It emerges from the bottom up.”

“Quite honestly, if you don't have a risk culture, you have culture risks. That's it. If there isn't a healthy respect for risk in everything that you do, you have culture risk.”

1.1.1c Others define the scope of supervisory interest in culture much more broadly.

“I would focus on a broad definition, encompassing all the internal norms, incentives and mechanisms driving the organisation, at all levels, and determining the risk profile and the conduct of the firm in the medium to long term.”

“Every bank has different internal cultures … So when we look at a bank, we don’t just assess operational risk. We look at how people interact. Even when two German banks merge, they may not share the same culture, the same attitude towards customers, risk and staff.

For me, culture is broader than risk culture. Culture includes mindset, values, and how you interact with others — not just risk management or business, but how you treat your staff, your clients, your landlord.

You want some basic values: an atmosphere where staff does not fear to speak up, management listening to each other, fostering an environment where ideas thrive, where people are challenged. That’s culture.”

“Although I find the concept of culture really helpful, I sometimes wonder whether we put too much weight on it as a bit of a silver bullet when it isn't.

The way we talk about culture, it has a lot of work to do; it carries a lot of conceptual weight across a whole range of topics. So I think it's really important when we think about culture to contextualize it.

It just seems to me that if we think more in terms of what makes an organization successful, then the metrics start to change. A successful organization has a whole range of attributes, and we compendiously refer to them as ‘good culture’.”

“Culture is what you learn from your colleagues, and culture is what you get the sense is permitted by checking the reaction of your colleagues.”

“A sound organisational culture strengthens alignment of attitudes and behaviours within an organisation to positive corporate values. It ensures consistency and quality in how financial institutions execute their policies and processes, and how they make decisions on a daily basis at all levels within the organisation. Examining organisational culture has thus been an increasing focus for a number of financial regulators, to minimise misconduct and internal control failures at financial institutions.”

“Social media allows information to flow freely and people to mobilise quickly, which means companies are far more likely to be caught out and face consequences for doing the wrong thing. The consequence is that materiality effectively moves in line with the social license. The way to manage this — and turn it into competitive advantage — is by building a culture of trust right through an organisation. 

When we consider where trust in business comes from, we can draw a direct line from the public perceptions of a company to its corporate culture. Culture is the unwritten rules of how things are done in a business. It shapes employee behaviour and decision-making right through an organisation. As such, it is inextricably linked to a business’s ability to act in the interests of its customers and to do the right thing.”

“One of the best definitions of culture, though it's also used for character or ethics, is: what do you do when no one's looking? What is your ethical state, and how do you then begin to transmit that series of values throughout your organization? 

This culture/ethics question often gets wrapped up in ‘reputational risk’. But it’s a very private decision taken inside organizations. The regulator isn't scrutinizing this right now, activist groups aren't scrutinizing this right now, the rest of the market is not looking at this right now. This is a decision I'm taking inside my own walls. You shouldn't be reliant upon your peers or regulators to set a norm. This needs to be a norm that is understood inside an institution. 

It starts from how the senior leadership, the board, and the owners of an organization want to conduct themselves and what they ultimately believe is the right thing for their customers and clients.”

1.1.1d Others observe that conflating values and culture may be problematic, as it may conflate supervision with the making of moral judgments.

“We often conflate values and culture — using terms like integrity, transparency, inclusivity. This leads to backlash when regulators are seen to impose values. When culture oversight is framed in values-laden language, it opens supervisors to charges of ideology rather than risk governance. In today’s political climate, this undermines legitimacy.”

“Culture assessments often start with how an organisation feels. That is important, but I prefer to start with how it acts.”

“This cultural issue should not be about business ethics; it should be about good business practices and how to build a successful business. If you can frame it the latter way rather than the former, you can build something that will have credibility with supervisors across borders and with the industry itself. It's not about moralizing; it's about good risk management.”

“A lot of a supervisor’s business is about stopping perfectly decent human beings who are going about their normal daily jobs from making really bad choices, rather than stopping criminal masterminds. 

The vast majority of people I dealt with when I was at the FCA were often perfectly good, regular people in successful commercial business careers who made some really bad choices. 

It's often when you are chasing just that extra bit of margin, or when you're under commercial pressure to meet your targets, that people do things that, if you had asked them in the cold light of day, they would simply say, ‘Oh no, of course I wouldn't do that. I'm an upstanding citizen.’ That is often the start of people getting into a downward spiral, whether it's trying to rig markets or gouge customers.”

“Well-run organizations, run by people that have high integrity, who are honest, diligent, open minded — and other words like that. We'll call them ‘good values.’ Now, is that culture, or is that good values? 

The way I like to think about it is: what sort of organization do you want to be? What sort of values? And then that'll lead to your own culture.”

“Boards — by definition, that includes the CEO and senior leadership — must consider what cultural values are essential to their business model, their clients, and their ability to create shareholder value. They must define those values explicitly, and then ensure the institution is aligned to them. 

Which values? That’s up to them. Not us. We are not here to legislate values. 

When we articulate our expectations around integrity and security, the test we impose on ourselves is this: take the Milton Friedman article from the 1980s, which argues that the manager’s only imperative is to maximize shareholder value. If a board adopted that view as its guiding value set, would our guidance reject it? 

It shouldn’t. Our guideline should say: fine — but how will you measure adherence to that? And how will you steer your organization to live those values? 

It’s up to the board and senior management to define how they maximize shareholder value. It’s not our job to define it. 

Our job is to ensure they are doing so in a disciplined and transparent way — especially if they are a systemically important bank. If they fail, the country’s economic future is at risk. Our job is to ensure the financial system is stable — that funding is available in good times and bad, and that banks don’t disappear at the worst possible moment. That’s our role. We do not define the culture that delivers that. Boards do. 

Accountability starts with the board. The board represents shareholder interests. That’s the board’s job: to articulate values, and to ensure they are lived. Management executes the board’s vision and strategy. It’s the board’s responsibility to define a culture that will achieve that — not the regulator’s. The risk for supervisors is that we take our own values — those we hold dear — and impose them on institutions. That’s not just overreach — it’s illegitimate. We have no right to do that. Our job is to protect creditors, and more broadly, financial system stability. Full stop.”

“I’ve found that once lawyers start talking about ethics per se, we lose our audience. After all, what do lawyers know about ethics? We’re not hired to be philosophers. We’re hired principally because of our knowledge of the law. Our primary functions in an organization are to identify legal risks and advise on how to minimize them (if possible). 

We as lawyers may have a monopoly on legal advice, but we do not have a monopoly on ethical advice. It would be dangerous and counterproductive if the lawyer’s monopoly on legal advice ended up shutting down other viewpoints on ethical quandaries — particularly where a diversity of viewpoints and backgrounds can lead to better and more informed decision making.”

1.1.2 – How do inconsistent definitions and the lack of a common framework by which to discuss culture impact the practice of supervision, particularly as regards material but qualitative risks?

1.1.2a Many participants note a relationship between culture and governance, but also note that a lack of shared grammar, frameworks, tools, and training contributes to inconsistent expectations.

“We know how important good governance is, but can we measure it in a consistent manner and ultimately craft a regulatory standard that, (i) recognizes the risk of loss arising from poor governance, and (ii) provides incentive for a firm to improve its governance?

As the expression goes, ‘If you can’t measure it, you can’t manage it,’ and if you can’t measure or effectively manage a risk then the prospects of regulating it are even more challenging. This is where we are today with risks related to poor governance.”

“How do you measure incremental progress in building a desired culture? How do you do that in a way that is consistent and replicable across a number of institutions? How do we support that from the official sector side? To the extent that this can be operationalized, there would be a huge benefit to having a data driven, analytically rigorous process that provides reliably comparable metrics by which to assess incremental progress on culture improvement.”

“A challenge may be the lack of any meaningful metric to evaluate governance and culture in a bank examination as this requires taking a holistic view of all aspects of the risk governance framework rather than looking at each facet in isolation.”

“Culture isn’t a ready metric; judgment is involved even when anchored to evidence. Conversations about ‘tone from the top’ and ‘walking the talk’ quickly prompt precise questions from boards: ‘What exactly is missing — and why?’ 

We found it easier to embed culture into tangible things: remuneration and performance management systems, and how those might drive good or bad behavior — citing a few incidents without overgeneralizing (especially in banks with large footprints). We relied heavily on audit (internal and external). How management treats auditors tells you a lot. 

So we bundled multiple strands — governance structures, design, incentives — rather than saying ‘your culture is good/bad’ in isolation. A holistic embedded approach worked better than treating culture as a standalone rating. 

What we wanted [at MAS at that time] was something sharper and more consistent — a kind of quality control — so ‘good/bad culture’ judgments weren’t just personal impressions. 

It is important for supervisors to be able to state clearly and to defend their findings or observations with respect to their assessment of a firm’s culture. Board members in financial institutions take their responsibilities and fiduciary duties seriously. They will understandably seek to understand any supervisory concerns — and sometimes, to even challenge or offer other perspectives. So explainability by a supervisor of its findings is important.”

“When it comes to issues of behaviour and culture, data and metrics as a means of understanding risk are much more scarce [than financial data and metrics].”

“Culture is the cumulative effect of a whole range of things. I find myself, when I talk generally, saying things like, ‘I like a culture of challenge. I like a culture of curiosity.’ But you see my ambivalence with the use of the word. It's very ubiquitous — it's all over the place.

It's a really critical concept to explain when things go wrong and to illuminate how to make them better. Maybe someone clever can inject some science into that and say, ‘Well, here are the 10 key features of culture and how you measure it’. We all instinctively believe that it's a critical concept, but injecting science into it is a bit challenging.”

“If we had a common evidentiary basis, life would be easier. 

We don’t — at least not yet. We’ll keep looking for possibilities. I don’t know if one is possible, but I’m open-minded and would welcome it.”

“I’m curious but skeptical about how far supervisors can lean into this field. 

For me, it’s less ‘culture’ and more about judgment and subjectivity in the supervisory risk assessment process — how decisions are made, the tools and methods supervisors use, how quality control is formalized, how leadership supports or undermines work at the operational level, and how institutions are involved in finalizing courses of action. 

That’s all fair game; there’s greenfield there. But going directly at culture? I’m not sure.

Maybe machines can help — digitizing behavioral performance at scale. Supervisors don’t suffer from lack of data; we have a bandwidth problem. Perhaps machines observing machines will help. In short: culture risk supervision remains a bit of a mystery.”

“I have the feeling that we supervisors don’t do very much of that kind of training [e.g., in culture risk governance], as a rule, because it is hard, and because we lack frameworks for that. 

Instead, we try to identify problematic constellations that lead to bad culture: dominant leadership figures without checks and balances; non-diverse boards, unchallenged decision making among senior leadership, and the like.”

“Culture is clearly important not just for conduct but for the safety and soundness of banks. 

I think Andrew Bailey said a while back that pretty much all bank failures have a behavioral driver somewhere. So the idea we can ignore this is hard to sustain.

We’ve seen failures — Credit Suisse being the most obvious — driven primarily, I’d say, by persistent cultural problems. Credit Suisse’s issues went back decades — immorality, turning a blind eye as long as someone made money; semi-independent businesses with no challenge if profitable. That’s cultural memory.

On the other hand, I struggle with how supervisors get their arms around it. At worst, it becomes vague — ‘he-said/she-said’ — with supervisors giving opinions that management don’t understand or disagree with.

The challenge isn’t importance [of culture]; it’s whether supervisors can actually make a difference — and whether, given limited time, this is the best use of effort versus things easier to measure and change. 

To avoid that counsel of despair, you have to believe you can assess culture with some objectivity and then respond rationally — either encouraging or requiring change, or, recognizing the culture for what it is, and compensating with additional financial resilience.”

1.1.3 – What is the relationship between culture and governance and how does ambiguity about that relationship contribute to uncertainty?

1.1.3a Participants shared differing perspectives on which comes first, culture or governance.

“We’ve called for changes to governance, to bring about more stringent leadership, but the biggest things we’ve had to change at problematic firms have been about the culture. If you’re going to change an organization, you have to understand its culture and work out what kind of culture is consistent with your mandate.

Of course, regulation — and codification via governance codes — tends to show you ways to be formally compliant with what law, regulation, or supervisors expect. That’s the ‘hardware’ of governance: independent directors on the supervisory board; separate audit and risk committees; the right people chairing them; CEO/Chair roles handled appropriately; all that.

These things can be codified and are codified differently across jurisdictions and corporate forms. 

If you stop there, though, you don’t get to an assessment of the culture of the firm. There are different interpretations of formal ‘good governance’ around the world — the U.S. is more comfortable with a double-hatted Chair/CEO than Europe, for example. But under formal compliance, you can still have widely divergent corporate cultures and risk cultures. I’ve certainly seen that as a supervisor.”

