A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Chapter 2 — Consequences and Challenges

Included in this Section

2.1 – The Cost of Delay

2.1.1 – What role does culture play in governance failures that ultimately require supervisory attention?

  • 2.1.1a Some Participants describe the importance of effective firm governance and the influence that governance structures have on culture.
  • 2.1.1b Participants also point to evidence that culture problems frequently influence the effectiveness of governance structures, and serve as a warning precursor of their failures. But the relationship between culture and governance remains unhelpfully murky, complicating efforts to examine or improve either.
  • 2.1.1c Some participants emphasize that culture and governance are fundamental to performance outcomes such that reliance on formal controls and processes without addressing culture undermines risk management.
  • 2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making this an even greater challenge for large, complex organizations.

2.1.2 – What are the consequences for failing to consider the influence of culture in assessments of governance effectiveness?

  • 2.1.2a Many Participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.
  • 2.1.2b Participants discussed the outcomes of the COVID-19 pandemic and the impacts of increased remote working environments on culture supervision.

2.2 – The Anatomy of Structured Discretion

2.2.1 – How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

  • 2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.
  • 2.2.1b Participants argue that focusing on the cultural proclivities that underpin or undermine risk and control environments (“risk culture”) can bring structure to supervisory judgment.
  • 2.2.1c Other participants note that culture drives impact well beyond risk and control functions, and that it therefore requires supervisory attention for these reasons as well.

2.2.2 – How is supervision made more challenging by a reliance on judgment?

  • 2.2.2a Many participants describe challenges with engaging management teams and boards on questions related to culture risk supervision.
  • 2.2.2b Other participants point out that reliance on insufficiently structured supervisory judgment can lead to inaction or delay.
  • 2.2.2c Participants discussed how a lack of trust between supervisory bodies and the firms they oversee can be detrimental.

2.2.3 – How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?

  • 2.2.3a Participants describe effective supervisory culture as both forward-looking and supportive of necessarily bold decision-making amidst unavoidable uncertainties.
  • 2.2.3b Participants described how establishing effective risk governance structures within supervisory agencies is important to supporting reliable supervisory judgment.
  • 2.2.3c Participants highlighted how supervisory bodies are beginning to explore how their own supervisory cultures might be assessed.

2.3 – Proportionate Early Action

2.3.1 – How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?

  • 2.3.1a Participants note that a lack of established culture risk governance frameworks and metrics makes enforcement and accountability more challenging.
  • 2.3.1b Participants describe various structural challenges related to enforcement and culture risk.

2.3.2 – Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

  • 2.3.2a Participants discuss different approaches and frameworks for supervising culture-driven risks and highlight relevant tradeoffs.
  • 2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee.
  • 2.3.2c Some participants note that data is sometimes collected, but it may then be unclear how it can properly be used for risk assessment or enforcement.
  • 2.3.2d Many participants discussed how relying on post-hoc assessment of culture can lead to adverse governance outcomes.

2.4 – Institutional Memory and Accountability

2.4.1 – What steps can supervisors take to ensure that the exercise of their judgment regarding matters of culture risk governance isn’t arbitrary, and that it improves over time?

  • 2.4.1a Participants described the importance of having mechanisms to preserve judgment, whereby earlier anticipatory assessments are tested against what actually unfolded thereafter.

Chapter Questions and Comments

2.1 – The Cost of Delay

2.1.1 – What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1a Some Participants describe the importance of effective firm governance and the influence that governance structures have on culture.

“There is confusion around the taxonomy of culture because the word ‘culture’ is confusing and slippery. When we say culture, we’re not talking anything about theatre, literature, poetry, music. We're talking about conduct and governance, specifically in the sense of how organisations and their agents do and should behave. 

Culture needs to be anchored into something that's more real and more obvious. It must be connected to governance, the conduct rules and tools that firms can use, the standards that define the corporate expectations and how those standards are expressed, both in word and deed. 

If regulators therefore couch culture in terms of governance, it would be easier to talk about in ways that everybody understood and in ways that could be defined and applied without the academic or philosophical debates about what it really is.

If we're serious about culture, we should find ways to hardwire it into the regulatory framework itself. We cannot afford to just talk about it abstractly, because as long as we do that, we are not going to make any tangible difference in the way in which firms actually think and act.”

“Culture and conduct reform, in my view, is an ongoing process. We put so much effort into building a sustainability-oriented culture after the Financial Crisis because it is the only answer to ensuring the right conduct. And it was expected from the other side of the table — from the regulators.

And this is also important in connection with the G in ESG. Governance issues will become dominant for listed companies globally. They will be judged on the G part as much as they’re judged on the E part and the S part. I’m convinced that we need a permanent culture change in banking, and across corporations more generally.”

“Our supervisory experience tells us that firms with good governance, culture and controls are much better set up for success — both in terms of growing safely as well as dealing with the risks facing them and their customers. And on the other hand, we have seen what happens when external shocks or major change coincide with poor management behaviour — not to mention how the risks of consumer or investor detriment rise when poor business practices and weak business processes are allowed to persist within a firm.

As such, we see sound culture and effective governance as consistent mitigants to risks facing firms, the system and consumers/investors. And, in a rapidly changing world, and an environment of heightened external risks, the need for effective governance underpinned by a strong culture and robust systems of delivery is becoming all the more essential.”

“I find neither ‘governance’ nor ‘culture’ helpful terms in this context. Lazy supervisors often point to problems with governance or culture without being sufficiently clear and specific about what they mean.

The origins of firm culture, defined as patterns of behavior, are clearly complex. In reality, large global banks have multiple sub-cultures within an overriding enterprise culture. Some patterns of behavior stem from current leaders within the firm: for example, a dominant CEO that overrides all debate within management and the board. But other patterns of behavior might be long-standing and engrained norms and habits amongst employees, or they might be specific to particular markets or geographies.

Boards and management clearly have a strong influence over culture, but they cannot control it fully. They do need to state a desired culture; to ensure that processes within the firm support this culture — e.g. tone from the top, remuneration, promotion, discipline — and to have effective ways of assessing actual culture so as to address gaps between the two.”

“Supervisors must move beyond treating culture as a ‘soft’ topic and link it to hard elements: governance structures, risk-management design and implementation, incentives. We need supervisors who can connect soft and hard qualities.

Culture risk assessment should be about patterns and indicators, not trying to establish strict cause-and-effect. Because culture isn’t physical. But we still need tangible indicators — behaviors, decisions, outcomes. 

Culture should feed into a broader supervisory ‘forensic’ analysis of institutional health and risk culture robustness. For example: whistleblowing volumes and themes; frequency and type of risk indicators; complaint patterns; speed and quality of remediation; and whether employees feel safe to speak up. We need to appeal to a combination of soft and hard evidence.”

2.1.1b Participants also point to evidence that culture problems frequently influence the effectiveness of governance structures, and serve as a warning precursor of their failures. But the relationship between culture and governance remains unhelpfully murky, complicating efforts to examine or improve either.

“With a good culture, you can compromise on some formal aspects of governance and still have a good outcome — or temporarily deviate from norms and still be fine.

There are two points to note here. First, there’s a range of acceptable risk cultures. The upside (good/brilliant) shouldn’t concern us as supervisors; the downside does. Even a mediocre risk culture may be okay for some business models, but there’s a lower bound that depends on what business you run. Supervisors must ask: (1) when is an organization outside the acceptable range? and (2) what do you do about it?

I’ve seen companies genuinely striving to show correct governance yet losing sight of culture. That’s the problem with what I call the model-mindset: ‘If we can believe the model, then everything’s fine.’ That ignores the human element — the red in tooth and claw nature of some parts of banking — and can allow things to drift.

You won’t get far saying ‘G is for governance’ and ‘C is for culture’ and scoring both separately. The two must be related. Since we’re committed to evaluating the impact of governance, the best way to get supervision to look at culture is to extend the definition of governance so that it encompasses culture. 

But you could also invert it and say: you’re really looking at culture, with formal governance as a sub aspect, because culture may be more important than organizational boxes and charts.”

“In the last decade, a majority of supervisors have adopted a focus on behaviours such as leadership, decision-making, and escalation. In order to manage behavioural risks and change undesired behaviours, one needs to dig deeper to be able to understand why people behave in a certain way — i.e., what drives them.

A distinction between supervisory approaches can be made, whether the focus is on (1) formal drivers and/or (2) informal drivers of behaviour. Formal drivers refer to the ‘tangible’ side of the organisation — i.e., how it is ‘set out on paper.’ These include the more structural elements such as those reflected in organisational charts, job descriptions, hierarchical reporting lines, standard operating procedures and incentive schemes. 

Informal drivers refer to the ‘intangible’ side of an organisation, that which is not written down on paper or openly voiced. It is often referred to as the unwritten, unspoken rules of an organisation. Informal drivers include, for example, social relationships, perceptions of the work climate, and the beliefs and values that people hold. Formal drivers are more tangible and more easily accessed by supervisors. They therefore require less specific expertise from supervisors than that which is necessary to gain systematic insights into the informal drivers of behaviour. 

In my view, it is almost impossible to assess the informal drivers of behaviour based solely on tangible information such as frameworks, policies or controls via off-site activity. Conduct — and misconduct — follow partly from formal systems, such as incentive schemes and ‘tone from the top,’ but far more powerfully so from informal influences obtained by observing ‘what actually happens’ among close colleagues. We rely on interaction with other people for ‘social proof’ that our behaviour is ‘normal’ — that is, in keeping with group norms. These norms shape our individual and collective identities, setting and re-setting what we see as boundaries of acceptable and expected behaviour. Employees in a firm experience the same standard-setting of norms for the workplace.”

“Sometimes it’s not about culture — it’s just weak or overconfident people. And the culture might allow those people to stay in roles they shouldn’t be in.”

“Although we did not know for certain what the root causes of misconduct were, we had credible suspicions — many of which were shared by others in central banks, government, academia and even the private sector — that organizational culture played a material role.

For example, an organization sends powerful messages when it promotes and fires employees. It is only natural that other employees will try to replicate behaviors leading to the former, and try to avoid behaviors leading to the latter (assuming they want to keep their jobs and do well at them). 

Compensation incentives also influence conduct by pricing certain outcomes above others. Recruiting and training offer opportunities to communicate senior leadership expectations and to reinforce the importance of seeing the ethical dimensions of business decisions. Diversity and inclusion also play a role — a big role — especially if we want to avoid groupthink and encourage employees to speak up when they see something wrong. Finally, but perhaps most elusively, the way employees treat one another in everyday workplace settings matters.”