“Organizations don’t materialize out of thin air; they’re constituted for a purpose. Governance serves to affect the stewardship of an organization. 

It’s not a passive ‘people will be people’ shrug. Governance is an opportunity to signal, check, align, and pursue a path. 

Behaviors are in scope for governance; they’re a consequence of choices and incentives aligned to the strategy. So, yes, culture is a governance matter to the extent that culture drives performance, which I believe it does. 

Culture risks are a board responsibility to understand and mitigate where they impair strategy or risk control.”

“I would define governance, basically, as managing complexity and credibility. You only can go into a regulator and say, ‘we’re complying with the laws,’ if in fact you have a governance structure that does that. And you can only go to a shareholder’s meeting and say, ‘our product/business is safe, reliable, etc.,’ if you have a governance program that ensures that.”

“If society could only have one of two things — a set of rules or a strong culture — which would you choose? I would always choose culture.”

“I would always put culture at the top of that flow diagram. I would definitely put governance next after culture. 

Culture isn't just a normal preventative thing; it's not a preventative control in the way you might introduce systems or processes. It's the stage before that. 

You can say, ‘This is our culture, these are our ethics,’ but if the way you behave as a board and a leadership team constantly undermines that, or stands in paradox to it, then you have a problem. The old saying is, ‘Culture eats strategy for breakfast.’ If the actual culture is demonstrated by leadership chastising middle managers for not hitting weekly targets, then all your middle leaders will ever focus on is that.

There is also a question around thinking really carefully about your systems and your controls, not in the sense that each is designed to completely reinforce your culture, but ensuring at least, that they don't work against it.”

“They’re clearly interrelated. Governance, as I see it, involves setting incentives, managing information flows, and implementing control mechanisms. Culture is an essential part of that, especially when it comes to how those incentives and flows play out. 

You could argue it either way, but I tend to see culture as a subset of governance — a particular set of behaviors and reward systems embedded within the broader structure.”

“Culture feels more fundamental than governance; governance is the outward-facing mechanism, while culture accounts for attitudes toward responsibility and accountability — for instance, do individuals truly own outcomes, or do committees diffuse that?”

“Risk culture, which is an important component of effective governance, has long been recognised as a key driver of effective risk management at the level of regulated financial institutions and in supervisory authorities. 

Throughout its 50-year history the Basel Committee has put great emphasis on this concept — most notably through the recently updated Core Principles for effective banking supervision.”

“Risk culture is supposed to reflect the core values the institution should pursue — chosen by the board, executed by senior management, properly propagated within the organisation, and then measured: how well are you doing when frontline colleagues act on those values? The collection of risk appetite and tolerance (in the form of a statement), the propagation mechanisms, and performance measures. Collectively I would call that ‘risk culture.’ 

Governance, on the other hand, is the structure with which you pursue those values: how the board discusses these risk values, how they review institutional performance, what mechanisms they put in place to collect feedback on what’s happening on the ground, how accountability is built, and how remuneration reflects the values.

Rules shape behavior. But, particularly for institutions engaged in complex activities, there’s potential for trouble when you try to operate with too many rules and not enough buy-in to those rules. So, rules, and the enforcement of rules — both within the institution and from supervisors outside of the institution — remain important. 

But culture is of central interest because rules will never take you all the way there.”

“Ethics in finance is not a mere regulatory requirement; it is the foundation upon which trust is built. As custodians of the financial system, we securities regulators recognize that public confidence is correlated to the ethical behaviour of market participants. 

Experience shows that robust governance and trusted institutions are prerequisites for long-term competitiveness. Capital flows toward markets where investors feel confident that their interests are protected and that rules are applied consistently. Weaknesses in corporate governance or supervision may attract short-term gains but can deter long-term investment.”

“In any organization, unwritten rules, norms, and expectations exist alongside written rules and procedures. These unwritten rules, or what we call an organization’s culture, refer to the commonly held values, mindsets, beliefs, and assumptions that guide both what is important to an organization and how its people should behave. 

Culture can reinforce established rules and risk management disciplines, or it can lessen the effectiveness of them. Culture can be a competitive advantage, or a weakness. It can affect every aspect of an institution from its compensation practices to its control framework.”

1.1.3b Other participants noted that culture and governance are interconnected and influence one another.

“Culture only happens within the governance framework you have in your backpack. It’s very difficult to try to change culture if the governance framework all the time works against you.”

“The governance arrangements are the hardware; the risk culture is the software. One encapsulates the core values; the other is how to pursue them.”

“The culture gets affected by how people perceive the governance and the outcomes of the governance. So if someone who is, for example, a very high revenue producer but an asshole gets kept on and promoted and well-compensated — that's a governance issue. The governance let that happen. But it has cultural implications. Good governance is going to affect the culture outcome, for sure.

So the two are definitely related. I mean, good governance is going to affect the cultural outcome for sure. If you have a bad culture, you're probably going to have poor governance. You're going to have gaps in governance. You're going to have a lack of accountability in governance, presumably. So it probably goes both directions.

Governance is something that’s more tangible. Culture can be regarded as being too soft to be actionable, but we can do something about governance.”

“Governance is at the heart of supervision. It is a common saying in banking supervision that ‘well-run banks do not fail.’ And it is true. Inadequate governance and risk management are a recurrent theme underpinning virtually all bank failures. 

The events of [2023] show how ‘intangible’ nonfinancial risks can result in very tangible financial losses. Indeed, throughout my career, I have seen that strong governance is the true north guiding a sound bank, and hence a sound banking system. 

Bank governance and risk culture are closely intertwined. Risk culture refers to the collective mindset and the shared set of norms, attitudes and behaviours related to the awareness, management and control of risks at all levels in a bank. This is what shapes the day-to-day decisions of management and staff and affects their risk-taking behaviour.”

“We see a strong link between governance and culture in our day-to-day supervision. Personally, I'm a little bit careful to focus too much on the culture part. Ultimately, this is about behaviors, and governance affects behaviors. We shouldn’t be too philosophical about this.

For example, if you have a dominant shareholder who is also playing an important executive role — or is the CEO — there can be a bigger risk of people in the financial institution not speaking up when they observe negative developments that may affect performance. 

The governance — for example a CEO that also has a dominant shareholding — can influence the day-to-day operations of the financial institution. Therefore, it has prudential consequences, and that brings it into our remit as a supervisor. 

If you have a governance where the top management team’s formal governance rights are different among its team members, that can influence the dynamics in the board. We sometimes have cases where you have an executive board that formally tries to function as one board — but if you look at the small print, it appears that some members have more governance rights than others. These formal differences can affect the culture and dynamics in the board.”

“In governance, we tend to focus heavily on the inputs — rules, structures, and processes — and then wait to evaluate the outputs, such as performance, compliance, or outcomes. But what’s often missing is a systemic framework to assess the throughputs, which is the culture that connects the two.

Culture is the lifeblood of an organization; it shapes how decisions are made, how risks are managed, and whether the values on paper are actually lived in practice. Without a mechanism to evaluate and influence this critical middle layer, we risk overlooking the very dynamics that determine whether governance structures succeed or fail in achieving their intended goals.”

“All our efforts at codification tend to show you ways to be formally compliant — that’s the ‘hardware’ aspect of governance. But underneath that formal compliance, you can still have widely divergent risk cultures — that’s the ‘software’ element. 

When you’re trying to get hold of a kind of slippery topic like culture and need a framework for doing that, it fits under governance and risk management. That’s the right way to insert culture into a supervisory program — it gives you the permission to delve into the topic. 

But you could also reverse it and say you’re really looking at culture, and one sub-aspect of culture is the formal governance of the firm. I include with governance the whole fit-and-proper framework. That’s where culture starts.”

1.2 – The Case for Culture as a Supervisory Concern

1.2.1 – Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.

“Behavioural science teaches us that culture is the unwritten code of how things are done in a business, and so, it is a good predictor of poor conduct.”

“I think the evidence, if you look back at the Global Financial Crisis and many other things that have happened in banks since then, including SVB and other failures in Switzerland, shows that issues around culture and governance are very much a root cause.

My own personal experience with the Financial Crisis in Ireland makes it absolutely clear that this was the case. The remedies were put in place after the Crisis, but before the establishment of the [Single Supervisory Mechanism (SSM)]. So there was a period where Ireland was dealing with the Crisis on its own. 

Even after the SSM was established, which shows how difficult governance and cultural issues can be to address, we had the tracker mortgage issue related to consumer protection. With the caveat that consumer protection is not part of the ECB's mandate, a root cause of that issue was culture. 

It prompted the Central Bank of Ireland to do a large study on cultural factors in banks and how it led to a big scandal that negatively affected consumers. These are cases where you can see the evidence that culture is at the root cause of many things.”

“Regulators have been saying consistently that culture shapes conduct. The protections of a strong risk and compliance culture are clearly even more important in the supervisory context today. So, it just stands to reason that, going forward, regulators will pay even more attention to these cultural issues in the current [Covid-19 Work from Home] environment.”

“I completely understand institutions have to be able to make money. Institutions have got to be able to take appropriate risks, and I'm nowhere near the sort of person that says you should try to regulate all risk out of the system. But I think that it's a case of institutions saying, ‘Okay, we want to be the sort of place that doesn't just have adverts, doesn't just have commercials, doesn't just have slogans that say that we put the customer first.’”

“Culture is crucial for insurance supervisors because it underpins the decisions, behaviours, and practices that influence an insurer’s financial soundness, customer treatment, and overall integrity. 

Supervisory focus on culture helps identify vulnerabilities, mitigate misconduct risks, and promote public trust in the insurance sector. 

There is strong recognition of the need to ensure a robust supervisory framework for the insurance sector — one that promotes the financial soundness of individual insurers and the stability of the sector, as well as a culture of fair treatment of customers.”

“The Financial Crisis got me going because you saw so many egregious things that were clearly not in the gray area. They were well over the line into what I thought was very bad behavior. The most obvious one was the manipulation of LIBOR. That is blatantly criminal; that's not in the gray area. 

You remember Charlie Prince's famous ‘when the music is playing, you've got to get up and dance’ line? That really got under my skin, because it implied that people lack the free will to actually decide what they want to do.”

“In our surveillance, we increasingly used indicators of poor culture — which was normally correlated to poor conduct — to direct us to the companies we would visit.”

“As fee and non-interest income have become more important for banks, and as the community needs help managing its wealth, culture has become very important. 

The bank isn't just risking its own capital; it's advising or enticing customers to buy products to earn a fee. The more volume they generate, the higher their income, which creates an inherent potential for mis-selling.

We introduced many reforms to ensure banks would not sell financial products to unsuitable customers, including complicated processes and safeguards. But to me, in my heart, it's still about the culture.

Conduct supervision is very simple. It’s ensuring your staff adhere to a single principle: is this a product you would be prepared to sell to your grandmother or your brother? If you have doubts, you should think twice. Beneath this simple, almost joking, principle is a very profound philosophy. It's culture. If you don't know what you're selling, don't sell it. If you know a product is very risky, you wouldn't recommend it to your close friends or relatives. 

A culture based on the simple logic of not selling something to a customer that you wouldn't sell to your own mother or brother is timeless. It doesn't matter if it's Bitcoin or some new product 20 years from now; the philosophy remains the same. 

Would a bank's management be willing to use the common-sense "grandmother" approach? If they do, then the bank won't do enough business, it won't generate enough profits, and people won't get paid bonuses. That's the difficulty.”

“Sound organizational culture will align employee behaviors to positive corporate values. Be it to treat customers fairly or manage risk prudently, it strengthens the consistency and quality of how financial institutions execute their policies and processes, and how they make decisions on a daily basis at all levels within a financial institution. So this helps to minimize misconduct and internal control failures even when the supervisor is not watching. And that's why it's so important for us.”

“The Financial Crisis of 2008 exposed deep-seated flaws in the financial system and highlighted the importance of governance and ethics in finance. In the wake of the Crisis, a series of scandals ranging from mis-selling to market manipulation undermined trust in the financial system. In response, policy makers sought to promote higher standards of corporate governance, industry culture, ethics, and trust. Despite those reform efforts, incidences of misconduct and mismanagement of risk continue to plague the industry.”

“Governance and culture are also crucial in managing operational risks.”

“I’d point to a couple of really simple examples.

First, is a loan being made outside the firm’s stated risk appetite? Is risk being taken outside stated tolerances, exposing the organization to greater risk than intended? 

Second, is an employee behaving toward clients or colleagues in a way that violates behavioral expectations? 