“This is where risk management becomes crucial. At the governance level, you set the organization's risk appetite. Is there a high appetite for financial risk? Is there zero tolerance for certain behaviors or regulatory breaches? Defining these tolerances at the governance level embeds a particular kind of culture, which may have unintended consequences.

For example, a zero-tolerance policy for anything can foster a culture of blame. If mistakes occur, and it is not possible to eradicate all error, people may feel they will lose their bonus or their job. This then permeates the organization's culture, causing people to focus solely on complying with that one specific rule rather than adopting a more holistic view of the overall purpose and desired outcome. 

These are the challenges both organizations and supervisors must grapple with when defining what behaviors are observed in practice and what may need to change, especially concerning compliance and risk management.”

“A lot of internal investigations take place because things go wrong. Often this leads to establishing a ‘culture of compliance,’ from the second and third lines rather than making sure that the first line adopts a culture that prioritizes the delivery of good quality outcomes for clients.

As a former regulator, I’ve regularly observed that one does not notice a good culture, per se. What you notice is a lack thereof at a firm. I think many firms that don’t have a clear culture, around which they evolve their business, sooner or later find themselves facing problems. That lack of focus on desired culture means that such firms have a higher idiosyncratic risk of misbehavior, reflected in the attitude ‘it’s allowed if it’s not explicitly forbidden.’ Well, not everything that is not explicitly forbidden is allowed, and even more to the point, even what may be allowed is not always in the interest of clients.”

“Poor governance doesn’t directly cause bad outcomes; people operating within that governance framework do. You see organizations obeying the letter but not the spirit of rules. Culture is what says: ‘we adhere to the spirit, not just the letter.’

We’ve seen banks fail where the ‘hardware’ of governance and risk management was in place — limit frameworks, etc. — and functioned, producing the right alerts which were then overridden. That can happen if the client relationship or the revenue potential is prioritized over the downside risk. 

Especially when it comes to balancing risk and reward, governance is filled with real people taking real decisions. What frame of reference do they use? How do they exercise power? The sum of those interactions and interpretations — that’s culture.

Maybe you can codify elements of ‘good culture’ to some degree, as separate or semi-separate from formal governance?”

“Some financial institutions are inherently very compliant. In those cases, you start from a much higher and easier base, but you can have another type of risk because they can be too compliant, in the sense that they abdicate their thinking. They only do what the regulators tell them, and that's not an ideal situation. Those types of institutions, frankly, don't do so well in the long term, because they don't really innovate and they don't think for themselves.”

2.1.1c Some participants emphasize that culture and governance are fundamental to performance outcomes such that reliance on formal controls and processes without addressing culture undermines risk management.

“Do you have a three lines of defense framework? Yes? Well, that’s a start, but is that enough? Are we done just by ticking the box? 

The real question is whether the framework is actually working as intended. And how do we know? Governance structures and processes might look robust on paper, but they can be easily undermined by an unhealthy culture. 

Culture operates beneath the surface — it is the attitudes, behaviors, and unwritten norms that influence how people actually act within the framework. If the culture is misaligned, it can render even the best-designed controls ineffective.

In many cases, governance failures do not stem from a lack of frameworks or processes but from a culture that corrodes their effectiveness. That is why understanding and addressing culture is not just an add-on; it is a precursor to ensuring governance systems succeed.”

“Regulators can give you lots of governance and lots of rules, but no amount of governance or rules will ever deal with all the situations where you have to deploy judgment. 

It is incredibly easy to encounter a problem or a new set of rules and for a firm to deploy another checklist, another manual, another process run by compliance rather than address the underlying cause. Particularly in financial services, you can get into a situation where everyone is just ticking the box.

Sometimes you can infer the culture just by looking at how processes work. I've seen a risk committee tracking probably 200 risks on a matrix for the bank, and all but three were green. That tells you this is a culture where you simply do not tell the board if you've got a problem until the last minute.”

“Rules and standards are a necessary part of an effective regulatory regime but they will never keep pace with change and human ingenuity. We know this because time after time, when a crisis happens, we find that someone found a way around the rules and the risk management culture didn’t detect or stop the behaviour before it was too late.”

“When you ask boards of directors a hypothetical question: ‘What happens when you have a trader who blows through all of your limits and loses $2 billion?’ They say, ‘Well, you fire him, you throw him out, you call the police.’ Okay. ‘Same trader blows through your limits and makes $2 billion?’ The answers you get are, ‘Ah, well, we should warn him. We should write a stern letter. We will withhold 10% of his bonus.’

The issue is not whether they made or lost money; the issue is that they blew through the limits. They have no respect for your middle and back office, and that's a management problem. 

If you don't know the subcultures of the organization, people might start to fudge, to cheat, to hide. If you don't have an open culture where people feel comfortable talking about something going wrong, you'll find that people simply lie. Once they've started fudging the numbers, when things turn bad, they'll turn bad in an angry way — they’ll drop significantly past where you thought they would be.”

“For example, it can happen that your trading desk is in a terrible place in terms of culture, which means all your risk management frameworks applying to those people are not working because half the team are trying to get around them. It’s us trying to fix your risk management system so that you see the issues and you challenge them as a firm.”

“Interestingly, people with a strong tech background who go into the financial sector, for example, have a different approach. They possess a strong problem-solving attitude, which is positive. When you say, 'This needs to be solved,' they are quick to solve it.

The problem arises when an entrepreneurial style results in the frequent use of trial and error for financial sector issues: just start, see how it plays out, and then course-correct. This trial-and-error approach is not fitting for many issues regulated institutions are confronted with.”

“If you boil down culture to behaviors, values are an intrinsic part of that. You can't separate [values from behavior]. However, culture itself is perhaps not as tangible because it's a shifting element. People define and measure it in different ways. That's why it's important to understand the drivers of human behavior, including both the formal and informal elements of good governance. This involves examining why people, individually or collectively, behave as they do.

You must consider these drivers and how culture — which isn't inherently a definable, permeable, or measurable thing — impacts day-to-day decisions. This applies at the governance level and as expectations filter through the organization, influencing not just behavior but also what's delivered on the ground.”

“The interesting question is not so much that people do bad stuff. The question is: why does that bad stuff persist?

There does seem to be a sort of slippery slope aspect to all this. But I think the question is: why didn't people put up their hands and say something? I guess the question is: how broadly known were the bad behaviors, and then what did people do about it? If people are colluding — a number of bad actors are colluding — that’s one thing. It's another thing if people are broadly aware and just looking the other way. So we have to distinguish those two issues.

So a good example is: when do I speak up? When do I object? When do I say, ‘Hey, what about this?’ And how does the firm react to that, or how does my boss react to that? Is a good defense, ‘I followed the rules,’ or is that not a good defense?

I mean, the thing that makes me the most annoyed when I'm in an organization is when someone says, ‘Well, I did everything I was supposed to do.’ ... ‘I followed the hierarchy.’”

“Culture has to be top-down. It's the basic principles or values that influence a person's behavior. However, there could be subcultures within a large bank. It's not that the board said, ‘Let's go open false accounts for $25 each.’ I cannot imagine senior management or the board would quietly approve that. That was a case where the overall culture from the top was good — Wells Fargo is otherwise a very well-managed, conservative bank — but a subculture existed.”

2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making this an even greater challenge for large, complex organizations.

“Conduct is the actual practice or behavior you can observe, whereas culture is the set of values that guides thinking and behavior. You would rarely find a board that condones bad ethics. The problem is not that directors are bad people; most of them are decent. The problem is that they are often not able to influence the management or the culture of the bank.”

“There are limits to a large organization’s manageability. I have seen enterprises become so big and complex that control failures, risk management breakdowns, and negative surprises occur too frequently — not because of weak management, but because of the sheer size and complexity of the organization. Some identify this as the too-big-to-manage (TBTM) problem. 

Misidentifying or misdiagnosing problems at a large bank can lead to ineffective actions and solutions, which in turn can prolong the risk of harm to consumers, counterparties, and the financial system. It can also hurt the credibility of financial supervisors, as large banks can take inordinate amounts of time trying to remedy deficiencies, which can and should be addressed quickly.”

“I’m not sure it’s just about compensation. While aligning pay with risk outcomes is important, it’s not the whole story. Culture plays a critical role in shaping how people respond to any incentive structure or management intervention. If the organizational culture rewards short-term wins over long-term sustainability or tolerates cutting corners — then even the most well-designed compensation frameworks can backfire.”

“I regret that the focus on remuneration has been almost exclusively incorporated in rules, so that supervisors in most cases check compliance with the rules rather than asking themselves how the remuneration policies of firms affect behaviour of key function holders and staff in general.”

“There are limitations to what a board can do. They don’t manage the company. But the more information you can get to them in discrete increments that allows the firm to develop a reputation for good governance and compliance, then the less the board will probably have to do.”

“Every financial institution you walk into has the vision and mission on the wall: ‘We treat everyone fairly, we support our community, let's all row together.’ That's fine for the lobby, but the board sometimes doesn't go beyond that. There are levels of culture in an organization that the board may not actually know about. 

For example, what have been the most significant disagreements you have had at the board? If every decision has been unanimous, the chair has probably either beaten them down or hired all their mates. The same goes for the guts of the institution.”

“It comes back to the concept of the ‘directing mind.’ What is directing the mind of the person in the organization? The culture really reflects that directing mind — what's driving that individual to do things the way they do.

It probably comes back to the same techniques you use for corporations. You start with the indicators of problems with culture. I was talking to a chief of police about this, because police forces often have issues with culture, and he said, ‘Look, we don't have one culture. We have lots of subcultures.’ Part of it is identifying subcultures that are not consistent with the culture you're trying to portray.”

“[T]he truth of the matter is that the senior management are often unaware of what’s going on in the core of their organizations. Despite best efforts, they’re often operating in the dark. Senior management is only as good as the data it works with, the information it receives through their reporting systems, and the layers of reporting that aggregates up to them.

The problematic issues are in the middle to the bottom of the iceberg. We can talk about the executive officers, and we can talk about the board, but they’re only as good as all the people down below them, and how ready they are to escalate critical information. We have to make sure our people are comfortable reporting the truth, reporting the bad news.”

“Culture is a complex matter. Although it should be prescribed from the top down, practicing it requires bottom-up acceptance. The incentive system plays a huge part in this. The board can set appropriate risk parameters, but if the bank continues to reward excessive risk-taking, managers will take excessive risks.”

“We have spoken to many firms which have strengthened their vision and purpose statements to drive a more customer-centric culture. This is a good starting point, but clear vision statements can only have a limited impact on the lived culture of the firm. We are concerned when we see leaders with an almost evangelical belief in their customer-focused mission statements who have not invested in sound controls and reporting to manage and understand the actual customer experience.