If so, crucially, how does the organization respond? If a salesperson extends a profitable loan outside risk appetite, are they rewarded or penalized? If someone behaves inappropriately, does local management act? Are violations ignored — or even rewarded? 

Reactions can be very different to similar events. That reaction sets the tone. So leadership needs controls to know whether risk appetite — risk and behavioral — is actually being delivered; and they need to help set the tone for how the organization responds when things go wrong. The latter can be even more instructive than the former.”

“The Federal Banking System holds more than $14 trillion in assets and has more than $60 trillion under its fiduciary and custody control. With all that money, you would think that most of the risks facing the banking system would be financial.

But, as our most recent Semiannual Risk Perspective points out, three of the four top risks facing banks are not financial at all, they involve strategic, operational, and compliance risks. 

These are the risks that tend to challenge bankers and require a great deal of examiner attention. We dedicate a significant amount of human resources and have an entire function within our organization identifying, assessing, and sharing our perspectives on these risks with the industry so they can sharpen their risk management and operate more soundly.”

“The fact that misconduct continues to occur all too frequently across financial institutions shows that more needs to be done.”

“We took a deeper dive into how firms thought about setting the tone for the conduct that would be tolerated, how that is messaged to employees, and then dove deeper into whether firms recognized that corporate culture, in turn, sets the tone for what acceptable level of conduct is within an institution. 

The discussion with executive leadership at the firms sparked interesting realizations and helped us understand how the firms were thinking about that tie-in between conduct and culture. Some were quite sophisticated in their thinking around the topic, and clearly our inquiry was not the first time they had thought about this. Others were less advanced. Another interesting part of the dialogue was, when two firms merged, which culture dominated in the combined entity and what drove that result?”

1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.

“I think it's getting a lot better, as prudential regulators realize that poor conduct risk can result in prudential risk. Prudential regulation is protecting the entity, while conduct regulation is generally protecting the individual. But they are both dealing with institutions that, if they behave badly, could become financially unviable because they'll lose their customers and face fines.”

“Even though everything was under my roof, I have to tell you about a situation that arose because of the Global Financial Crisis. In Singapore, the biggest issue we had for the domestic consumers was originally thought of as a conduct issue, not a prudential issue. Our banks were rock solid. It was a conduct issue because of something called Lehman Brothers Minibonds. These were CDOs that were packaged and sold like they were bonds.

Mea culpa: we really should not have let them be called ‘mini bonds.’ People were buying them thinking they were bonds, but they were actually CDOs. As the assets in the reference basket started collapsing, so did the value of these instruments. 

Is this a conduct issue or a prudential issue? On the surface, it's a conduct issue. But many of these instruments were sold by banks and insurance companies. Because of the blowback, it cost them many millions in fines and restitutions. There were also reputational risk issues. Then it became a prudential issue, didn't it?”

“Look at Credit Suisse. A single bank failed inter alia because of cultural issues. And it’s not just conduct — it’s broader. Conduct risk eventually moves into financial risk. That affects the bank's risk-taking capacity, and in severe cases, even its stability.”

“There can be direct risks to financial soundness and the community’s trust and confidence in an institution from poor customer outcomes as well as indirect impacts from the root causes of those outcomes, e.g. systemic deficiencies in governance risk management or risk culture.”

“The failure of Lehman Brothers had led to significant losses for the general public on complicated structured financial derivatives. People lost their shirts and didn't know what they were buying. Even more seriously, the bank staff who marketed these products didn't know what they were selling. This is a culture problem.”

“I think there's a continuum that's taking us further down the pathway of identifying or displaying just how clearly conduct risk can become a serious prudential risk. The reasons for that are two things that aren't necessarily deliberately related, but they are connected. 

First, you have regulators who are quite properly getting tougher, I think, in holding improper conduct to account. 

Second, running in parallel, is that society as a whole has tended to be more litigious. And the courts appear to be more willing to award significant damages — and I mean not just significant remedial compensation, but punitive damages — against institutions who do the wrong thing. 

So, those two things to me say that institutions need to be really careful about this stuff, and this is where you get to culture. Institutions need to address the fundamental things that might cause misbehavior. There are always going to be rogue elements; there are always going to be people within institutions who do the wrong thing. 

But when you get to significant sums, that generally means there's something fundamentally wrong in the organization. And that, I think, is when you get to the culture question.”

“As well as the readily identifiable direct financial impacts of misconduct through fines, penalties and investor compensation, there is the ever-present threat, to banks in particular, of misconduct causing investor or depositor confidence to erode.”

“Non-financial risks will eventually have financial consequences for the banks. Reputational damage can have very real and significant financial consequences. It could be misconduct, mis-selling, or IT insecurity. If a bank's system is attacked by hackers, even if it recovers, depositors may move their money, and that could cause a run on the bank.”

“When reputational risk crystallises in a big way, customers can flee the business in a manner not dissimilar to a financial run. Sometimes, no one wants to be seen dealing with a firm after disgrace precisely because others are walking away. Such business ‘runs’ can, today, be triggered by whatever catches the moral spirit of the times. Like a bank run, no one sees it coming until it’s too late.”

1.2.1c Still others see little distinction between cultural drivers of nonfinancial and financial risk, making it an area of interest to conduct and prudential regulators alike.

“In recent years there has been increasing recognition that governance and culture relating to financial risks cannot be separated from governance and culture of firms’ activities considered more broadly.”

“I am a prudential supervisor, so I look at culture with the perspective of its influence on the build-up of risk at a firm and on its safe and prudent management. 

The distinction between financial and non-financial risks is misleading in this context. If something is wrong in the culture of a firm, it will sooner or later materialize in financial consequences in ways that might be difficult to foresee. 

My belief is that, by looking at cultural aspects, we can identify at an earlier stage signals of behaviours that could, at a later stage, impact on the financial situation of a firm.”

“An insurer’s culture is a key determinant of how effectively it manages both prudential and conduct risks. 

[The IAIS] 2021 Issues Paper on Insurer Culture explored the role of insurer culture as a point of intersection for managing prudential and conduct risks and mitigating misconduct.”

“We supervise banks of all sizes, down to the smallest financial institutions — there are hundreds. So why is it that, of our hundreds of banks, over the last 18 months, say, only about four of them have kind of gone off the rails? What was it about those firms and not the others?”

“Think of the supervisory toolkit: upstream are regulations, then supervision, then supervisory actions, culminating in enforcement. We reviewed our enforcement actions and asked: why do some firms fall afoul more often than others — even among peers of similar size in similar environments? Is it about the quality or competence of people? Or is there something about a firm’s culture that incentivizes or drives certain behaviors? 

It is my view that bad culture can be a key contributor to both conduct and prudential risks.”

“All the financial metrics we require as supervisors are aimed at ensuring that confidence in institutions remains solid, and justifiably so. For institutions that rely so heavily on that confidence, the success of a firm’s culture in contributing to that confidence is of critical importance.”

“It has long been recognised that deficiencies in governance and risk culture can be early indicators of potential financial risks.”

“The global financial community has made good progress in raising prudential standards, enhancing risk management, and strengthening controls. But reform of the financial industry — to make it safer and more purposeful — will not be complete until the industry ‘gets the culture right.’”

“Prudential non-financial risks related to governance and culture, if left untended, could become financial risks.”

“In examining the lessons of the Global Financial Crisis prudential supervisors quickly recognised that risk culture had been a critical determinant of financial success or failure.”

“What we label ‘non-financial’ risks — culture, conduct, accountability — are often deeply financial in impact. The problem lies not in the risk, but in the measurement.”

1.2.1d Some supervisors have suggested that organizational culture has the potential to generate systemic risks, rather than merely idiosyncratic risks isolated to a given firm.

“The Global Financial Crisis highlighted the importance of supervisors not only focusing on microprudential supervision of the financial soundness of individual insurers, but also the potential build-up of systemic risk arising from sector-wide activities through macroprudential supervision.”

“If you look at where things go wrong, it's where there's an incentive to break from the norms of the pack for commercial advantage. One of the bigger deterrents to that is not necessarily what the rules say or what the regulator is going to do — although that is obviously very important — it's often, ‘Well, is anyone else in the market doing that at the moment?’”

“You're driving down a highway. Now people say there are no more rules, no more speed limits, no more lane markings. Hooray. Really? Is it safer driving down that highway now? You're going to have to rely on your own driving skills to avoid crazy drivers and do the right thing. You have to have your own true north inside you to tell you where your speed limit is, not just follow what the car next to you is doing.”

“The one quote that always comes to mind is from Chuck Prince at Citi, who said, ‘As long as the music is playing, you’ve got to get up and dance.’ So, if bad culture becomes the accepted norm for the industry, then it's a systemic risk.”

“The most important thing we need to tell the private sector is that you need to know where your inner true north is so that you follow your own principles, regardless of what others say. You have to decide. Do you really have to keep dancing while the music's still playing, or do you have to dance every dance? That's on you.”

“We have seen what happens when large banks become unmanageable and need government support to avoid disorderly failure. The negative impacts of [too-big-to-manage] and too-big-to-fail on households and communities, on the banking system and economy, and on trust are immeasurable and can take years to mend.”

“Often, people move around within the same sector, so you end up having sectoral cultural problems, which is what we had in the Australian banking industry. It doesn't just affect one firm; it can often affect the whole sector because people move around and bring their bad habits. Sometimes competition in a sector creates a bad culture. The banking Royal Commission [in Australia] was largely a result of the poor culture in the banking sector, where people didn't really care what they were doing to customers.”

“As threats to the financial system continue to evolve, and operational or reputational risk events in individual entities have the potential to migrate ever faster into financial losses, a sound governance and risk culture are essential foundations for a more resilient system.”

“Trust, culture, and legitimacy are not abstract ideals… They are systemic inputs that determine the confidence enjoyed by institutions and markets.”

“Coming out of the Global Financial Crisis, you could fairly use ‘cultural problems’ there too. So I think culture is the cumulative effect of a whole range of things.”

“Conduct regulation tends to be viewed as consumer protection... But I think [culture is] really a prudential matter, as opposed to a conduct matter as typically understood. These issues have obvious implications for consumer protection, but what we’re talking about here is really more concerned with the safety of the firm — and, perhaps, the financial system itself. That’s a real challenge for the official sector. And it’s something critically important — particularly since financial institutions depend fundamentally on confidence.”

“[W]e see our overall mandate as focused on four safeguarding outcomes: financial stability; safety & soundness; consumer and investor interests; and integrity of the system — which are all highly inter-related and often interdependent. 

Culture and behavioural risks are a perfect example of this. What may manifest itself in the first instance as poor conduct, or weak anti-money-laundering controls, often leads to — or is also uncovered as representing — prudential risks in the firm. 

It is not for nothing that we focused on strengthening the governance framework in the aftermath of financial crisis, or that governance remains a key focus of all supervisors, including prudential ones. We only have to look back to [March 2023] to see the risks to capital and liquidity — and indeed the very survival of firms, with potentially systemic implications — that can emanate from badly run entities or historic instances of poor risk management and governance…  

[T]he importance of supervising governance, risk management, and culture is one of the key takeaways from the banking turmoil [of March 2023].”

1.2.1e Some participants observed that culture problems can ultimately lead to a loss of credibility for the financial sector as a whole.

“Supervisors must strengthen their cultural oversight, not just for institutional efficacy, but to preserve public confidence in their relevance and restraint.”

“When public expectations go unmet, the result is not confusion — it’s disillusionment. And disillusionment corrodes legitimacy.”

“If you have good behaviors, good outcomes, that creates credibility about and confidence in the regime. And if you don't, then — look what happened in the outgrowth of the Great Financial Crisis. People were so angry about the firms that were rescued versus what happened to people as individual mortgage holders. That asymmetry of treatment caused tremendous loss of confidence in U.S. institutions. 

Loss of confidence in U.S. institutions really has a very pernicious effect on the ability of the system to perform well. And when a large number of people in the United States are deeply alienated, that’s an erosion of trust and is not a good outcome.”

1.2.2 – If culture is important to supervision, then what factors make it challenging to assess?

1.2.2a Participants have pointed out that culture risk is typically only explored post-hoc, during root cause analysis, rather than proactively, before adverse outcomes arise.

“Assessments of management should serve as a leading indicator of expected results, not a trailing indicator of obvious problems. 

We do expect to act to pre-empt and anticipate poor conduct, and society has a right to expect this.”

“I believe the idea that supervisors should just intervene when financial indicators are deteriorating would simply mean that they would be entering the picture when the problem is beyond repair.”

“We still struggle to define what good is and what bad is, except in hindsight. We analyze failure rather than anticipating it. 

Almost all our examples are retrospective — Lehman, Enron, Wells Fargo. This reinforces the myth that culture is ineffable — only visible in retrospect.”