As regulators we obviously need to ensure that firms comply with the law. But good conduct risk management will not be achieved by a compliance implementation programme alone, because it is about how leaders and employees behave over time. For an industry within a jurisdiction that has been used to a more legalistic approach, this requires a change of mindset and a move from the compliance-led programmes that have been implemented in the past to conduct-led programmes that are better able to monitor the real outcomes of actions.

The focus of bank leaders should be on identifying and acting on behaviours that produce poor customer outcomes over time — and the implementation of this approach is ultimately an exercise in change management. Unfortunately we have seen firms spending a lot of time and money developing voluminous compliance manuals and processes that fail to deliver much value for their business or their customers.”

2.1.2 – What are the consequences for failing to consider the influence of culture in assessments of governance effectiveness?

2.1.2a Many Participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.

“The recent case of Credit Suisse is, arguably, an example of persistent conduct of business failings reaching an extent whereby there was a significant loss of confidence in the bank.”

“Credit Suisse had a number of financial surprises that led to an erosion of confidence, in addition to several non-financial surprises. But it is fair to say that all of them could be traced to a bank culture that was not sufficiently alive to the measurement and management of risks of all sorts.”

“As we saw in the Credit Suisse case, a series of things you might think of as conduct-related ultimately undermined wider market trust and confidence. At the end, you had what, even a couple of weeks previously, had been a very well-capitalized bank hit by a collapsing confidence in the wider market.”

“Credit Suisse's prudential benchmarks were hit time and again by things like mis-investment and customer fraud, which led to a collapse in customer confidence and a very unfortunate outcome.”

“We have seen plenty of firms that showed very healthy capital and liquidity ratios, low non-performing assets, sometimes even decent profitability, before entering into very disruptive crises. The spring 2023 turmoil provides plenty of examples.”

“The banking-sector failures in the first half of 2023 are dramatic examples of the consequences of lax governance and poor risk cultures. Banks’ boards and senior management failed to assess and manage risks adequately, and banks did not have effective internal controls and risk management systems in place.”

“The international consensus of various reports into the events of March 2023 was clear: ‘the first and most important source of financial and operational resilience comes from banks’ own risk management practices and governance arrangements’ and ‘poor risk culture’ was a key factor.”

“The point about Credit Suisse is that the problem cases were real; they were amplified, sentiment shifted, and the bank's main customers lost confidence. That has real financial consequences.”

“The 2023 banking turmoil illustrated that liquidity stress episodes often stem from structural vulnerabilities in banks, such as weaknesses in governance, business models, and internal controls. Identifying and addressing these vulnerabilities should be a primary objective of regular supervisory reviews and evaluations.”

“When we talk about culture, attention often goes to customer interactions — conduct. Conduct supervisors find it easier to pursue culture because the link is visible. 

But the prudential side is putting increasing emphasis on risk culture too. Think back to March 2023. If a bank sees an increasingly concentrated deposit structure, shouldn’t that be a concern? On the prudential side, you need proper liquidity risk management; with a highly concentrated deposit base, you need to watch for runs against that.

During that fateful weekend in April 2023, Credit Suisse’s capital adequacy ratio was healthy — no solvency issue. It was liquidity: deposit drainage. If you look at what brought down banks over the past 30-40 years, most cases were liquidity problems. Liquidity brings down banks. Why is liquidity so relevant? Because it hinges on trust. People keep money in a bank when they believe it’s run properly. Trust is difficult to build and easy to shatter. A risk item so dependent on perceptions is inherently unstable; you need large comfort margins. Conduct issues are highly visible and can damage trust quickly — so they link to liquidity and prudential concerns.”

“There is a fundamental question for some banks of whether they are in the right businesses given their resources and competitive strengths. Will they be constantly reaching for results which they can’t sensibly and safely reach, because the business model isn't realistic and sustainable?

If a bank’s ambition is wrong-sized for the strengths that the bank has, that’s when you then see people getting into all sorts of cultural troubles. 

Silicon Valley Bank is a classic example of that. What was the bank trying to do? What were its capabilities to identify and manage the risks of its business model? There was a mismatch between SVB’s ambition, capabilities, and governance and the net result was a cultural failure to acknowledge and manage risks, leading to a massive blow-up.”

“Given how very basic (and so, historically, well understood) SVB’s vulnerabilities were, it suggests the executive faced little challenge at the board, or that any meaningful challenge was swept aside or deflected.

If, contrary to my assumption, no one on the board did understand the now obvious vulnerabilities, there is the question of whether board members had pressed for a risk oversight process that would flush out the risks behind strong headline returns. And, if not, there is the still more-basic question of whether the board had a tolerably decent process for identifying and filling gaps in its own expertise. 

Hence, operational risks can run through a board itself. Shareholders, and their agents, with checklists and so on, might not get that.”

“If you look at Credit Suisse and ask, why was it constantly falling into disrepute? It's because there were questions about the sustainability of its business model given its size and ambition. 

The business model didn’t align with the firm’s capabilities. And therefore, across the firm, people were reaching for more risk than they could responsibly manage.”

“The 2023 banking turmoil highlighted the critical importance of integrating robust risk culture and governance into compensation frameworks in order to mitigate financial misconduct and to ensure sustainable business practices. Among other things, the banking turmoil revealed shortcomings in compensation practices, including the use of compensation tools. 

The bank failures of 2023 underscored the role of Boards and Senior Management in linking incentive structures to prudent risk metrics. Several postmortem reports have identified fundamental failures in risk management and oversight, including a lack of robust and prudent risk metrics, as root causes of the 2023 bank failures. 

Compensation at these banks was often tied to short-term financial profits and returns, exacerbating vulnerabilities, leading to misconduct and issues in managing non-financial risks.”

“I do think that part of the reason supervisors were unprepared for [SVB’s collapse] was a result of supervisory culture. In my view, the Fed’s supervisory culture is not adequately focused, and lacks the right prioritization of attention.”

“It is noteworthy that when Michael S. Barr produced a report on the failure of the Silicon Valley Bank, he called out failures in SVB’s 3LoD system but had much less to say about how to change the Fed’s own 3LoD system. 

Similarly, the Swiss Financial Market Supervisory Authority’s (‘Finma’) report on ‘Lessons Learned from the Credit Suisse Crisis’ covers deficiencies in Credit Suisse’s 3LoD system quite extensively, but does not suggest how Finma’s own 3LoD system could be improved.”

“The supervisory culture and supervisory practices that surrounded Silicon Valley Bank failed completely in identifying, escalating, and rectifying poor culture, governance, and risk practices in the bank. That was a supervisory culture problem just as much as it was a bank culture problem.”

“Supervisors can seek to work through boards and management to change culture. But this will take a long time. In the short- to medium-term, supervisors should focus on diagnosing problems well, and then increasing the financial resilience of firms with obvious problems through higher capital requirements.

Enforcement has a place, where firms deliberately break regulations or persistently fail to address threats to safety and soundness effectively. But enforcement actions alone will not change a firm’s culture. That can only happen through consistent action from the board and senior management, and even that might not work.

Credit Suisse shows how difficult changing culture is. Since the 1970s, the firm had consistent patterns of behavior in which excessive risk-taking and sometimes morality was ignored, provided that a business was apparently profitable. It also had a siloed culture in which businesses focused on, and were rewarded for, their own revenue and did not seem to care about what was happening elsewhere in the group.”

“[Events of the 2023 Turmoil] once again underlined the importance of effective supervision and the need for authorities to engage in credible and sceptical conversation with an institution’s board and senior management on the institution’s business strategy and effectiveness of its risk governance.”

2.1.2b Participants discussed the outcomes of the COVID-19 pandemic and the impacts of increased remote working environments on culture supervision.

“I define culture as the norms that drive people’s behaviors. They’re often unwritten rules. That’s one of the big issues with working from home. How do you get inculcated with a firm’s culture if you’re remote all the time?”

“Fostering sound organizational culture has also increased in complexity. Under the current remote hybrid work arrangements, which some organizations are going to extend indefinitely, it is harder for managers to model the desired codes of ethical behavior, corporate values, codes of conduct. It is also challenging to onboard new employees into organizational culture when they spend limited face time with their peers and with their supervisors. 

The long-term adverse impact of remote working on an organization's culture, team dynamic, creativity and overall ability to innovate bears close watching. So firms and supervisors must stay keen, be aware of some of these challenges as they try to strengthen organizational culture.”

“[G]iven some of the lessons learned from [pandemic] WFH experiences, it would be worth exploring more to understand what parts of the supervisory process worked well in a remote setting and which parts were less effective.

As a start, where firms already had an established relationship with their exam teams, including a regular cadence of interactions, that foundation was critical in ensuring an ongoing productive dialogue, even when those conversations moved to an entirely virtual setting. Establishing and maintaining trust, which is foundational in the supervisory context, is very difficult in an entirely virtual environment — and even more so when you’ve never met the other person live.

Also, there are things that are missed in an entirely virtual environment — like the cues in meetings that you don’t pick up in the gallery view, the pre-meeting ‘get to know you’ portion of the engagement, body language that sometimes reveals other things (like, discomfort with the information being conveyed, or lack of understanding of the answers provided). These ‘misses’ go both ways in the supervisory relationship and often can be picked up and remedied more quickly in a live setting.

We need to consider whether culture was robust or resilient to the changes driven by the pandemic, including the changes in how, where, and when we worked. And how ‘speaking up’ and ‘say something when you see something’ works in a virtual environment. How does challenge, or ‘speaking up,’ work when you aren’t in person? I’m not sure we have an adequate understanding of such risk management issues as yet.”

2.2 – The Anatomy of Structured Discretion

2.2.1 – How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“All institutions have cultures. Culture comes from history and leadership. Sometimes you need to reinforce it. Sometimes you need to change it to achieve different outcomes. 

Culture risk, as we see it, has two parts. First, the board or senior management might define the wrong culture — one that doesn’t align with the institution’s goals. They misdirect the organization. Second, they might define a good culture, but fail to pursue it properly. They let it drift. They fail to embed it. 

So boards, in our view, need to find ways to assure that culture is aligned and sustained. We don’t supervise for outcomes — we supervise for process. Are you overtly thinking about culture? Have you reflected on how your values support your mission? Have you reviewed this more than once in the last decade? Are you checking annually — maybe even quarterly — how well the organization is living those values? 

If boards are doing that, and taking steps to measure it, regulators shouldn’t give them grief. The risk again is, if we push beyond that — we become overreaching. We diminish our supervisory legitimacy.”