“Supervisors operate with imperfect information and a time lag. Often you only see it after something happens.”

“We have to be on the front foot about it. 

But culture is amorphous, qualitative. It’s hard for outsiders to spot dysfunction. We’re still sharpening our sense of smell. And frankly, we’re still figuring it out. In some cases, we’ve learned the hard way.

We’ve had cases where we didn’t do as well as we should have in assessing how values and principles — unique to a specific institution — actually flowed through the organization. When we’ve missed something, it’s usually because we missed something in governance.”

“There must be gallons of digital ink spilled on trying to give structure to what we mean by culture. It's definitely a useful tool for regulators, I think, because it helps explain why things go wrong. And it's also a nice vehicle for how to make things go better, because we start describing the culture we'd like to have. 

But then there's a causation question: if we had the culture that we think we want, would that lead to good things?

As we know, there are skeptics. I remember when culture first became a hot topic, some individuals from more of an old-school way of thinking said, ‘What the hell are you talking about? I make brilliant widgets. Culture is irrelevant. The fact is, I make brilliant widgets.’”

“Particularly at this moment, there’s a lot of focus — appropriately in my mind — on the culture of institutions. Firms spend a lot of time, attention, and money in seeking to establish and maintain a strong culture. They expect to see the reward for that investment in their firm’s subsequent performance. 

But from my point of view, and in the official sector roles I’ve held, it’s been very difficult to think about how we might measure management’s success at shaping desired culture effectively — apart from either, ‘oh, the company is performing well,’ or ‘wow, the company has blown up.’”

1.2.2b Participants point to culture as winning attention only in circumstances of remediation and argue that, once the acute pain has passed, the ongoing chronic pain is simply tolerated.

“Supervisors are overwhelmed by tasks linked with checking compliance with a very complex regulatory framework, which leaves very little time for focusing on cultural issues.”

“[The question is] whether non-financial risk has descended, via a culture of compliance with voluminous rules, into merely a cost of doing business. This, crudely, amounts to: read rule, interpret it in a way favourable to the business, monitor compliance, accept there will be violations, pay fines, carry on.”

“I sometimes joke that if the Financial Policy Committee at the Bank of England is doing its job, it will be known only to the aficionados. It’s like the dog that didn’t bark. 

It’s the same with fire insurance — you pay for decades, and there was no fire. So was it a waste? You might get lucky. But when the fire comes, it really comes. I live in Chicago. We had a pretty big fire here a while back! So, the answer depends on whether paying for the insurance also came with adopting meaningful safeguards — new roofing, better materials, behavioral shifts.

It's an uphill battle for making preventative investments by government, especially when there’s no crisis. But that’s why you need a framework: one that explains where the risks are, what data you have, what you don’t know, and where more resources could help. 

At the Bank of England, I routinely ask: what data did you use to reach this conclusion? What data do you wish you had? That’s how we build capacity for better decisions.”

“Real-time and continuous surveillance and intervention by the supervisor is an important part of addressing cultural failings in banks. What you see with some of the banks that have had longstanding cultural problems is that every few years, they'll have another blow-up, and it'll turn out that nothing's changed since the last blow-up. How do you tell, in between those big events, whether the culture is moving in the right direction? If you can answer the question of how to measure progress on culture when there hasn’t been a blow-up for some time, then you are in a better position to drive change.”

“I ended up negotiating and finalizing Basel III. It was finalized, I think, in 2016 or 2017, and it came out of the Global Financial Crisis. So it took 10 years. Even then you could say, ‘Oh my gosh, this is too slow.’ Now it comes into full effect in Europe by 2033. Most of the attempts and complaints about Basel III are about diluting what was agreed.

So if you are a supervisor in this environment, the effort to have somebody else fighting you when you say ‘no’ is relentless. We're talking about 25 years after an obvious disaster, putting in place new rules, and keeping at it for 25 years while trying to dilute the rules. By 2033, most of those who remember the Global Financial Crisis won't be around anymore. And then people will say, ‘Well, Grandma and Grandpa didn't know what they were doing. Now we're much smarter and this time is different.’ And you keep at it.

If you run into what is called a systemic financial crisis, then you have the accounting cost of that, which is basically: who's losing money? How much money did the government have to put in? All the rest of it. But the true cost to society as a whole is unemployment and the loss of output in the economy during the years it takes to put the pieces back together. And in many cases, you can never claw back that loss of output. So that loss of output is a loss to society forever, and that's why you would like to avoid a systemic financial crisis. 

But that, of course, also means that you need to say ‘no’ quite a good number of times in good times, in order to avoid that very bad outcome. But the problem with all of this is that the timeframe is such that maybe disaster does not happen, or maybe it takes 10 years. And that's what is absolutely the hardest thing for us human beings to deal with. 

In the short run in politics, you tend to cater to the median voter. And the median voter usually wants to buy a house, or a car, or something, and you would like to make it possible for them to make that happen. And if that means that bad things happen 10 years from now, well, there are many moons and many elections until we get to that point, and it'll be someone else's problem. 

But it still means that it is meaningful, in my view, to think about it in cultural terms because it says something about what you are expected to do and how you're expected to think about things when you are a supervisor.”

“As a banking supervisor involved in international bodies, I feel that the further we move from the last crisis, the more detached we become from emphasizing these things. 

The 2023 turmoil reminded us of the importance of proper risk culture and governance structures. But, as time passes, people are less concerned, and it’s easy for supervisors or regulators to give the impression: ‘These problems are fixed; we don’t need to keep reminding institutions.’ 

No. Because it’s difficult to quantify and measure, it takes continuous effort to keep it in check. As we grapple with trade issues and economic challenges, it’s easy to overlook this. Studies like yours are important because they keep people focused on the core issues — how to improve behavioral outcomes and not overlook the pitfalls we saw in April 2023.”

“People need to feel they have to do things differently and feel the pain in order to really change. All the countries that have adopted some of our work have also experienced some kind of pain, like Australia, a couple of countries in Europe, and the New York Fed. In Canada, it was slower; I think their financial industry is very easygoing. 

On one hand, it's so obvious, and everybody says it's culture. But to make it tangible and actionable, it has to be owned on the board level and by the executives. Somebody has to step up and say, ‘We need to drive this in a very serious manner.’ 

But as a psychologist, I would say the pain isn't big enough for people to take this on and make it happen.”

“History has shown that, as crises recede, memories can fade. And that is why, for me, it is essential for regulators to retain their focus on the fundamentals of resilience, governance and risk management.”

“If you don't have good core fundamentals around culture and risk management, the propensity for other things to go wrong is always there. So, we should not take our eye off these core things, which are important for managing all the other risks we look at.”

1.2.2c Other participants describe how organizational complexity can make it difficult to assess culture risk and to evaluate success in connection with culture change initiatives.

“A board can’t be expected to run the day-to-day governance, or culture and conduct of these large organizations, whatever industry you may be in.”

“It goes beyond what you see at the board level. It’s about how the organization runs at the end of the day. Everyone gives you lip service — they laugh at your jokes. But when they go back to their desk, they talk about how stupid your joke was. That's the operational culture. Then there's the deep culture: the group that goes golfing together, the group that goes on vacation together. If you're not attuned to those subcultures, you may find that what you think is happening in the organization is not what's actually happening.”

“There are only so many hours in the day and so many meetings in a week that executives and board members can attend. This dynamic places heavy reliance on materiality determinations, which drive the issues senior leaders consider and make decisions about. 

When a significant problem surfaces at a bank, there are two likely reactions: Either the bank assumes similar problems might be lurking elsewhere in the organization and embarks on a mission to seek them out and address the root cause, or the bank assumes that the problem is isolated and reflective of a bad apple and maintains business as usual. 

When a negative surprise occurs, large banks should presume that similar risks lie hidden beneath the surface elsewhere and that unseen root causes need to be uncovered and addressed. A “look across” to other units should be standard operating procedure, and the burden should be on those units to demonstrate they are not similarly vulnerable. The larger the banking organization, the more important it is to shift the default presumption before concluding that an issue is contained and being addressed. 

A sign that a bank may be becoming [too-big-to-manage] is when supervisors consistently uncover more risks and problems than the bank’s internal risk and control functions do. Tracking the ratio of supervisor-identified issues to self-identified and self-corrected issues is one way to gauge this risk and track it over time.”

“An important point I want to make is that dealing with these culture questions is hard.

It’s very easy to make isolated statements and judgments based on historical firm performance. It is much more difficult to consolidate those into a thoughtful, consistent framework that results in a score distinguishing one firm from another. If it were easy, firms would have done a better job of it over the years. 

It’s not about the optics. It’s about whether changes are rational and reasonably related to the underlying issues. If the firm just blames a ‘bad actor’ and adds to their compliance headcount, that’s not credible. If the firm says, ‘This isn’t how we want to operate, here’s how we’ll change our systems, our accountability, our client engagement’ — that matters. 

Regulators should ask: does this response reduce the likelihood of recurrence? Has the firm learned from others’ failures too? Those are the real indicia of culture — not how much money was spent.”

1.3 – Global Convergence and Divergence

1.3.1 – How does the lack of a common supervisory approach to culture and conduct risk across jurisdictions pose a concern?

1.3.1a Some participants note that, because many financial institutions operate in multiple jurisdictions, a lack of coordination on culture and conduct risk creates challenges for effective supervision.

“I think we need to be a bit realistic about how we use the concept of culture and try to put some structure around it. And to the extent there's some international consensus around how we do that, then I think that would be useful.

Increasingly, the world's getting smaller, and issues around financial stability and how we think about these problems have a global context. So if we're taking that seriously, then we can't all be singing from different hymnals because it's just going to create confusion and lead to bad policy.

So I think the idea of having some document — a charter or protocol or whatever you want to call it — that encourages people to talk about the concept similarly, I think that would be helpful.”

“The international regulatory community has yet to establish precisely how we are to create and embed supervisory cultures that are appropriately intrusive, skeptical, proactive, comprehensive, adaptive, and conclusive.”

“Global challenges require global solutions, grounded in cross-border supervisory coordination and cooperation, and robust stakeholder engagement. Closing protection gaps will require an intensified global collaborative effort amongst policymakers, supervisors, and the insurance sector.”

“Sometimes I get the impression there is too much red tape. It's not just one regulator; it's several. It's throwing out a lot of red herrings and sand in the wheels that may not be necessary. 

There's also an unevenness in regulatory oversight across jurisdictions. I think the regulatory community needs to bring some regulators up to best practice as well. Some jurisdictions tend to take their eye off the right ball and try to make you do things that may not be in the best interest of the bank. More can be done in the international regulatory community to raise the baseline level. 

It boils down to supervisory practice. This is hard to put science around, though you can to an extent. You must have structures and the right incentives in place. Over and above that, regulators can do more to share best practices amongst the industry.”

“Culture is increasingly being treated as a ‘hard’ driver of risk.

Fragmented approaches to culture risk governance and supervision will make for inefficiencies and overlaps while leaving gaps in oversight. A shared framework, interoperable tools and a common evidentiary basis for judging effectiveness proactively, rather than remedying the consequences of failure after they manifest, yields the best result for the least regulatory burden.”

1.3.2 – What might cross-border coordination regarding culture risk governance and supervision look like?

1.3.2a Some participants suggest cross-border coordination would enable better practices.

“One way to motivate all this stuff is you can get the G20 to decide they want to do something. When you look at the movement on things like central clearing, that was all because the G20 made decisions that these things had to happen, and then the regulatory community came quickly behind that. 

Where regulators can be helpful is twofold. 

Number one, identifying best practices. One thing regulators have going for them is they can look at different banks and say, ‘Look, I've done a horizontal review of these banks, and you think you're pretty good in this area? No, you're not, because I've looked at how other banks do it.’ Regulators do have better information about certain things than any individual bank.

The second thing, in the same vein, is they can identify what's good and what's not so good and share that across the banking community.”

“During the Financial Crisis, the Senior Supervisors Group (SSG) did a deep dive on what the failings in risk management were that led to how we got where we did. Their first report on the Great Financial Crisis was published in late 2009.

And the SSG continued throughout my tenure because it was an opportunity to bring together the actual supervisors — people who ran supervision — as opposed to those who developed policy, who often weren’t actual supervisors executing supervision. 

So the SSG got together and was able to actually talk about real supervision issues, culture supervision being one of the topics. That was one of the opportunities that folks had to learn about what the DNB was doing and then share with each other what they were doing on culture. One of the benefits of these international groups is you get to hear what others are doing.”

“I think [cross-border coordination] could be useful. A lot of it is about sharing best practice, particularly where, in the absence of an adequate framework, people have struggled.”

1.3.3 – What role do international standard-setters have to play in coordinating culture supervision?

1.3.3a Many participants point to the need for global coordination on standard setting.

“15 years on [from the Financial Crisis], one important issue remains largely unaddressed by the international regulatory and supervisory community: establishing and reinforcing a strong supervisory mindset and culture. It would be a pity if this remained consigned to the “too-hard” basket. 

The financial system is a global one, and weaknesses in supervision can impact well beyond national boundaries. It’s time for the relevant international bodies tasked with promoting good supervision to take a closer look at the issue, and to play their part in promoting a stronger supervisory culture more widely.”

“Whether [global standards for culture] metrics themselves would be of ethical help is less relevant than the fact that they would stimulate debate and discussion among central banks and top supervisors. It's a good idea because it keeps the topic from losing steam.”

“Maintaining trust in global financial markets requires ongoing collaboration. IOSCO’s members work together to identify emerging risks, share supervisory practices, and promote effective enforcement. This is particularly important when dealing with issues like AI adoption, cross-border misconduct, or corporate governance failures. 

Culture and corporate governance must remain central themes in the global effort to support resilient, fair, and competitive markets. Regulatory initiatives that focus on practical steps — such as oversight of culture, evaluation of AI governance, and reinforcement of board responsibilities — can make trust a measurable outcome, not just a rhetorical goal. 

This is how we ensure that markets serve their intended purpose: to facilitate growth and innovation, which goes hand in hand with protecting investors and sustaining confidence across borders.”

1.3.3b Participants also emphasize that the goal may be not so much uniform standards as establishing coherent terms of reference and frameworks of analysis — a “shared grammar.”

“Whether it’s a set of ‘standards’ that we need, I’m not sure. But sharing experience around these issues could lead you into the direction that says you need some aspect of an accountability regime for key position-holders.”

“Robust minimum international standards have a role to play in fostering better corporate governance. But it is the implementation of those standards at the level of individual firms that determines their effectiveness. 

As in other areas of post-crisis reforms, this is where continued effort is needed. The task of changing culture in the financial industry is complex and challenging. 

The greater role of social media in generating and spreading information of actual or perceived governance failures demonstrates the need for an innovative and more holistic approach in regulation and supervision.”

“A high-level international framework would have its challenges. For example, even the widely known ‘three lines of defense’ framework is not universally agreed or consistently applied. 

Take liquidity risk. In areas like this we are able to say: here are the Basel standards; here’s the data to collect; here’s how to analyze it for an individual institution and across firms. That’s all tangible and quantifiable. But it’s harder for other areas like operational risk, and harder still for governance and culture, beyond basic structures — and even then, not everyone agrees on those. 

So in the judgment-based, non-financial space, it’s harder — but probably not impossible.”

1.4 – Legitimacy and Trust as Supervisory Assets

1.4.1 – How do supervisors approach supervision in the absence of clear frameworks and guidelines related to culture?

1.4.1a Many participants point to the importance of supervisory judgment in assessing potential problems related to culture.

“One of the lessons from the Global Financial Crisis was that supervisors had been quite busy — but they had been busy doing the wrong things or doing them in the wrong way. Part of the response was, ‘Oh, well, we need to do something called judgment-based supervision.’”

“I understand that many people may feel uncomfortable when there's too much discretion involved, where it can feel arbitrary. So, you really need some kind of framework around it. But the idea that good banking supervision can be done without discretion and rather like mathematics, like two plus two is four, that's also ridiculous.”

“In the end, even with great frameworks and great tools, the job of supervisors is to make judgments — to assess the evidence in front of you and decide whether you still have concerns or not. Even though we've really developed our framework around this topic, you still need people to make very good judgments. And they have to make those judgments about the people and the firms they're dealing with, as well as the processes, systems, and controls.”

“It’s easy to get lost in details and the numbers, so when I took over at OCC, I anchored priorities on safeguarding trust in banking. That prompted my interest in doing a survey on trust in the OCC itself. 

While sitting on the FDIC board, I had been struck by the FDIC’s survey on the unbanked or underbanked. It’s very rigorous — done through the Census, with economists — and has shaped the policy conversation for years. It provided the FDIC with credible, visible leadership on access and inclusion. 

I wanted something similarly rigorous for the OCC — something focused on trust in its multiple dimensions — so banks and supervisors could get useful feedback. I thought that would also signal that OCC cares about trust for banks and for itself. 

Trust is multi-directional: trust in banks, trust between banks and regulators, and trust between regulators and the public. In healthy systems, accountability and discipline apply across those relationships.”

“Culture is generally understood as the shared values, attitudes, behaviours and norms in an organisation. At the Monetary Authority of Singapore (MAS), our focus on culture and conduct in financial institutions (FIs) seeks to achieve two key objectives:

• Ethical business practices; and

• Prudent risk-taking and robust risk management.

While one could measure the safety and soundness of an FI through indicators like capital, VaR and other financial metrics, measuring the fair treatment of customers requires more judgement.”

1.4.1b Participants also acknowledged how supervisory discretion may be limited.

“Supervision relies on discretion. That is both its value and its vulnerability. 

Discretion, if it is to be exercised with the necessary legitimacy, must be transparent. It must produce results aligned with a mandate of stability.”

“We have also had discussions in the past that we would do culture-type assessments of top management teams focusing on personal styles and board interactions. I'm reluctant to go there. Ultimately, you have to make a clear link with your prudential powers and prudential objectives, which is problematic in such assessments. 

You can occasionally, in a one-to-one, talk to a CEO of a supervised entity, share your observations on how he or she is running the board and apply moral suasion. But most of our supervisory impact is through more formal supervisory powers. You need to ensure that you stay within your prudential mandate.”

“In the prudential supervision of banks, there are some cornerstone activities that any supervisor needs to do. First, they need to assess the adequacy of capital. Second, they need to assess whether there is sufficient liquidity. And third is resolution planning. When you dig down into each of them, there’s a lot of supervisory discretion involved.

There’s a lot of discretionary activity that supervisors can or can’t do, based on the resources they have, their perception of where the risks lie in the firm, and the amount of trust that they have that the firm will itself do things correctly.”

“In Germany, because of our history, particularly after 1945, we gave ourselves a constitution that restricted the power of public authorities, especially regarding discretion. Every discretionary decision must be based on a legal, often detailed framework. You're not allowed to go beyond this framework, and you always have to explain why and how you used your discretion.

There's a three-step legal test we follow in Germany. First: does the law give you discretion? Second: is the measure suitable, and is it the mildest option to achieve the objective? Third: is it proportionate, meaning does it balance constitutional rights fairly? Every lawyer learns this; it's foundational.

I think it makes sense to always consider how to limit discretion — not to lose it, but to retain it strategically.”

“Supervisory discretion that is not grounded in clearly defined risk-related criteria may be interpreted as ideological overreach — eroding trust and exposing supervisors to political challenge.”

“It's not about only having a framework that comes down to a single score and then you decide something, or a framework that's entirely based on judgment. You need a mix of the two.”

1.4.2 – If culture is a factor in governance outcomes, should supervisors take stock of their own cultures to improve supervisory outcomes?

1.4.2a Some participants also observed that, because culture affects outcomes across all sorts of organizations, it is also relevant to questions of supervisory effectiveness.

“[O]ne important issue remains largely unaddressed by the international regulatory and supervisory community: establishing and reinforcing a strong supervisory mindset and culture. 

We have learnt that [an] emphasis on risk governance infrastructure over risk culture is insufficient in financial institutions, and it’s no different in supervisory agencies.”

“Time and time again the issue of supervisory mindset and culture are prominent features of postmortems conducted in the wake of a financial failure. 

That the issue has emerged in many different jurisdictions, each with different supervisory architecture and powers, suggests that this problem is not a product of any particular supervisory structure, approach or methodology. Yet little seems to have been done by the international community to help address the challenge.”

“It is important that leadership of the supervisory agency promote and continuously assess the culture of the supervisory organization itself.”

“Thinking about how best to achieve sound supervisory outcomes has received increasing attention from a number of supervisory agencies in recent years. Good supervisory outcomes are largely influenced by risk culture, particularly factors such as willingness to act, persistence, and intelligent risk-taking. These intangible qualities are pivotal in enhancing supervisors’ ability to promote safety and soundness of banks and the banking system. 

Governance and risk culture always start from the top of the organisation — in this respect, supervisory agencies are no different to regulated firms. 

In the context of supervisory agencies, this means that the actions and support shown by senior management are vital in establishing a tone from the top that empowers supervisors to take prompt and decisive actions. This should include articulating supervisory risk tolerance, acknowledging that intervention is expected as part of the supervisory process, and supporting supervisors in taking risks and making judgement calls around the timing, force and nature of interventions.”

"As with all institutions with staff coming from many different nationalities, we had cultural risk at the ECB. We had 25 authorities contributing staff to banking supervision. Everyone brought a different understanding of supervisory approaches. Some followed rules to the letter. Others came from countries with legal systems used to discretion. Some escalated small issues. Others were used to more independence in their decision making. Not all of that is cultural — some is individual — but much of it is cultural too."

“We need a supervisory culture that is less focused on administration and more focused on key risks that can be measured and ameliorated — which again puts a premium on seeking to find ways to measure and monitor key cultural risks.”

“Within the supervisor itself, there can be an interesting cultural issue about the approach to supervision. 

Is supervision something that’s left to the operational level, with an assumption that line supervisors are competent to choose what actions to undertake and to judge whether they are being effective? Or is there a really good three-lines-of-defense model, where the board of the supervisor sets expectations of the intensity of activities that the supervisors should undertake in relation to firms with a particular risk profile, and then applies the three-lines-of-defense model in checking that the supervisor’s activities reflect the board’s risk appetite and are followed through in a timely manner? 

The Silicon Valley Bank episode shows what can happen when the three-lines-of-defense model is underdeveloped and supervisory concerns are not followed up rigorously.”

“I think that regulators should be spending just as much time in building their own cultures. You should be spending as much time on looking at the fit and the ethos of the people that you employ and not just what the c.v. looks like and their technical capability.

At the DFSA, we would talk a lot about ‘fit’ when we were bringing people in. We would have as much of a discussion at the senior level in looking at senior people about fit, and not just what have they done, where have they worked, and what the c.v. looks like. And that fit, if you will, was cultural.”

“We've done a lot of work on addressing cultural issues. Did that make us an ineffective regulator? Maybe in some respects, it did. If you haven't got the staff giving us feedback on the various elements of good culture, then you are not going to be a modern, confident, ambitious regulator. You are going to be an inwardly focused entity — the last sort of entity you'd entrust with enforcing the law.”

“Both at the Central Bank of Ireland, as well as part of ECB Banking Supervision, supervisory effectiveness and a strong supervisory culture is something we are always seeking to cultivate and uphold — with the effectiveness of our supervisory framework already a focus of the ECB Supervisory Board prior to the events [of March 2023].”

1.4.2b Some participants argue that, because the nature of supervision is different from banking, culture as a matter of supervisory effectiveness should be considered differently than when examining culture as it drives outcomes for industry participants. Often pointed to in this regard is that private industry is profit-motivated while supervisors seek to serve the ‘public good.’

“There is sometimes a view that, because regulators do not have a profit motive, they are at less risk of control failures.

It’s great to have colleagues with a strong sense of public duty — but that is simply not enough, and confronting a regulator with evidence of its impact (or lack of it) can help to move the culture from feeling good to doing good.”

“I always used to say to the senior guys, ‘Look, I want your bank to be well-run, and I would hope that you want your bank to be well-run. Where we disagree is that I don't really care as much about your share price as you do. And I don't really care how much you're paid. But in terms of the bank being well-run, that should be a shared interest.’ 

A good example for me is it was very easy to be motivated working at the New York Fed because of the public mission, the public interest. I wasn't going to work to earn a lot of money; I was going to work because this can make a difference in terms of how well the US economy operates.”

“I’ve led private and public sector organizations of many sizes, up to global, and the biggest challenge is understanding the culture you have and how to develop it. 

For supervisors, the dimensions on which we must focus may differ from those of firms, but the logic is the same. If you’re going to change an organization, you must understand its culture. And you must define the culture you want; that culture must be consistent with your mandate and enable you to deliver better on the mandate.

That may be easier for supervisors than for firms, because staff generally subscribe to the public interest mandate; you don’t have to discuss purpose.”

“Regulators face constant scrutiny and accountability for their judgments because they are often made in public or their consequences become public. As a regulator, the process in which you get an understanding of whether your judgments are good ones or not is pretty clear, which is not a fashionable viewpoint. And when you get it wrong, it's also pretty clear as well. 