“If the last decade of bank supervision was about designing rules that lead to more resilient bank balance sheets, the next will be about designing supervisory tools and strategies that lead to more resilient bank cultures. 

And the goal in the decade ahead must be for banks to improve their risk culture and operational resilience by at least the same margin as they have improved their financial resilience in the decade past.”

“Think of supervision as a feedback mechanism. Banks, left to market forces alone, will sometimes drift into unsafe/unsound practices. Supervisors provide corrective feedback.”

“In practice, culture is how governance is made real. 

Firms exhibiting poor culture aren’t necessarily the ones with formal governance deficits. Supervisors like a formal framework that you can check or audit against — ‘to what extent are you compliant?’ — but the ‘software’ aspect of culture doesn’t lend itself to that kind of supervision or auditability. That’s what makes it tricky. 

Culture has historic aspects, moves slowly, and is driven by leadership which brings you close to governance. I consider fit and proper assessments as part of effective governance, for example. That’s heavily regulated, telling you what kinds of people are appropriate for positions or combinations of people appropriate for a corporate body. And that’s where culture starts.”

“I’ve seen situations where changes in a few key positions can really change the operations and performance of a supervised institution. So I think there is clearly a lever that we can use. We take our fit and proper test very seriously.”

“So why have regulatory reforms to date failed to prevent governance failures?

One possible explanation is that supervisors and regulators have been too focused on technical measures, such as capital requirements and risk management practices. Capital, liquidity, and related standards are essential to a stable financial system. Compliance and risk management processes are necessary but not sufficient.

Values and culture are keystones of governance as they drive behaviours of people throughout the organisation and the ultimate effectiveness of its governance arrangements. Governance is not a fixed set of guidelines and procedures. Rather it is about behaviours and ongoing processes by which decisions are made. A focus on right behaviours would mean a shift from the focus on structures and procedures to organisational culture and values that drive behaviours.

Supervisory approaches that focus primarily on compliance and do not give proper weight to culture and governance cannot keep pace with changes in finance. Supervisors need to broaden their perspectives to include strategy, people and culture and need to understand how desired cultures can best be supported and reinforced.”

“Regulators should set the expectations. Regulators should say, ‘Here's what we require. We will leave it largely to you as to how you get there, except for some major staging posts such as you must have a proper risk management framework, you must have a proper compliance framework,’ but leave it to the institution as to just what that looks like. And then if they don't get that right, if the behavior is wrong and something happens, well, we hold them accountable. 

So I think it's right for regulators to set the broad expectations and requirements for governance. To illustrate the point, I think it's right to say institutions need to have the right compliance framework, but I don't think the regulator should be saying, ‘And that means you must have X number of compliance officers, and you must have this hierarchy.’ I don't think regulators should do that, and I think it's a mistake to do that. So, I'm much more in favor of a principles-based approach there, which puts the onus on the industry to then manage the structures to get to the right end.”

“I see the role of the supervisor here as providing input into the bilateral discussions with the firm's senior management, where you're trying to inform and improve the firm's own risk management framework.”

“If we see the same thing happening repeatedly within one firm, where it's not just one advisor but a whole lot of them, we would then look further up the chain. We would prosecute the company as a whole for enabling a culture where the individual advisors were not properly supervised.

There's a culture of willful ignorance about what's going on. So when you've got a poor culture, you probably have to start at the top and see whether the board and management are actually the issue enabling everything else. 

Who you appoint as a CEO and what your values are — those are pretty good tools. Upholding the company's values and using them as a basis for sacking someone is a good thing. It says, ‘Look, what you're doing may not be illegal, but it's not consistent with our values as a company.’

At one point, APRA and ASIC had people observing boards and their dynamics because they went to boards where the directors said nothing; it was just the CEO and the chair dominating.

The problem, as I’d summarize it, is that often it's not a whole lot of ‘bad Indians’, but the ‘chief.’ It's the tree that's the problem, not a few bad apples. We realized that was what culture was; it was driving poor conduct.”

“You have to start with facts. Complaints, arbitrations, disciplinary records — these are imperfect data but predictive. FINRA tried to quantify them at both the individual and firm level. It’s not about declaring someone a ‘bad person,’ but about recognizing patterns. Firms also need to be honest in hiring. Too often, they ignore warning signs. Regulators should focus on whether firms are systematically overlooking facts that suggest control problems.”

“I think there's a real difference in conduct supervision between what you define as a bad culture or one likely to lead to misconduct, which may be intended or unintended. If misconduct is unintended, for example through lack of appropriate investment or capability, it can be understood as much through dialogue and conversation, as through analytics and metrics.

After analyzing the firm's finances and macro environment, engage in dialogue at the governance level: ‘Talk to us about your strategy. What are you trying to achieve?’ It's about asking key questions: ‘How will this serve your customers better? How do you know that? What will your approach to managing the risks and your assurance be?’ Finally, it's about getting into the practicalities: don't just tell us it'll be fine; show us.

We need to get deeper into the firm to see what's happening in practice, how they're testing, and how controls are ultimately working. We talk about leading and lagging indicators of risk and how often they are monitored. 

Then, of course, you have ‘bad actors’ — people genuinely trying to rip off customers. Ultimately, we try to prevent such firms from entering the market in the first place. But supervision also means finding those already in the market and ensuring they're either removed or understand that such a business model won't be tolerated within our regime.”

“I favor a two-track approach: introducing sensible rules that seek to prohibit/restrain excessive risk taking or behavior that would jeopardize the interests of the customers, alongside efforts that cultivate the appropriate cultural values within the bank from top down.”

“On the prudential side, MAS ran its annual comprehensive risk assessment of financial institutions — what we called the ‘CRAFT’ assessment. We’d engage boards with supervisory ratings across AML, conduct, risk management, capital, and so on.

Peer institutions often produced different ratings. Why did some fare better or worse than others? Was there a link to the incidence of enforcement? Not always directly — but the propensity to ‘do the wrong thing’ seemed more likely in some places. 

So we asked: what distinguishes a ‘good’ from a ‘not-so-good’ bank? Leadership? Vertical communication? That led us to culture — the organization’s attitudes toward risk, misconduct, fraud, and whether managers pursue KPIs at the expense of other priorities. All the conduct related issues — balanced scorecards, incentives — were attempts to shape behavior and steer culture at both management and working levels. 

Looking back, we were trying to pin what we couldn’t otherwise explain on ‘poor culture,’ without fully defining it. Still, we decided supervisors should engage bank boards on our sense of their culture and risk culture. We had an internal document on supervising for culture — but theory and practice diverge.”

2.2.1b Participants argue that focusing on the cultural proclivities that underpin or undermine risk and control environments (“risk culture”) can bring structure to supervisory judgment.

“Very few significant prudential or conduct failures do not have some root cause in patterns of behavior.”

“A serious think-piece on this topic would, in my view, need three elements: 

First, how supervisors assess the tone that’s set at the top of a firm — what tools they have to assess it, and how leadership prioritizes risk management (prudential and conduct) versus commercial objectives. 

Second, what tools supervisors have to assess how well that tone flows through the organization. If you speak to someone in middle management or a non-management role versus the C-suite, are you hearing consistent overarching themes and priorities, especially around risk versus commercial goals?

And third, through what mechanisms can supervisors compare one firm’s culture with that of its peer group? In supervision, we’re often looking for outliers. If a firm’s culture is an outlier in some way, that’s an important supervisory signal.

So: tone from the top, diffusion through the organization, and peer comparison. A framework that enables supervisors to do those three things — assess tone, assess diffusion, and compare across peers — would have value.”

“Financial sector supervisors are in the business of strengthening safety and soundness and fair treatment of customers in our regulated institutions. Increasingly, it is recognized that fostering strong organizational culture within regulated institutions can help us to do that well.”

“As supervisors, we’re interested when culture becomes risky. Private sector firms have a profit motive and entrepreneurial culture — that’s not usually our concern. The question is: when you have too much of an entrepreneurial culture, how does that affect risk outcomes? So we talk about risk culture and subsume what’s interesting to us under it. 

I’d define risk culture as those aspects of an organization that influence the decisions which transform the same inputs — same business model, same conditions — into different risk or risk reward outcomes. You can have the same inputs and people, but behavior changes with the environment: what’s expected and accepted differs.”

“Our surveillance people were seeing this sort of behavior out in the field and saying, ‘Look, it is a culture. They don't really have a culture of compliance with the law.’ This is what the courts recognize; if you fail to have a system of checks and compliance that results in the law being broken, they consider that to be a culture of non-compliance.”

2.2.1c Other participants note that culture drives impact well beyond risk and control functions, and that it therefore requires supervisory attention for these reasons as well.

“From the perspective of a prudential supervisor, ‘risk culture’ (i.e., attitudes towards and behaviours around risk management) is the most common concern. 

But it is striking to what extent problematic behaviours differ across firms and some cases are not specifically about risk management. For example, behavioural problems stemming from a dominant CEO or an apparently successful firm suffering from hubris go wider. 

In general, I think prudential supervisors should be concerned about any patterns of behavior that could threaten the safety and soundness of the firm. 

And there is a very wide range of possibilities — you could argue that each case is unique. This is why it is unhelpful for supervisors to label a risk as ‘poor risk culture’ without being very clear about the specific attitudes and behaviours.”

“I think it is broader than risk culture. You can deal with risk culture much easier than with culture as a broad aspect. And as a supervisor, you cannot really set detailed requirements for how a bank’s culture should be. You can have a kind of minimum requirement — that people are listened to, that things are documented. These are general behavioural patterns. But to create an ideal culture and ask every bank in Europe to shape its own culture according to that ideal is not possible and not preferable either.”

“I’m keenly aware that the most important aspect of a high-performing firm is its culture, and that building and maintaining a strong culture focused on making a fair long-term profit is probably the single most important task of a financial firm’s leadership.

It is also, though, a very difficult task to make culture analyzable, measurable, and replicable — which makes it very hard to supervise. The challenge for bank examiners is how to assess a firm’s culture, and a management team’s work in fostering that culture, in a way that doesn’t simply devolve into vague, subjective, personal preferences — which are as likely to be wrong as right.”

“In order to ensure that you have the right culture, you need to positively create it. You need to be proactive in building the right culture. You can't just do nothing. And the obligation to ensure that you have integrity as your cornerstone within the framework of your enterprise is exactly that — an activity, not a pious expression. It's hardwiring something that you then have to demonstrate to your own satisfaction as well as to the satisfaction of the Regulator if they come knocking on the door.”

“Culture is clearly a part of management. You can shape a risk-averse culture or a risk-seeking one. Economists usually interpret culture as a shorthand for incentives: what behaviors are rewarded or discouraged, what risks are addressed or ignored. So, in that sense, yes — if culture is shorthand for the incentive structures that drive behavior at the firm, then it’s absolutely important. 

Think about the ‘M’ in CAMELS: management quality. That rating tends to be very high-level. It would be far better to have something more concrete. Culture could certainly be a part of that.”

“Different firms will have different cultures. It’s critical to know what culture you have — and want to have — and to design how you work around that. Also, it is important to know your employees and prospective employees and to develop an informed sense of how they work with and react to changes in their day-to-day work environment. Who do we want to recruit, going forward? We need to be deliberate about setting our work environments and about our expectations for how people will work within a firm.”

“The definition of culture is almost as simple as ‘the way things get done,’ whether it's written or unwritten. The lawyers add the phrase ‘culture of compliance’ because the first level of culture is that you've got to comply with the law. The next level is a culture that's compliant with the company's values. So you almost have two concepts: the minimum is complying with the law, and the second is complying with your values as a company. 

Lawyers will often talk about a ‘culture of compliance’ or a ‘culture of risk management,’ whereas others may talk about a culture of making sure that what they say is what they do.”

“Risk culture, like organizational culture, is usually the aspirational side. It's about who we want to be and how we want our people to behave. Risk culture is part of your organizational culture, and there's no big distinction between them. It's simply a way of zooming in on day-to-day risk management behavior.

As a regulator, you should ask institutions to think about their culture — who they want to be. But at the same time, you, as a regulator or as a risk function within an organization, also need to understand the behavioral risks. The distinction I always make is between the aspirational culture you want to have and the reality of the issues you're working on. 

Is the term ‘risk culture’ helpful? No, I think people find it confusing. ‘Behavioral risk’ is becoming more common, but people are not always familiar with it. The aspirational side of culture provides an escape for people to avoid talking about the real issues. I'm generalizing, but HR loves to talk about the aspirational side of culture, and they're allergic to anything that has to do with risk. 

However, for people in the risk function, which is a harder business to discuss, they're much more comfortable talking about risk. In that context, the language and perspective of behavioral risk are incredibly important.”

“What we wanted to do [at the regulator] was to get institutions to take responsibility. They're the frontline, and they take responsibility. We would say, ‘This is the base, and then you go and decide what you need for yourself. But this is the base, and it's a base, not the maximum.’

That's how we started looking at how management and the board looked at this, and that is how I would define culture. How do they self-reflect and think about the risks and profiles of their company? How do they mitigate and navigate those risks? How do they look forward? How do they take advantage of some of these challenges and then move ahead? All of that is culture.”

2.2.2 – How is supervision made more challenging by a reliance on judgment?

2.2.2a Many participants describe challenges with engaging management teams and boards on questions related to culture risk supervision.

“The most difficult aspect for me is the dialogue with the firm. This is an area where supervisors are expressing their judgment, but often lack hard evidence to substantiate their views. 

If the supervisory assessment resonates with the board and senior management, then the firm takes ownership of the cultural issues and shortcomings can be remediated — often also with changes in key people. But if the firm does not recognize itself in the picture painted by the supervisors, then it is very painful for the supervisor to promote the necessary change.”

“I think supervision is too often about process, like, ‘You didn't include that file in this report.’ I remember when I was a bank examiner very, very early in my career for the state of Massachusetts. Literally, examinations where you went in, looked at the mortgage, and saw if they had all the required paperwork in the mortgage file. But no one was actually driving out to look at the house to see if the valuation was consistent with the mortgage.”

“Supervisors look to the board, as the highest governance authority, to do the controlling. But in reality, many boards are unable to monitor this closely or influence behavior to align with what the board has aspired to.”

“Culture is so difficult to deal with because, essentially, when you talk to bankers, it’s passing judgment on individuals. You can have all three lines of defense in place, AI, and many other things, but eventually you have to pass judgment on individuals: do I trust them, do I think they understand what they’re doing?”

2.2.2b Other participants point out that reliance on insufficiently structured supervisory judgment can lead to inaction or delay.

“Supervisors must have sufficient discretion to act when necessary, and this requires a robust legal foundation — particularly as banks are likely to push back against such interventions. That said, discretion must be carefully balanced with objective criteria, like quantitative reference points or specific indicators, which act as triggers for deeper scrutiny when certain thresholds are reached.

I strongly advocate for a framework that includes both public and internal triggers to guide early intervention. Public triggers serve as transparent benchmarks. Internal triggers work to detect vulnerabilities early and prompt action before they become visible externally. These internal mechanisms are vital for protecting trust, allowing institutions to address issues discreetly and proactively. 

Acting behind the scenes and ahead of time helps prevent situations from escalating into public crises, avoiding the loss of confidence and reputational harm that often result from delayed or reactive responses.”

“For many issues, if a company says, ‘We just don't recognize what you're talking about,’ you are stuck as a supervisor. Supervisors are sometimes unwilling to recognize those issues because they're afraid of the dead end.”

“Ex-post reviews of crises and periods of turmoil since 2008 have inevitably raised questions about whether supervisors did enough, and quickly enough. While hindsight is a wonderful thing, rarely has it been concluded that supervisors didn’t have enough information, or sufficient powers, to identify problems. Rather, supervisory inaction, or insufficient action, has often been called out. And yet steps to tackle this issue head-on remain, at best, piecemeal and largely left to domestic supervisors to pursue individually.

Because good supervision is forward-looking, it must involve a degree of judgement applied (judiciously and proportionately) in a proactive manner. It’s therefore often rightly said that supervision is more art than science. 

Good supervision isn’t mechanistic — it requires a blend of experience, intuition, foresight, a degree of scepticism, and a healthy dose of courage, to be effective. A supervisor obviously needs the requisite analytical tools to identify potential vulnerabilities, but identification without action achieves little.”

“At worst, it becomes superficial. And supervisors might lack confidence — numbers like capital and liquidity are easier. Making these judgments — especially under strong pushback, with the risk you’re wrong — means going out on a limb. That’s hard. 

It also feels more personal for bank management to be told they’ve got behavioral problems. It’s easier when something goes wrong and you can track back to root cause. But when things are going well — which is often when behavioral issues become biggest — it’s very hard for supervisors to challenge. You see teams believing their own hype, ‘we can do no wrong,’ translating into more aggressive risk appetite. 

Ideally, supervisors would intervene early; in reality, that’s hard. That’s part of the problem — supervisors doubt their own judgments: who are we to make them? 

That’s the problem with forward-looking, judgment-based supervision. Beyond prodding bank executives to be more self-aware, it can be hard for supervisors to act in the absence of a crystalized risk.

So you either persuade the top of the bank to act — which requires compelling evidence — or you increase capital — which also requires compelling evidence, especially now, with stronger political pushback steered by industry. It’s very difficult to justify higher capital based on anything less than hard evidence — certainly not just ‘culture judgment.’ 

It may be that you have to wait for a problem to crystallize before you can act. It’s not how it’s supposed to work, and you hope for a small crystallization rather than a terminal one. A small heart attack, maybe.”

2.2.2c Participants discussed how a lack of trust between supervisory bodies and the firms they oversee can be detrimental.

“There's often no interaction between the regulator and the industry outside of the inspection, when you've both got your armor on and are ready to do battle. That is a problem.”

“It requires a huge element of trust between the supervisor and the supervised. If you don't have that trust — that you're not on the verge of an escalation to an enforcement process — you will never be able to have this conversation and get the improvement in the risk system.”

“If I may say, we're always hitting them with black marks. You should get some brownie points if you've gone above and beyond the regulatory minimum and have shown self-awareness in your company. Even if it's just a pat on the back or you tell the board, ‘Your management voluntarily did this.’ We don't do enough of that. We go out there with a stick all the time.”

“There needs to be a degree of trust between the respective parties if the regulator/regulated relationship is to operate in a constructive manner. Regulators need to have trust that industry participants will provide them with information, and engage with them more broadly, in an open manner. Industry participants should always expect to be held accountable for their shortcomings and mistakes, but be able to trust that any response will be proportionate. 

That means one major challenge for a regulator — and it is particularly critical for prudential supervisors — is to strike the right balance between a constructive relationship with industry participants, and enforcement. The right balance is neither at one end of the spectrum nor the other.

A regulator focused entirely on preserving its relationships with industry participants will not be effective in deterring poor risk management or bad behaviour, and inevitably be perceived as weak. At the other end of the spectrum, a regulator that demands 'heads on pikes' and a public shaming for any shortcoming or mistake within a financial firm will fail to gain trust and respect from those it regulates. Indeed, it will likely end up promoting a secretive, 'catch me if you can' culture within firms.

The key to finding the right balance is a careful calibration of the regulatory response function. Firms will expect to be sanctioned if they have done the wrong thing. But they also need to see there are differences, for example, in the severity of response to issues that the firm has identified and rectified (including customer compensation if warranted) through its own risk management, control testing and audit activities, versus the response if the firm was unaware of the issue and it had to be alerted to it by the regulator itself. Regulators should certainly be tough, but they can still maintain constructive relationships if they seek to be fair and proportionate as well.”

“One of the significant issues we see today is that supervision has become so prescriptive that, in some ways, it feels as if regulators are actually running the institutions themselves. 

That’s not how it should work. The role of supervision should be to establish guardrails — not to dictate operations to the extent that firms no longer have the flexibility to make their own risk-based decisions. When oversight becomes overly rigid or bureaucratic, it can stifle the very innovation and dynamism that financial firms need to operate effectively and serve their customers.”

“I’ve seen organizations where committees are created to ‘oversee’ a function that’s underperforming, but then the committee undermines individual accountability. Sometimes you create the committee because the individual is failing, and you won’t deal with it. 

Government adds another dynamic: historically, government jobs have been treated as a property right of sorts — it’s difficult to remove people in government jobs, even when their performance is demonstrably inadequate. 

That breeds risk-aversion: the surest way to lose your ‘property’ is to take a risk and get it wrong. So inaction becomes the safest choice — especially in licensing, bank M&A, or anytime someone asks for a decision. ‘No response’ is common. 

But inaction compounds risk; deferring decisions does not eliminate risk, it builds it. These are incentives problems, not ‘bad people.’ The incentives produce a culture that struggles to act with speed and clarity. Some of this is changing, but the legacy mindset is real.”

2.2.3 – How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?

2.2.3a Participants describe effective supervisory culture as both forward-looking and supportive of necessarily bold decision-making amidst unavoidable uncertainties.