When we talk about judgment, from a supervision perspective, what we are really talking about is conduct. We're not talking about judgments that are made in good faith but turn out to be wrong. We're rather talking about judgments that don't get made at all when they should be. We're talking about things that don't happen when they should happen. We're talking about people who follow a course of action following an agenda that conflicts with the sense or spirit of what is important or valuable, either from a corporate perspective or a regulatory one. And that includes dishonest conduct.”

“Central bankers do see themselves as working toward their understanding of the public good. Our mandate comes from statutory objectives — safety and soundness. 

In a capitalist society, profit motivation is fine; but in banking, market failures mean that without regulation banks over-leverage and take too much risk — we’ve seen it. 

Politicians ultimately decide the public good — but they tend to underweight very bad outcomes when those have faded from memory. Good societies create institutions to ensure those risks aren’t forgotten; an independent central bank regulating is, in my view, good design.”

“In the end, banks are commercial entities focused on making a profit for shareholders. I am here to serve the public interest and, in my current role, the interests of European citizens. So, while we can have common endeavors at times, it's important to remember that our fundamental mission is quite different. In the end, if I have to make difficult judgments, they are informed by my focus on safe and sound banks, the public interest, and my legal mandate, which isn't necessarily always aligned with that of the bank I supervise.”

1.4.2c Participants observed that demonstrating attentiveness to supervisory culture is critical to gaining buy-in from the firms they supervise.

“The problematic behaviors in a supervisor differ from those in a bank. Still, techniques to identify behaviors that could cause an institution to fail or miss its mandate — yes, why should we not consider that ourselves?”

“Whether supervisors have a rigorous framework enforced by three lines of defense and an effective challenge function is a culture point as much as an organizational design point. It comes back to a question of culture: Should you trust us because we’re good guys doing public service? Or should we accept that we’re human beings who make mistakes and need careful checking just like the banks we supervise?”

“Many regulators (financial or otherwise) would probably admit that they have not always held themselves to the standards they require of the businesses they regulate.

More recent failures of regulation and supervision — the crises among US regional banks and at Credit Suisse [in 2023] — have shifted the lens to the culture of financial regulators themselves, and revelations about the culture of the US Federal Deposit Insurance Corporation (FDIC) have intensified this focus.

If a regulator can show that it engages with those it exists to serve, that it is making a positive impact, and that it holds itself to the standards it requires of the businesses it regulates, then there is every chance that [it] will go on to find that it has a sound culture.”

“If we keep talking about risk culture statements and core values without doing it ourselves, how can we ask institutions to do it?”

“You can’t tell other people to fix themselves if you don’t try to fix yourself as well. People watch what you do, not what you say. You’ve got to walk the walk. No question about that. 

That’s why at the New York Fed, we also took a really deep dive and looked at our own supervisory practices during the Great Financial Crisis.”

“If we’re going to talk about culture in the financial sector, we can’t ignore the culture of supervision and regulation itself. There’s no reason why regulators and agencies shouldn’t take a hard look at their own cultural predispositions, just as they expect financial institutions to do.”

“Moreover, evidence shows that organisational governance and cultural failings are not just confined to financial firms. If poor culture and governance can produce poor decisions and practices in any sort of firm, why should we not expect these issues to challenge a financial supervisor too?”

“I believe you [make progress] when you start talking about how to change supervision, not just how to change a bank's culture. We need to change the way we do things as regulators. This cannot be an exercise in how to change bank culture without thinking about ourselves as supervisors.”

“Supervisory organizations should be aware of their own culture and how it affects their supervision. 

Tone from the top and throughout the supervisor matters, just like tone from the top within firms. It shapes how firms behave. So we have to look at our own culture.”

“We can't have an engagement-led approach if we're not open to hearing what firms have to say, but we also need to be quite direct and make sure that we're very clear about what our opinion is. If something is wrong, we need to tackle that quickly and consistently. And we really need to role model as supervisors what we want to see, demonstrating transparency, clarity, and good communication.”

1.4.3 – How does a lack of effective tools and frameworks for culture risk supervision impact perceptions of supervisory legitimacy?

1.4.3a Participants described how the lack of a common evidentiary basis makes it difficult for supervisors to demonstrate effective culture risk governance and/or supervision.

“In 2017, the FSB conducted a peer review that examined the implementation of the OECD Principles of Corporate Governance of 1999 (revised in 2004). The peer review observed that, despite progress in enhancing risk governance frameworks, many authorities lacked the ability to assess the effectiveness of a firm’s risk governance — and more specifically its risk culture, to help ensure sound risk governance through changing environments — or they did not have corporate governance-specific enforcement powers to augment other existing powers. 

New approaches, e.g. culture audits informed by behavioural and data science, might provide greater insight into the human factors that shape risk taking individually and collectively.”

“This isn’t like capital where we want a consistent international metric of adequacy.

There isn’t a single culture in a bank. There are multiple sub-cultures — especially in large groups with acquisitions: legacy bits, trading vs. retail, geographies, disciplines. (In insurance, the actuarial side has a different culture from sales.) 

So ‘culture’ is slippery. The most useful thing supervisors can do is get specific about the behaviors they think are a problem and what’s driving them. Be concrete: a hubristic senior team that thinks it can do no wrong; a bullying CEO who won’t listen; or something pervasive, like being too driven by revenue, profit, and bonus. And then ask: how do you establish credibility with the board or senior management about your view?

I see two routes. 

One: produce something that looks like hard evidence — data, staff surveys — but ‘hard evidence’ is hard to come by here. 

Two: bring in experts with credentials people will believe — psychologists, third parties. 

Those feel like the right candidates.”

“We talk about firm culture, but you also need to talk about team culture, and financial center or jurisdiction culture, and sector culture. In a lot of financial firms, they don't really have a firm culture; they have team cultures. I have certainly seen that myself in my own background, working in a team whose risk appetite was very different and not well-aligned with the risk appetite the CEO thought his organization had.”

“[M]ore surveillance and monitoring isn’t going to solve the problem of bad actors. There are some few people in any firm who will be smart enough to take their illicit activities offline.”

“Regulators should avoid supervisory assessments based on narrow or limited data points. For instance, overreliance on just employee survey results could lead to subsequent curation by institutions to demonstrate desired outcomes. Regulators should instead rely on a broad set of culture-related observations and indicators.”

“Analysis from economists at the Office of the Comptroller of the Currency demonstrates the importance of ‘M’ [in CAMELS ratings] and how it can help predict future bank performance and risk. The importance of ‘M’ explains why regulators have repeatedly implored banks to ensure they only accept risk commensurate with their ability to manage and mitigate that risk.

If one accepts the premise that ‘effective management is not infinitely scalable,’ enhancing and expanding management capabilities remains prudent for banks of all sizes, as does recognizing that there are business and regulatory consequences to failures in management, regardless of bank size.

A bank of any size can be viewed as [too big to manage], if its management is not up to the task. Of course, that task becomes more difficult as the size and the complexity of the institution increase — but not impossible. The challenge lies in enabling management to oversee institutions of increasing size and complexity with greater competence. 

Bank management and regulators need better means of assessing complexity in a predictive manner that enables them to make better decisions and produce better outcomes for shareholders. That is, we need to improve how we assess ‘M’ — proactively, in advance of failed risk governance and supervision. 

While this discussion has focused broadly on financial risks and outcomes, improving management’s ability to understand complexity, and to act effectively when faced with it, has perhaps greater import in the context of managing non-financial risks — such as operational, compliance and reputational risks — that also have a direct impact on a bank’s performance and survival.”

“The biggest challenge at the DNB was always that our deep-dive [culture and behavior] review approach, where we zoomed in and got a lot of depth, was difficult to scale. We were able to find a way to scale with our annual risk-profiling and identification process, but I definitely would've liked to do more.”

“It is incumbent on governments to act in ways that are predictable, transparent, and rules based. That’s important not only to avoid inefficiency, delay, and politicization — although that’s very important — but because those are the minimum requirements for government action in a democracy. My strong interest in seeing the advancement of work to develop measurable markers of culture derives precisely from the desire to ensure that this key element of bank risk can be supervised in a way that is consistent with these core principles.”

1.4.3b Participants also point out that such tools would be helpful in supporting effective governance around supervision itself.

“Supervisors are striving to be forward-looking to prevent, or at least mitigate, consumer harm instead of only learning of misconduct after the fact, but at the same time supervisors face resource constraints and competing priorities.”

“If culture supervision is to be legitimate, it must begin at home. Supervisors must first discipline their own frameworks — what we define, how we measure, and how we communicate expectations.”

“There’s also the question of how involved supervisors should be. Extensive board-level interviews, for example, are resource-intensive for already stretched teams. We needed pragmatic approaches that add value, even if imperfect.

Since leaving my regulatory role, I’m more conscious of another boundary question: where’s the line between effective supervision of culture and regulatory overreach into internal management — where boards and executives should be held responsible? We don’t want to micromanage or dictate specific cultural elements. Principles alone can become too vague; prescriptive rules can devolve into box-ticking. We need to manage that balance.”

“The core challenge in supervision — like many roles — is too little time and too many things to chase. That tends to push us toward what’s actionable and tractable. Everyone agrees cultural elements drive problems but turning that into a proactive supervisory yardstick has proven difficult — we’re not always sure what we’re targeting.”

“For me, to deliver ‘state of the art supervision,’ our supervisors need to have the right skills, the right mind-set, the right tools and the right data to do their jobs. But they also need to be adaptable, robust and indeed at times intrusive — with enough empowerment and escalation options to deliver truly effective outcomes.

From where I am sitting, achieving this is about making sure frontline supervisors have the right training, technology, autonomy and flexibility to do their jobs, and to do it right. But it is also about ensuring they know that we have their back — to be risk focused, and to use their toolkit to get traction within supervised entities.”

“Regulators and supervisors operate within cultures that shape their own performance. Putting these tools to work in our own organizations may be exactly the place to start.”

Responses to Chapter Questions and Other Commentary

1.1 (a) How should we define culture in a manner that brings it clearly into the scope of supervision? Does culture only matter in so much as it directly affects risk and compliance functions (commonly discussed in terms of “Risk Culture”); or is prudential relevance of culture broader than this (often discussed in terms of “Culture Risk”)?

Defining culture carefully is an often overlooked, but essential, step, and an important aspect of defining culture, for both banks and supervisors, is to think about it as behaviour in aggregate. It is important to focus on what actually happens, and not to view it as an aspirational or abstract set of values. A working definition is that:

“Culture is the detailed behavioural landscape of the organization as it currently is, encompassing the behaviours and decisions that are made by individuals and groups, with a particular emphasis on those patterns of behaviour that predominate or are missing, and areas that are common or are outliers”

A key element of culture is therefore the imperative to understand the drivers behind individual and collective behaviours and decisions, which may be personal, social, organisational or environmental.

Using this lens it is somewhat abstract to classify culture just as it directly affects risk and compliance functions (commonly discussed in terms of “Risk Culture”) as somehow separate from a broader understanding of what is influencing all behaviour.

In fact the very use of the term “culture” can be problematic insofar as it is freighted with very different meanings by different people. As such I would err towards talking about the topic using the terms of a behavioural landscape, or if it needs to be pointed to where it is an area of specific supervisory concern, as pertaining to behavioural risks.

– David Grosse, Director, Behavor Ltd.

First and foremost, culture is a matter not just for supervisors, but for institutions’ leadership and management. An institution is responsible for establishing, maintaining, and transmitting an organizational culture to guide its team members’ behavior through effective implementation of not only its policies and procedures, but also its day-to-day business routines and expectations for its executives and employees, and ultimately for its values and key strategic, operating, and business objectives.

Therefore, ABA believes that, once a firm has established its risk appetite, specific risk policies, business routines and objectives, and fundamental values, “culture” is an expression of the degree of consistency and effectiveness with which the firm’s board, executives, and staff actually implement those stated principles, objectives, and requirements. As with any human organization, a degree of monitoring and oversight is an integral part of a successful business, but a key manifestation of an effective culture is a high degree of compliant personal behavior, independent at least to some extent of the threat of adverse consequences, but strongly supported by compensation frameworks and other policies (discussed in more detail below).

Under this formulation, therefore, risk management and legal and regulatory compliance imperatives are major elements of a healthy organizational culture. As noted, risk culture is an important component of risk management programs, systems, and processes (collectively, “Risk Management Practices”), along with other components like risk identification and control assessment, monitoring, testing, and reporting. As discussed in more detail below, Risk Management Practices are the most appropriate subjects for supervisory scrutiny. Beyond those, however, organizational culture is a means to promote efficient and coordinated operations, in which team members across the organization conduct their activities in a manner that minimizes conflicts between objectives. When objectives present some inherent potential for conflict, e.g., increasing quarterly profit and managing to the desired risk appetite, cultural influences lead promptly to an appropriate and robust, balanced solution, e.g., an appropriately calibrated risk-adjusted return, aligned with the broader risk management framework.

Note that this “culture” definition encompasses the often-underscored “tone at the top,” an indispensable element of an effective culture. The right tone at the top is insufficient by itself, however – implementation of an effective culture also requires consistent implementation below the “top,” throughout whatever lower management layers exist, with particular importance for roles having some extra element of leadership (prominent roles highly visible to other employees and to firm counterparties, customers, and, perhaps especially, for banks, the general public).

Thus conceived, “culture” is the connection between risk appetite, detailed policies and procedures, business objectives and routines, and organizational values, on the one hand, and actual implementing behavior, not only at the top but down through the ranks. “Culture” is what actually happens at the firm on an ongoing basis, the actions that speak louder than words. As a key aspect of risk management and compliance, it is undeniably an appropriate subject of supervisory concern. Responsibility for culture begins with firm management, however, and with the recent clarification of U.S. supervisory standards to deemphasize supervision of reputation risk, the role of culture in establishing the firm’s brand and reputation with customers, business counterparties, and the public remains the province of management.

– American Bankers Association

1.1 (b) Some discuss culture in terms of “non-financial risk” or “material operational risk.” Does either formulation offer an effective framework within which to contemplate matters of culture as relevant to supervision?

No, discussing culture in terms of “non-financial risk” or “material operational risk” is not a helpful formulation and does not offer an effective nor comprehensive framework.

We need to move away from these piecemeal, partial and somewhat abstract categorizations.

Behavioural and cultural considerations underpin all aspects of Financial Services, whether that is performance, resilience, risk management, compliance, conduct or other. Indeed behavioural factors are also key to market, credit and liquidity, those areas traditionally classed as financial risk.

To conflate culture with terms such as “non-financial risk” or “material operational risk” is very unhelpful and is more likely to confuse rather than enlighten.

As an example, the UK FCA uses the term non-financial risk to mean a specific subset of behaviour as it relates to areas of personal misconduct (such as bullying). This is very much a subgroup of the overall topic of culture, and the two terms should not be used synonymously.

Indeed part of the problem is attempting to retro-fit the topic of “culture” into preordained frameworks and taxonomies. Attempting to bash a square peg into a round hole.

Human behaviour and decision making, and the key factors that exert influence (personal, social, systems, environmental) pervade all aspects of business, risk, compliance, conduct and indeed supervision. They need to be understood and assessed in that light.
One important aspect of this is to recognize the reality of the “complex adaptive” nature of the topic of culture, rather than artificially imposing more (misleading) mechanical or linear approaches.

The latter may have an appealing narrative, but unfortunately it is not reflective of reality nor helpful.

– David Grosse, Director, Behavor Ltd.

Consistent with the discussion under 1.1(a) above, a firm’s culture is relevant to management of non-financial and operational risk, among all other types of risk. From the perspective of firm management, it is axiomatic that most commonly imagined types of risk can eventually be the source of adverse financial outcomes if poorly managed, certainly if ignored. [4] Recent increases in cyber threats and fraud represent operational risks that present great potential harms to firms if inadequately addressed; a firm culture that includes robust monitoring and testing, among other things, makes detailed risk management policies effective.

After the firm adopts appropriate protective policies and procedures, it must budget for adequate investment in personnel, vendor services, and software and other tools to make them effective. In many cases, the team will raise competing budget priorities, and if resources are scarce, management may face hard choices. An organizational culture that effectively manages such risks will acknowledge and take into account, for example, that the firm must balance investing in new revenue opportunities with defenses against potential losses. As discussed in more detail below, it must also align its compensation practices to hire and retain appropriately qualified and experienced risk managers, as well as qualified and experienced business generators.

[4] This statement, from the perspective of the firm’s management, is distinct from the subset of risks that are the proper province of supervisors. The recent shift among U.S. financial supervisors to focus on “material financial risks” [citation] represents a rebalancing of supervisory agency priorities; firm managements’ focus is a distinct discipline.

– American Bankers Association

1.1 (c) What is the relationship between governance, risk management, and culture? Which is paramount in terms of supervisory significance? Is culture to be viewed as a byproduct of formal risk and governance infrastructure, or is it better viewed as a driver of performance outcomes? Can these matters be assessed independently? If so, should culture be assessed independently of governance and risk management? Why/not?

As noted in the prior responses, it remains important to keep in mind a clear interpretation of what culture is (re: Sec 1.1- a), as that interpretation is key to understanding the interplay between governance, risk management, and culture.

Both governance and risk management are typically based on frameworks, policies, practices and systems that have been established to aid the management of a firm. Culture is the reality of how things are, and the behavioural landscape “as is”, not representing an imposed construct. Culture is not a set of aspirational values, nor the simple byproduct of a formal process.

Culture and the key influences that shape behaviour and decision making are therefore important aspects that feed into the efficacy of governance and risk management.

Nonetheless, as with all complex systems, there are feedback loops and emergent properties where the nature of how governance and risk management have been set up and operated in turn feeds back into areas that shape behaviour.

Culture can most assuredly not be viewed as (just) a byproduct of formal risk and governance infrastructure. That would be a simplistic and reductionist approach that denies the reality of the complex interplay of many factors that drive behaviour. Yes, formal risk and governance systems would exert some influence on culture, but as one of a wide range of factors (for example including social drivers and norms).

Culture would be better viewed as a driver of outcomes, but not just in performance, also in risk, resilience, compliance, conduct outcomes etc. And that “culture” is itself shaped and influenced by a variety of factors (personal, social, systems, environmental).

To answer the sub-question of whether culture should be assessed independently of governance and risk management:

Both Governance and Risk Management can and should be looked at through the twin lenses of 1) formal frameworks, structures, policies and expectations; as well as 2) the behavioural lens which seeks to understand the wider influences on decisions made and unmade, on action and inaction.

For instance a Board Meeting can be considered in relation to 1) its formal processes, quorum, quality of papers etc. But this would be incomplete without assessing 2) the human dynamics, challenge, curiosity and social drivers important to what gets discussed, actioned and the efficacy of governance.

Likewise an assessment of Risk Management would be incomplete if it did not consider the variety of human factors that influence understanding, completeness, transparency and escalation. For example the sometimes perverse impact of measurement and the illusion of control, or the impact of sludgy risk management processes in how people undertake their work.

The assessment of culture therefore needs to take into account a more extensive and scientific set of disciplines such as organizational psychology, behavioural science, behavioural economics, neuroscience and sociology to explore the mix of cognitive, social, and environmental factors that are key to shaping and driving behaviour.

Key principles in this approach should include that:
• Behaviour and culture are looked at and understood using the rigour and lens of science.

• This approach encourages systematic experimentation, observation and analysis of results.

• Context is important and care needs to be taken in extrapolating findings and interventions from one situation, team or location to another.

• There is a need to understand the underlying factors that drive behaviour, many of which will not be visible or obvious.

• Focus should be on understanding social, structural or organizational factors that influence behaviour, and not just individual attributes. This often requires a rebalance of attention from the “apple” (personal) towards the “barrel” (environmental).

• Culture is a complex system, not a linear system. This means that there is very rarely a single cause and effect, and that it cannot be fully understood without looking at both the individual components and at how they interact.

• Culture is not a single uniform phenomenon that exists and is consistent across a whole organization. It is better viewed as a collection of many sub-cultures, which will have different attributes, drivers, strengths and weaknesses.

– David Grosse, Director, Behavor Ltd.

1.1 (d) With culture defined as a matter of supervisory significance, what is the relationship (if any) between culture and a firm’s stated purpose? Its espoused values? Its ethical stance and practice? The ‘fitness & probity’ of its board and executive management? (Etc.) Are such matters also rightly viewed as being of supervisory significance? Why/why not?

Great care needs to be taken in assuming that there is any meaningful relationship between culture and a firm’s stated purpose or its espoused values.

The former should be seen as the reality of how things are. Whereas purpose and values are often little more than “framing” devices for communications and reputational risk management; they may be seen as necessary but are nowhere near sufficient. There is nothing inherent in how a firm describes its aspirational values that has any meaningful impact on its lived culture 9, 10.

The coherence and alignment between a firm’s ethical stance and the reality of its business practices is also not a given. Indeed a lack of alignment can itself feed into a “knowing” cynicism and affect culture (through a “say-do” gap).

The ‘fitness & probity’ of a board and executive management are important matters of supervisory concern through the robustness of the processes and due diligence, and through the weighting given to diversity of experience and thought. These will both influence, and be influenced by, the culture. However, just focussing on this topic alone will not be sufficient to understand or address culture.

Those matters that should rightly be viewed as being of supervisory significance are therefore those which influence and reflect the reality of day to day organizational life, behaviour and decision making, and not those which are merely aspirational statements.

9 https://www.ntu.ac.uk/about-us/news/news-articles/2025/01/organisational-culture-survey-showswidespread-mismatch-between-behaviour-and-policies

10 https://www.gallup.com/471521/indicator-organizational-culture.aspx

– David Grosse, Director, Behavor Ltd.

1.2 (a) Culture is viewed by some as being of relevance to the supervision of conduct risk concerns and also as a matter of significance for prudential supervisors. Is culture to be considered differently in either context? If so, how so? Or should conduct and prudential supervisors adopt a standard approach to culture as a precursor to risk considerations more generally?

I agree that culture is of importance to both conduct risk and prudential risk supervision.

In broad terms, it should not be considered separately or differently, as there is already an unhelpful (and artificial) subdivision to the topic that is often applied inside and outside firms and that leads to siloed thinking.

The complex behavioural landscape that comprises culture, and the range of influences behind it (personal, social, systems, environmental) is common to conduct and prudential understanding, and it is important that there is a shared philosophy that underpins this.

Nonetheless there will of course be areas of specific behavioural focus which are more relevant when looking at the different outcomes of interest. For example in conduct there will be a need to understand how “motivated reasoning” exerts an influence, and in the prudential sphere how resilience is impacted by co-operation and escalation, and from a systemic perspective how fear spreads across organizations.

– David Grosse, Director, Behavor Ltd.

Risk culture is not a “one-size-fits-all” component of Risk Management Practices for financial institutions. As already noted, risk culture, and culture overall, grows organically and is influenced by an institution’s employees, including its board of directors, executive management, senior management, and staff. Risk culture is also influenced by changes in any of these roles. Elements of risk culture include, but are not limited to, values (i.e., everyone is responsible for risk, “see something, say something”, etc.), code of ethics / conduct, escalation protocols, and credible challenge within and across the three lines of defense.

Having regulatory agency examiners separately assess risk culture during examinations would not be an efficient use of institution and examination resources. As stated previously, risk culture sets the overall tone of a financial institution’s Risk Management Practices and will inform examiners’ perceptions of how well an institution is identifying, measuring, monitoring, and controlling risks. Regulatory agency examiners can assess risk culture through examining material financial risks and evaluating Risk Management Practices, including the degree of consistency with which the firm’s staff comply substantively with prescribed Risk Management Practices, versus a check-the-box examination module related to culture.

– American Bankers Association

1.2 (b) Many post-mortem inquiries posit risk governance failures as having culture among their root causes. With this in view, should culture be taken to represent a source of potential systemic risk? However this is answered, what implications follow?

Yes, culture should be considered as a source of potential systemic risk and as such a key area for consideration amongst prudential supervisors. There are multiple examples within banking and other industries where the source of a business resilience failure can be attributed to organizational or cultural issues. Whether that is the collapse of SVB in 2023, or the space shuttle disasters of 1986 and 2003. Furthermore within banking the escalation from a firm failure to a systemic issue is often psychological, as fear spreads. In the current highly interconnected world this can be rapid.

The implications of this are that prudential supervisors need to both have suitable expertise in house, and to encourage better behavioural capabilities within regulated firms. They also need to make use of the advancements in big data, AI and network analysis to identify on an ongoing basis where there may be developing areas of concern and outliers. The work on unobtrusive indicators of culture 11, 12 (UICs) should continue to be pursued particularly given the rapid advancement in analysis capability.

Global prudential regulators also need to ensure that their current focus on operational resilience also covers the human and behavioural angle, and not just the technical; and that this needs to address all organizations, critical infrastructure and suppliers key to financial services.

11 Reader, T. W., Gillespie, A., Hald, J., & Patterson, M. (2020). Unobtrusive indicators of culture for organizations: A systematic review. European Journal of Work and Organizational Psychology, 29(5), 633-649. https://www.tandfonline.com/doi/abs/10.1080/1359432X.2020.1764536

12 Suss, J., Bholat, D., Gillespie, A., & Reader, T. (2021). Organisational culture and bank risk. https://www.bankofengland.co.uk/working-paper/2021/organisational-culture-and-bank-risk

– David Grosse, Director, Behavor Ltd.