“Over my career, I learned to mind the clear line between conduct supervision, or the fair treatment of consumers, and prudential supervision, or financial safety and soundness. Finally, for most of my career, I could define what a bank was, and what it was not, and by extension, what my responsibilities as a bank supervisor were. 

Each of these bright lines seems to be rapidly disappearing. Banks and banking are increasingly diverging. Conduct and prudential risks, on the other hand, are increasingly converging. Combined, these trends mean that the legislated mandates given to many supervisors can leave them ill equipped to be a good referee or to meet public expectations.

This evolving landscape requires us to think differently about the job of bank supervision. More forward-looking supervision and a greater willingness to use judgement and to act without perfect information will need to replace the dominant focus on rules and standards.”

“In supervisory authorities the culture problem is often risk aversion, not excess risk appetite. I’ve never met a supervisor ‘taking too much risk.’

A key cultural attribute I’ve sought to encourage is boldness. Many career supervisors want to be bold but aren’t always led in a manner that allows them to be bold. Giving people permission to be bold, and then demonstrating through a few decisions that boldness makes us more effective, created a step-change for our organization. Our decision processes and legal basis for action were the same, but the biggest change came through shifts in our culture. 

Some changes can be made quickly because they’re synchronous with how people think and the mandate: e.g., getting supervisors to be bolder can be done quickly. Asking supervisors with a tendency toward form over substance to become faster and more pragmatic is slower.”

“Risk management and business strategy are, and must remain, the responsibility of the banks themselves. However, supervisors must be prepared to step in decisively when failures occur. The real challenge lies in striking the right balance — holding banks accountable for their governance and decision-making while ensuring that supervisors have the authority and tools necessary to intervene effectively when the stability of the system is at risk.”

“When you move into risk-based supervision, you become responsible for taking a stand: Do I trust these people or not? Do I have a sense that these board members actually don’t know what they’re doing because of their background, or do they have the professional background to understand what is going on?”

“Getting the right culture in a supervisory organization is truly top of our mind. If you read the post-mortems of bank failures, there's typically an important element of inertia — of insufficient willingness to act by supervisors. And I think that's a theme that, at least in my day-to-day activity as a supervisor, I give a lot of attention to.

Although I believe that in general you can achieve a lot in banking supervision with moral suasion and with setting the right capital requirements, in some cases you need stronger measures, like instructions and fines. And I think that may be difficult for banking supervisors because of the close relationship with the supervised entity. 

The real complexity lies not just in increasing the overall level of willingness to act among supervisors, but in ensuring it's applied correctly in each situation. I've seen cases where rank-and-file supervisors were overzealous, being very strong on what I viewed as minor issues or mere formalities. So, the true complexity is getting boldness higher on the right issues.

This makes it difficult to give the right signal to staff. It's easy to get this wrong because a simple instruction like, 'You need to be bolder,' might backfire, leading them to focus on the wrong problems. This is the real complexity of this matter. What's important here, obviously, is why supervisors don't dare to act. One reason is that the outcome might be very uncertain. The supervisory case may end up in court, and the supervisor may lose the legal case.”

“I lived through the pre-2008 approach and have watched the post-Crisis shift in supervision. To over-generalize, the post-2008 supervisory culture has been in a defensive posture. 

We’ve tried to focus on everything for fear of missing anything — and by doing that, we often focus on nothing.

We have limited resources — time, attention, exam teams — yet we’ve sometimes lacked the confidence to concentrate on what actually matters, the wisdom to know the difference between what matters and what doesn’t, and the self-restraint to avoid distracting management and boards with the things that don’t matter.

The result: our message gets lost, and I’m not sure we always know what truly matters because we’re busy covering ourselves. I’ve heard repeatedly, even in my short time here, that examiners are afraid of being criticized for missing something, so the process becomes an exercise in ‘CYA.’ That’s a cultural shortcoming. You saw elements of that in SVB supervision — lack of focus, hesitation to decide, to escalate — though that shades into governance, too. 

There’s also an extremely low risk tolerance among regulators. No one wants to be wrong, and somewhere along the way the public came to believe supervision should prevent all bank failures — which is neither the law nor realistic. We must restore confidence in teams to focus on the few things that matter and back them when they do.”

2.2.3b Participants described how establishing effective risk governance structures within supervisory agencies is important to supporting reliable supervisory judgment.

“Strong governance in a regulator requires speaking truth to power. Without it, first culture and then performance will suffer.”

“The analysis that there wasn't enough judgment being applied prior to 2008 was correct. But what has sometimes been lacking — both before and after 2008 — has been a framework to ensure that there is a tailored programme of supervisory activity and a set of time-bound outcomes that can be overseen within a three-lines-of-defense model.

You see that problem with both Credit Suisse and Silicon Valley Bank, where important issues were identified but either they were not escalated or they were escalated but then remediation was allowed to drift for unacceptable periods of time. 

Supervisory culture issues can be more acute in areas where there is no binding international standard forcing action, such as interest rate risk in the banking book. 

That’s what crystallized with Silicon Valley Bank and in the absence of a binding standard, the supervisors lacked the confidence to drive prompt remediation. Judgement-based supervision is all very well but there need to be adequate checks and balances.”

“We need a return to common sense. And that starts with taking responsibility. Finger-pointing doesn’t fix problems. Regulators, supervisors, policymakers, everyone involved in the process — must own the outcomes of their decisions.

If something fails, the response shouldn’t be to pass the blame. It should be, ‘This is my responsibility, and it’s on me to fix it.’ That kind of accountability is critical because we are dealing with major issues that impact financial stability, economic opportunity, and ultimately, the health of our society. 

I believe we can solve these problems, but we have to be willing to put in the work. Frankly, I think we’ve all gotten a little lazy. Society is demanding more of us now than it did in the past, and that’s not a bad thing. It should demand more. 

Our responsibilities are greater and, if we don’t step up to meet them, we won’t be able to maintain the kind of healthy, functioning financial system — and broader society — that we need.”

“One of the most difficult things in regulatory organizations is prioritization. While we try to truly let go of things that aren't important, you never know — even smaller issues may ultimately blow up. Something that appeared minor at the time and was deprioritized may at a later point in time become an important issue. 

Then we mustn't start a blame game. I think that's a crucial cultural issue where it also requires us, as leadership, to back people when they, for example, prioritize their supervisory activities.”

“In our case, as you probably know, we have the Supervisory Review and Evaluation Process (SREP). This is our fundamental methodology for dealing with the banks that we supervise. 

It looks at all the core elements of what you would want to look at in a bank: its business model, its governance and risk management, its credit risk, its liquidity risk, et cetera. We have an internal methodology so that all of our supervisors understand how to undertake that process. We explain that process to the banks, and then on an annual basis we go through that process. It's also guided though by many other things. 

We have a very detailed inspection process that we can go through. We have findings and measures. We have all of these things, I suppose, which are really tangible things to inform our thinking. 

In the end, you have to put all of that information together and decide in some way what it tells you about that bank. And that's the role of judgment in the end. What do we really think? All of those indicators, data, forms, whatever we gather, whatever engagements we have, whatever inspections we undertake, what do they actually tell us?”

“It endlessly frustrates me when people say something is really difficult, it can't be 100% consistent, you can't absolutely prove it with an equation, so we shouldn’t try to do it. If we are going to say that all regulation has to come down to a 100% quantitative metric, then we will measure a few things, but they may not be the right things. 

The counter to the argument that we need to focus on this culture issue is, well, everyone should just give up. And I don't think everything we've learned so far about serious breakdowns in markets — whether they're conduct-related or tip over into a prudential problem — suggests that.”

“Coming out of the first half of 2023, the sense I had was that the pendulum had swung quite far in the direction of resilience. Now, perhaps, we need to think about it swinging back. 

As we’ve pushed for greater resilience, one of the clearest lessons has been just how well aligned shareholders are with creditors. Our job, in supervision, is to protect depositors, policyholders, and creditors. Coming out of the Financial Crisis, we often assumed there was a conflict between shareholder and creditor interests. What we’ve learned is that these interests are actually quite well aligned — except in the most extreme, near-failure situations. 

That realization is changing how we engage with boards. Boards act on behalf of shareholders, and increasingly we see that their goals are aligned with ours. That means we have to listen more closely to what they’re telling us. And while that’s true for management as well, boards have a unique position: they’re focused on long-term shareholder value — and that’s perfectly aligned with protecting creditors. 

The burden is on supervisors to recognize where the pendulum is and where it’s heading — and to act early, before our regulated institutions do. We need to propose sensible ways to reduce burden, without putting the system at risk. Give firms more degrees of freedom — to compete, to take risk — within a resilient framework. 

That’s the mindset we’re trying to adopt: to be proactive, to lead, to stay on the front foot. It’s counterintuitive — certainly counter-cultural, given the last 15 years — but that’s how you earn credibility. Regardless of where you sit, it’s your independent pursuit of your mandate that carries the day — not transient political winds. But that credibility isn’t automatic. We have to earn it.”

2.2.3c Participants highlighted how supervisory bodies are beginning to explore how their own supervisory cultures might be assessed.

“[International bodies] can develop principles, based on observation and research of what good looks like, that help guide regulators in how they approach the issue. 

The other thing you can use organizations like the OECD for is peer reviews. A country can have the OECD come in and do a peer review and assess whether the culture at companies or regulators is up to scratch. Peer reviewing is a good way of getting people to focus on how they're performing at a country level.”

“A recent FSI paper reviews supervisory practices in major jurisdictions and offers insights for timely and effective deployment of qualitative measures within robust supervisory frameworks. The paper suggests that authorities could benefit from defining their own risk appetite frameworks, which would involve clearly articulating the level of risk they are willing to accept when making risk-based decisions. Combining top-down and bottom-up approaches in risk scoping can enhance this process.”

“Regulators should be asking the same structured questions of themselves as we ask of firms: Are we forward-looking? Do we understand evolving risks? Do we hold firms accountable in ways that help them improve, not just punish them? That hasn’t classically been the expectation, but it should be.”

“Without measurement of impact over the medium to long term, the regulator cannot hold itself to account — and neither can others.”

2.3 – Proportionate Early Action

2.3.1 – How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?

2.3.1a Participants note that a lack of established culture risk governance frameworks and metrics makes enforcement and accountability more challenging.

“The more work we can do on identifying specific markers of culture the more we can also make progress in developing ways to measure advancement in those markers which is fundamental to making culture a subject of supervisory review. That’s a real challenge for the official sector. And it’s something critically important — particularly since financial institutions depend fundamentally on confidence.”

“One helpful angle would be measurable indicators of culture, beyond the ‘psychologist’s view’ of things. Most supervisors have enough case studies to know culture plays an important role in negative outcomes that didn’t need to happen. I think the supervisory community could do a great job brainstorming on indicators that surface culture problems. There are ways to get a handle on culture with indicators you can syndicate.”

“In the very early stages, it’s often as simple as saying: there’s an issue, now explain what happened. Just having senior management come before the regulator and account for themselves creates significant pressure on the leadership of the institution. From there, measures can become progressively more intrusive if the bank fails to comply — extraordinary audits, in-depth examinations, or additional onsite inspections. 

That said, you don’t want the process to be entirely automatic; there needs to be some discretion to account for the specifics of each situation. But if you allow too much discretion, you risk falling into forbearance, where nothing meaningful gets done. The balance lies in having enough flexibility to respond appropriately, without losing the resolve to act when it’s necessary.”

“How does enforcement work? Taking someone to court for their culture? Fining you for having a bad culture? How do I prove that? At each stage, it looks to supervisors like an almost insurmountable problem. 

Anyone who wants to measure culture will find that incredibly difficult. You end up trying to measure a proxy rather than the thing itself. When people measure proxies, they do things like observing meetings. If you correct the proxies, you haven't corrected the culture; you've just corrected the proxies. Using proxies is not a bad thing, provided that you benchmark against reality rather than against abstract norms. 

The big mistake I have seen is to then think that fixing the proxies is fixing the culture issue. It's like saying, ‘People aren't laughing at my jokes. That's okay, we'll order them to laugh,’ and so they'll find them funny. That is not actually solving the problem.”

“How do we know when a bank is [Too-Big-to-Manage (TBTM)], as opposed to just poorly managed? And how do we make sure we use due process and fairness in making that determination? Given the stakes involved, getting both right is vitally important. The answer to both questions lies in having a clear enforcement framework. 

A well-calibrated enforcement framework gives banks sufficient opportunities to address deficiencies. A bank’s repeated failures to do so then become, by themselves, presumptive evidence that it is at the limits of its manageability. Under such a framework, the need for simplification and divestitures at a bank is clear from management’s actions and outcomes, or lack thereof. 

Stepping back, following this enforcement framework has a number of benefits. First, it strikes a balance and is proportional. Second, it helps to ensure that regulators avoid doing too little (simply imposing a [civil money penalty]) or doing too much (jumping to breaking up a bank). And third, it adheres to due process, giving banks time and opportunities to fix their problems, while providing clear steps for escalation should a bank be unable or unwilling to implement the needed fixes in a timely manner.”

2.3.1b Participants describe various structural challenges related to enforcement and culture risk.

“There are two things you do [when there are signs of a culture problem]. One is you keep reasonably constant supervision on them. But often, it's better to be fairly blunt with the CEO and the chairman that there appears to be a problem. You tell them you're concerned about their mechanisms and that you're keeping a close eye on how they're operating.”

“The effectiveness of qualitative supervisory measures crucially depends on adequate resources, legal powers, operational independence (of the supervisory authority), and a supervisory culture that encourages early intervention when needed. 

Meeting, in particular, this latter requirement is challenging as it requires supervisory agencies to adopt a risk tolerance framework that accepts a non-zero level of policy mistakes and successful litigation against supervisory actions. 

The effectiveness of qualitative measures also hinges on the supervisory frameworks employed by prudential authorities. For instance, an external assessment commissioned by the ECB in 2023 highlighted room for improvement in the formulation, prioritization, scalability, and monitoring of qualitative supervisory measures within the European banking union. Similar observations could likely apply to supervisory frameworks in other jurisdictions.”

2.3.2 – Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2a Participants discuss different approaches and frameworks for supervising culture-driven risks and highlight relevant tradeoffs.

“We often approach incentives through a narrow lens, focusing heavily on deterrence through negative incentives, but perhaps we need to think more broadly. Should supervision be limited to punishing and criticizing, or should it also involve recognizing and rewarding good behavior? 

The deeper question is whether we truly understand what a good culture looks like in banks and financial institutions. If we do, is there a way to highlight good practices and showcase examples of what works? This could help foster a more constructive dynamic between supervisors and the institutions they oversee, ultimately contributing to a healthier financial system.”

“Frankly, I think we fudge this all the time, and we get away with it because usually we talk about culture when there's lots of evidence of problems. So you fix the things you can measure, and then the assumption is that's happened because the culture has shifted to the so-called ‘culture of compliance’. 

The harder question asked here is, ‘Well, does that mean I now have good culture? Are you now happy?’ 

I know people do board assessments for a living. You look at the way the board operates and you say, ‘Okay, you're getting good results, but are you running the board with the kind of governance I was describing earlier — in an open-minded manner, curious, with high integrity?’ And that's an assessment you can outsource, or it's an assessment the regulator itself can do. 

It may not be as scientific, but I think there's room for better science to make whatever we do or decide more transparent and replicable. People need to understand why you're doing things, why you're reaching conclusions. That's good regulation; it's fair.”

“I do think you've got more chance of impacting the culture of an organization by taking a principles-based approach. I think a more principles-based approach works because you can enforce against breaches of principle.

I think that getting out and doing proper thematic supervision gives you a good snapshot of behavior. At the DFSA, we would sometimes take enforcement action because an individual or firm breached the Regulatory Principle of Acting with Integrity.

I think that that gives you far broader scope in being able to impact the culture and behavior in the organization. You can say, ‘Our finding is that you breached the principles of integrity.’ It's not that you breached these 27 small things, and we're going to take 27 small bits of action against you, but we think that taken as a whole as an organization or as a person, you haven't acted with integrity, and that's a requirement under DFSA legislation.”

“For natural reasons, firms and policy makers often prefer hard and fast rules — for the regulated this offers the sense that ‘I complied with the rule, so I must be safe,’ while, for regulators, rules provide clear evidence that they are trying to manage a situation. But they need to be subordinate to the overall purpose the rules intend to serve. There is no point having 100% compliance if the outcome is not good or effective.”

“We must also change ourselves. Many of the regulatory tools and processes we use now remain more suitable to a compliance-led regime and we are seeking new ways to monitor good culture and conduct risk management.”

“Where a compliance-based approach necessitates a very long list of specific rules, a principles-based approach can condense these into overarching behavioural guides which are easier to integrate into day-to-day decision-making.

[O]utcomes-based regulation seeks to simply prescribe the desired outcome a regulated entity must achieve, whilst giving the entity some freedom to decide on how they will achieve it. 

As with principles-based regulation, it avoids narrow rule making where possible. It is also much better placed to facilitate a market eco-system where potential harms are reduced, as it directly requires institutions to take ownership in preventing them. 

Compliance-based regulation is easier for both banks and regulators to follow and provides a more straightforward cognitive fall-back to guide decision-making. This is particularly relevant when everyday work is demanding and long — a default for many jobs within the financial services industry. 

In contrast, outcomes-based regulation can conceptually be more challenging, requiring more flexibility, creativity and judgement, from both the institution and the regulator. But the opportunities to change banking for good, aided by conduct frameworks, are much more potent.”

“Any culture guideline should be short and grounded in high-level principles. What values drive your business model? What values support your customers, your employees, your shareholders? Are they articulated? Are they practiced? If the board and management are doing that — living those values — then we’ve got nothing to say. That’s their call. Not ours.

What we care about is that they are overtly thinking about culture. Because culture eats strategy for breakfast. It’s what drives long-term resilience. There’s a leap of faith involved. I believe that if institutions do this well, they’ll be more resilient. But that link isn’t deterministic. 

Still, it’s enough for us to say: culture matters. So we stay on our side of the line. If we start dictating which values matter most, we lose diversity of behavior — and ultimately, resilience.”

2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee.

“Supervision isn’t a simple pass/fail test; it’s an ongoing conversation. There’ll be lots of agreement and some disagreement. When we want a firm to act it may not be effective to just tell them what to do. Rather, we can explain why, and we have an informed discussion about the issue, why it matters, and how it can be addressed.

It’s rare to direct action without that dialogue, except perhaps ex-post enforcement when a rule has been breached. Day-to-day, it’s a two-way dialogue about expected standards, where the firm sits relative to them, and what to do where it sits outside our tolerance.

Supervisors’ job isn’t to eliminate risk. Risk is inherent to running any business. Our job is to understand those risks; to assess how effective firms’ mechanisms are to keep risks within their stated risk tolerances; and to ensure that if risks crystallize, they don’t create broader systemic harm. We’re here to support a sustainable banking system that supports the economy, where firms take risk responsibly — and if they get it wrong, it doesn’t cause broader harm.”

“We say we have an outcomes-based approach, and we also say we have an engagement-led approach. Engagement doesn't mean being nice or simply accepting what the firm says. It's about having the confidence to enter into a dialogue on how things can be improved, or if we believe something is wrong or have concerns, having a direct and straightforward conversation.

We're not consultants; we're not there to tell them ‘the answer’. It’s for firms to decide how best to meet expectations. But we can be alongside them as supervisors to say, 'Well, you might say that that's what you're trying to do, but we need some evidence that that's actually working in practice.'

Our engagement means actively working through the challenges with firms: 'Okay, if this is a risk, how are you tackling it? How are you going to manage and mitigate it? And how are you going to assure yourself it's actually working in practice?' 

They're not our clients. We regulate them, we supervise them. But we think we get the best results through having an open relationship with the firms that we supervise. 

This is because you can't have difficult conversations about what's gone wrong or what is really needed to move the dial from a cultural and conduct perspective if they're defensive and feel that you are out to get them.”

 

“It’s amazing how much talking past one another there is between the regulators and the bankers.

I always felt one of my comparative advantages was that early in my career, I worked at the Fed. Then I worked at JP Morgan in regulatory policy. And because I worked in both places, I could talk to the regulators and the bankers and understand both sides. 

But they often couldn’t. They literally could not understand each other. Partly because the language is different, the goals are different, the incentives are different. But I think that's another thing to focus on — to try to get to the dialogue between the regulatory community, the supervisory community, and the bankers — to improve the quality of that dialogue.”

“Supervision must escape the ‘hindsight trap’ by building forward-looking methods to assess cultural risk upstream, before failure materializes.”

“From our point of view, the culture we try to instill within our people means we come from a very purposeful place. We're a conduct regulator. We need to act with integrity and professionalism with the firms that we supervise. We're trying to make it easy for them to comply, and we're not out to get them.

We want to see good outcomes for customers; we want to see good outcomes for New Zealanders. So the culture is not to find something wrong. The culture is to enable firms to comply well and to get the right outcomes. And ultimately, my belief is that we achieve that by communicating well.”