This question seems to imply that culture can be a source of systemic risk for financial services as a whole. Systemic risk by definition involves multiple institutions, but, per the definition of “culture” posed above (see response to 1.1(a)), culture is highly firm-specific. A single firm’s culture by itself will not create systemic risk, but its Risk Management Practices (and a culture that supports them) can mitigate potential systemic risk. The activities of one firm can have implications for risk management at others, e.g., when concentrations of counterparty risk exist and raise the potential for contagion. A specific firm’s risk management culture can reduce its own risk and also systemic risk by such things as counterparty risk limits and dynamic monitoring of present-value exposures, counterparty financial condition (to the extent of information available from either public sources or private, negotiated arrangements), and general market conditions. Thus, an effective risk management culture is likely to be beneficial in mitigating overall systemic risk by reducing the chance of contagion.

As noted previously, however, firm responsibilities (to owners, customers, employees, and, in the context of legal compliance, to public authorities) are distinct from the responsibilities of supervisors. The oversight of systemic risk is ultimately a supervisory responsibility.

– American Bankers Association

1.2 (c) Failures in culture risk governance and supervision are pointed to by many as having worked to undermine essential public trust in the industry and its overseers. Is this fair? Why/not?

Yes, failures in culture risk governance and supervision are an important element in bank issues such as the GFC and the conduct scandals of the last 20 years. And as such they have worked to undermine essential public trust in the industry and its overseers.

The public are rightly concerned that issues such as the GFC, IBOR, FX, PPI can erupt with there seemingly being little warning or foresight from the banks and the regulators, and indeed sometimes developing off the back of a period of deregulation. The loss of trust is further exacerbated when the resultant costs are picked up by wider society.

The more recent issues of 2023 once again showed that the supervisors had a blind spot, for example following the collapse of SVB – see the review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank 13.

Public trust will once again be undermined if the lessons from prior crises, such as the GFC, are not fully learned and acted upon before a further push for de-regulation. In particular where the contributing cultural and behavioural aspects have not been properly analysed, understood and addressed in the interim.

13 https://www.federalreserve.gov/publications/files/svb-review-20230428.pdf

– David Grosse, Director, Behavor Ltd.

1.2 (d) To what extent is the culture of supervisory agencies themselves an important driver of the supervisory outcomes such agencies achieve? What specific examples can we point to where supervisory culture was found to have improved supervisory outcomes? What specific examples can we identify where the reverse was in clear and uncontroversial evidence?

The culture of supervisory agencies themselves is an important driver of the supervisory outcomes they achieve, albeit one of a number of key factors.

Fundamentally if the agencies themselves have issues with their own culture, and in the maturity of their own approaches to supervising culture, then they are unlikely to be challenging and asking the right questions of the banks, nor able to piece together the insights and information they receive.

For example the Federal Reserve's review of Silicon Valley Bank (SVB) highlighted significant cultural issues within the Fed's supervision and regulation. The Fed was too slow to act on SVB's vulnerabilities, and its tailoring approach to supervision had reduced standards and increased complexity. The Fed's Michael Barr subsequently emphasized the need for a culture that empowers supervisors to act in the face of uncertainty and the importance of developing a culture that supports effective supervision.

In the Wells Fargo fake accounts scandal the OCC had examiners embedded at Wells Fargo for years, who were deemed to have been too deferential and slow to escalate concerns.

In the Royal Bank of Scotland failure of 2008 the Financial Services Authority (now FCA) practiced “light-touch regulation”, with deference to senior bank executives; insufficient scepticism; and belief in principles-based regulation without robust enforcement.

As part of these repeating issues across the industry it is also important to consider how “regulatory capture” can occur. 14

Examples where supervisory culture appears to be in alignment with improved supervisory outcomes are noted below, albeit once again the complexity of proving cause and effect should be noted.

• OSFI - Canada avoided major bank failures in 2008, and OSFI is frequently cited for conservative capital standards, its close but sceptical engagement with bank management, and an early intervention culture.

• MAS - Singapore has highly professionalized supervisory staff. And although it has faced scandals (e.g. 1MDB related), has shown willingness to sanction firms and detail supervisory findings. Its purported cultural strengths include a meritocratic technocracy, and low tolerance for reputational risk.

14 Chesterfield, A. M., Reader, T. W., & Gillespie, A. (2025). Cultural capture among regulators: A systematic review. Regulation & Governance. https://onlinelibrary.wiley.com/doi/full/10.1111/rego.70040

– David Grosse, Director, Behavor Ltd.

1.3 (a) What direct and indirect costs are associated with the persistence of fragmented, jurisdiction-specific approaches to and expectations for culture risk governance and supervision? What is the impact for both firms and supervisors?

Fragmented and jurisdiction-specific approaches to culture governance and supervision impact costs. And I would further add that the lack of mature approaches across most territories further exacerbates this.

Examples include:

Direct costs for firms may include duplicative policy frameworks: Banks operating in multiple jurisdictions designing, implementing, and maintaining disparate culture frameworks tailored to differing regulatory expectations. With customization of approaches, reporting, training and change programs.

Indirect costs for firms include inconsistent implementation and limited understanding. Without a consistent underlying comprehension and philosophy of culture there is an increased risk of country and departmental silos, and the lack of dots being joined up. This risk is exacerbated with culture, as the topic itself is often dispersed across different functions, such as the Business, HR, Risk, Compliance and Audit without a common approach nor understanding.

Costs for Supervisors include reduced comparability and benchmarking, slower policy evolution, cross-border coordination weaknesses. There are some leading practices in certain global regulators, and it would be remiss and duplicative for others not to learn from them.

In both Supervisors and Banks developing informed behavioural risk management insight and capabilities it is important to note how this approach can mutually reinforce a focus on performance, resilience and proportionate regulation and risk management.

Properly implemented, a more thorough and informed consideration of behaviour and decision making can help identify areas where excess process, control and regulation can usefully be trimmed without any detrimental effect.

The traditional approach of incremental and additive control, surveillance, headcount and infrastructure and the attendant costs can be reevaluated with an understanding of where these are ineffective in shaping human behaviour and can lead to perverse outcomes, and what alternative methods may be more successful.

Similarly a fuller understanding of how to encourage internal cooperation, challenge and transparency within organizations can help with their financial performance through increased speed, innovation and removing barriers and duplication.

– David Grosse, Director, Behavor Ltd.

1.3 (b) What benefits might result from a more coherent, globally standard approach to culture risk governance and supervision?

1.3 (c) How might international standard-setters, or some other cross-border forum, help to move us from conviction regarding culture as a matter of supervisory significance to convergence around how culture is best addressed in supervisory practice? How should we work to establish and promulgate relevant best practices? Among the practical outcomes that might follow from such a collaborative endeavor, which would be of greatest expected benefit? Why?

As a roadmap for convergence around how culture can best be addressed in Supervisory practice, it will be important for any bodies or standard setters to firstly set out and agree a common philosophy for what they even mean by culture, to avoid parties talking past each other, with different interpretations.

This will need to tackle the reality of culture “as is” with an understanding of the behavioural landscape and drivers, a recognition of the complex domain in which it operates, and an acknowledgment that linear “solutions” may be comforting but will not be effective. This also infers the need to recognize emergent behaviour, context dependency and the importance of expertise and experimentation.

The collaborative effort needs to be wider than just Supervisors and Financial services and also include knowhow from other industries, domains and academia. It will be vital for the efforts to be firmly rooted in disciplines, such as behavioural science, anthropology, psychology, sociology, neuroscience and the study of complex systems.

The focus on convergence should therefore primarily be on what an informed capability looks like (in both Supervisors and firms) rather than a detailed inventory of tasks, procedures, standards or a framework, as the latter will likely lead to the law of unintended consequences.

To help guide the industry to a better place it may be helpful to highlight how investors, funds, ratings agencies and academia are analysing culture as a source of P&L, alpha, and resilience, and how the advance of big data, AI, and analytics (in conjunction with deeper qualitative work) is informing this. Moving culture from a matter of Supervisory concern to a performance imperative will further focus the minds of executives and boards.

The main practical outcome and greatest benefit that might follow from a collaborative endeavour, would be the recognition, support and development of qualified and experienced behavioural capability in both Supervisors and Banks, and for that to be recognized as an essential requirement. This would help build foresight and preemptive actions.

– David Grosse, Director, Behavor Ltd.

1.4 (a) A tension is called out through our stocktake: some value the application of experienced and nuanced supervisory judgement in the course of oversight activities, over the application of a rigid and overly prescriptive rules-based approach; while, on the other hand, some complain that reliance on supervisory judgement impairs the cause of transparency, consistency, and due-process. In this connection, what views do you espouse? And why?

This is a very important topic to address in relation to the specific challenges of the Supervision of culture and behavioural risk. As noted in answer 1.1 C, and in the cover letter, there is a unique aspect to behaviour – in that the behaviour of all actors, both individual and organizational, shape how they seek to address and understand “behaviour”.

In this way it is a “meta” risk, where the area you are trying to study is both influenced by, and influencing, the approach you are taking to study it.

This circular dynamic is distinctive for behavioural risk and culture. Other challenges, such as credit risk, market risk, liquidity risk, cyber security and technology risk are perceived as technical, and not directly confronting to a “sense of self”, and to our own perceptions of (and over-confidence in) what drives human behaviour, action and decision making.

This confounding factor in behavioural risk has very real dangers, in that the more organizations seek to overly prescribe, control and measure culture and behaviour, the more it is likely to create perverse actions, feedback and unexpected outcomes. The dangers of managing to measurement and the illusion of control will develop.

It is therefore vital to recognize this dynamic and the complex domain of culture when setting out both a Supervisory approach and the expectations for firms.

A sensible middle ground would be to ensure that all Supervisors are mandated to have a skilled centre of expertise and capability that is staffed with experienced behavioural scientists, psychologists, and others, that they apply an informed scientific method to understanding the landscape and what good looks like, and that they are engaged to consider both the culture within the Regulators, as well as the approaches taken by Supervisors when they engage with firms. Furthermore that there are expectations that regulated banks will have a similar capability, with appropriate sponsorship, support, expertise and funding.

This does not require a laundry list of all those things that these functions have to do. But if there is no meaningful capability then this should be a matter of Supervisory concern. Culture and behaviour is best addressed through an ongoing capability and suitable expertise, rather than through a programmatic or framework lens.

– David Grosse, Director, Behavor Ltd.

Similar to financial institutions, a supervisor’s culture grows organically and is influenced over time by its leadership and employees. In the case of regulatory agencies, however, culture is also influenced by changes in wider political leadership – Congress and Presidential administrations. Political appointees under new administrations will have new priorities for the agency; however, these priorities should not significantly impact how field examiners evaluate how institutions are identifying, measuring, monitoring, and controlling material financial risks. Supervisory transparency and consistency are essential to the long-term health of the financial services industry, and, given the industry’s importance in supplying credit, dependable and secure payments systems, and defense against financial wrongdoing, also to the health of the broader economy.

To avoid pendulum swings when political administrations change and maintain trust with the financial services sector, regulatory agencies could issue interagency, non-binding, principles-based supervisory guidance providing examiners with guiding markers on how to assess an institution’s Risk Management Practices. The focus should be on material financial risks and provide that supervision should be tailored to the institution’s product offerings, complexity, and risk profile.

We suggest the agencies seek public comment on this non-binding, principles-based supervisory guidance before finalizing it. While agencies are not required to seek comment on non-binding supervisory guidance, doing so would help produce more effective guidance by identifying relevant interpretive questions, operational challenges, and system constraints for the regulatory agencies’ consideration. We believe sound, principles-based supervisory guidance could withstand the test of time and political administration pendulum swings and maintain trust with the financial services sector.

– American Bankers Association

1.4 (b) How should supervisory bodies approach challenges with regard to their own organizational cultures, with a view to enable them to exercise supervisory judgement more effectively? To what extent might the culture of a supervisory agency underpin (or undermine) its perceived legitimacy? How might this shape trust in the financial sector, and its participants?

If organization culture and a mature approach to its assessment are important to regulated firms then they are equally important to the Regulators.

It is essential that the Supervisors recognize the importance of their own culture and that they build their own capabilities and expertise that can be applied not only to those firms that they supervise, but also to themselves.

Having these skills is vital to the credibility of Supervisors, in being able to ask the right questions of the firms they regulate, and in being able to understand and encourage best practice.

– David Grosse, Director, Behavor Ltd.

See Comment to Questions 1.4 (a)

– American Bankers Association