“It's really important for the regulator to talk to the industry and to listen. 

It’s incumbent on the regulator to engage and to be approachable and be able to have someone actually speak to people. 

If a firm wants to come and speak to you, you should meet with them. You should listen to what they have to say. Some don't do that, believe it or not. There are some regulators who won't meet with the industry unless there's an actual matter that needs to be addressed. I think it's nuts to say that you're going to regulate an industry but not actually get out and about. You’ve got to engage with the market.”

“My view is that with banks where the supervisory relationship works well, where you think the supervisory system works well — it's a mindset where ultimately our long-term goals are aligned. We are in favor of successful, profitable, and healthy banks that build capital. That is the type of relationship we have with well-functioning banks. 

In good times — and the past years, I think, were relatively good times — I would describe the relationship as: the bank sees our role as positive, believing it can help them be a healthier and more successful bank. And we, in turn, can learn a lot from the bank.”

“Historically, OSFI has been built around the idea of principles-based regulation. We set out broad principles — like ensuring the banking system can absorb trade-related shocks to the Canadian economy. That’s our broad objective. And I think most regulated institutions would agree that’s a good principle. The debate, the tension, comes in how to meet it.

That debate is healthy. Maybe I think capital needs to be at 12.5%; you think 10% is sufficient. Great, let’s talk about it. We’ll show our stress tests; you’ll show your assumptions. That’s constructive. 

But, as regulators, we need to recognize that after the shock of the Global Financial Crisis, we went too far — we wanted 100% insurance. That’s aggressive, and not the right mindset for a financial sector that promotes growth and risk-taking. You don’t get 100% protection in a functioning market. 

So what’s acceptable? That’s where we have to find equilibrium. We want firms to be able to take risk and deliver returns for shareholders. At the same time, we need to be able to say that the system is resilient to shocks — and that it would take a multi-sigma event to jeopardize that. 

Our system allows for that flexibility. Some of my international counterparts can’t even get in the room with their supervised firms — because of concerns about capture or anti-competitive optics. But in Canada, we have a tradition: when the system is at risk, we set aside personal interests and focus on the collective good. That habit served us very well in 2023, and again early this year. That kind of engagement requires constant dialogue.”

2.3.2c Some participants note that data is sometimes collected, but that it may then be unclear how it can properly be used for risk assessment or enforcement.

“I think there are some legitimate issues with supervision. The supervisory process can get too down in the weeds. It can get way too complex, where the cost-benefit of the outcome is pretty low. 

Living wills are a good example. They are thousands and thousands of pages. What’s the point? Who can even take that on board?”

“I don't want to see [culture] metrics becoming just another quantitative tabulation of so-called objective parameters. Culture is hard to measure.”

“If you ask for too much information that you don't use, guess what? That information is sitting in your system. If something happens and people say, ‘Well, you had all this data and you didn't analyze it and you didn't see this coming,’ it is also a risk for the regulators.”

2.3.2d Many participants discussed how relying on post-hoc assessment of culture can lead to adverse governance outcomes.

“Often management is downgraded to ‘poor’ by bank examiners only after the symptoms of bad management have manifested in weak financial results.”

“It is nearly impossible to say, ‘The earnings are questionable, but I'm going to rate management as good because they've got a plan.’ 

Management is always treated as a trailing indicator, never a leading indicator. You could have poor management with good numbers, and you could have great management with bad numbers. But the numbers always guide the management rating, and it should not be that way. Management should guide the numbers. 

‘If the numbers are good, we're good’ is a great way of doing things until, all of a sudden, it’s not.”

“By participating in many discussions over the years related to conduct and culture, when I was a regulator, I was exposed to many international leaders at financial institutions and regulators across the globe. In my experience, there are different variations in the application of these ideas depending upon where you sit in the world, and the focus and energy that your local regulator has around this topic.

Traditionally, the focus on conduct was always after-the-fact, when issues had resulted in potential terminations and disciplinary actions, as well as regulatory actions by state, federal and self-regulatory organizations. This can be quite costly. Being more proactive, in a behaviorally predictive manner, can have the benefit of freeing financial institutions to spend their time and energy on higher-risk matters. Resources are not unlimited. 

In addition, the after-the-fact approach has not been demonstrably successful in decreasing enforcement actions. Training, coaching and getting ahead of potential trouble, when patterns of misconduct are observable, can provide a financial and reputational boost as such issues are caught, handled, reported and reviewed by the firms themselves, as opposed to receiving requests for information from regulators, hiring outside counsel, and trying to understand the underlying conduct being reviewed.”

2.4 – Institutional Memory and Accountability

2.4.1 – What steps can supervisors take to ensure that the exercise of their judgment regarding matters of culture risk governance isn’t arbitrary, and that it improves over time?

2.4.1a Participants described the importance of having mechanisms to preserve judgment, whereby earlier anticipatory assessments are tested against what actually unfolded thereafter.

“Because of our legal grounding with the ECB, we have, in many cases, formal processes called the ‘right to be heard,’ where the bank can give us feedback if they disagree with our determination. And ultimately, there is an appeals process also to the administrative board of review where we've made a legal decision if a bank disagrees with us.

And that's not unfettered judgment. You can't just decide whatever you like because it's Tuesday. It is also, I suppose, more constrained. We have internal processes, we have a second line of defense, for example, that looks at the decisions made by our supervisors and compares them. 

So, the benchmarking is not only of the banks; it's also internal about what we're doing and how we're comparing. We work on quality assurance and effectiveness to make sure that our judgments are made on a consistent basis.”

“Well, fewer firms went to the wall in 2023 than in 2008. So I’d argue that the cumulative work since the Crisis has had an effect. Boards are taking culture more seriously. 

If you provide a credible evidence base that shows you’re taking culture seriously, that goes a long way with us. We exercise judgment. We look across institutions. We know we won’t be perfect, but we build a sense of relative strength. 

Still, there’s the ex-post challenge. Something goes wrong. A firm violates its own stated cultural values. They did all the surveys, the training, and still went down a bad path. Failed to comply with laws. Took a reputational and financial hit.

At that point, we know we misjudged the effectiveness of the culture, or its actual adherence. And that requires a supervisory response. The board will have failed its shareholders.

We have to get better at identifying deficiencies and acting on them early. But you can’t control for everything. No matter how balanced or reasonable your cultural guideline is, you’re still going to see failures. The goal is to ensure they’re rare and non-systemic. 

When they do happen, you ask: did we get the regulatory approach wrong? Or did we get our supervision of this particular firm wrong? Most often, it’s the latter. It’s not acceptable, but it is correctable. You learn from it, you adapt. The big mistake is thinking, ‘We have to prevent this from ever happening again.’ That leads to overregulation. You start defining what a ‘good culture’ is. You exceed your mandate. You lose your license. That’s worse than the failure you were trying to prevent. Here’s what we’ve learned over the past two years: 

First: don’t rely on the informal. Apply the codebook. Follow your formal framework — equally and consistently. No favors because ‘you’re a good banker.’ 

Second: even if you do everything right, failures may still happen. Learn from them. Make tactical adjustments. But don’t abandon your core principle: culture belongs to the board. Our job is to ensure they take that seriously and act consistently. 

Don’t try to reduce failure probability to zero. That temptation is strong. I’ve succumbed to it, and I suspect others have, too. But you can’t go there. It’s the road to ruin.”

“Sometimes what's obvious to me isn't obvious to everybody else. You have to say why. And that is a mixture of a legal and a cultural issue, isn't it? If you've taken regulatory action, or not taken it, I think one of the things regulators struggle with — I know we do occasionally — is to be able to explain to the market and the community why we didn't take action, as opposed to why we did.”

Responses to Chapter Questions and Other Commentary

2.1 (a) With reference to the banking sector turmoil of 2023, what might be attributed to governance breakdowns, especially those related to organizational culture?

Though there are some details available from public reporting, it is questionable whether outsiders other than bank employees and supervisors have enough information to speak definitively on this question. Such reports suggest, however, that for at least one institution that failed in 2023, management of liquidity risk took insufficient account of the risk of relying on assets that, though generally liquid in nature, were accounted for as held-to-maturity, such that using them as a liquidity source would adversely affect the firm’s capital position. Rather than satisfying liquidity needs, liquidation of those assets at a loss and required disclosure of the resulting capital charges made the liquidity situation acute and ultimately fatal. Moreover, alternative contingent liquidity from the Federal Reserve Bank and the Federal Home Loan Bank was likely available, but the firm’s failure to make adequate operational preparations foreclosed access at the critical time.

Whether this sequence of events resulted from a poor choice of risk policies or a failure to implement policies that were adequate on their face (which failure would represent a “cultural” fault as defined in 1.1(a) above), or both, is unclear. In either case, however, a failure of risk management occurred. If firm “culture” more broadly was at fault, the key may have been insufficient weight given to liquidity risk management in the first place.

– American Bankers Association

2.1 (b) What role, if any, might supervisory culture have played in connection with these events?

2.1 (c) How should supervisors approach culture risk governance as a factor in their assessment of a firm’s systems, controls, and critical risk management processes?

As stated previously, regulatory agency examiners can assess risk culture through examining material financial risks and evaluating Risk Management Practices and the consistency of their application. Examiners’ evaluation of an institution’s Risk Management Practice will be informed by the institution’s risk culture. For example, examiners can assess an institution’s issue management program to determine if the institution has timely identification, assessment, escalation, monitoring, reporting, and resolution of risk-related issues. Additionally, evaluating an institution’s complaint management program will determine how the institution is defining, capturing, categorizing, escalating, reporting, and resolving consumer complaints and any associated compliance risk-related issues. Finally, an institution’s internal checks and balances (or “self-policing”), such as monitoring and testing activities, effective challenge, risk reporting, and internal audits, will also help examiners evaluate how well institutions are identifying, measuring, monitoring, and controlling material financial risks.

– American Bankers Association

2.1 (d) How should supervisors view the complex interactions between formal governance structures and firm culture? Should supervisory expectations of firms’ governance evolve to ensure that culture is treated as a first-order determinant of institutional resilience? Why? And how?

2.2 (a) How should supervisors balance establishing evidence of wrongdoing before they take action versus exercising supervisory judgement to preempt problems from happening in the first place? How does the necessary posture differ based on legal mandate and supervisory tools?

The best way for supervisors to identify if an institution has undue risks and weak risk management practices is through the examination process, including a clear, concise written report of examination and on-going communication with the management team. Safety and soundness examination activities focus on assessing an institution’s capital, asset quality, management, earnings performance, liquidity, and sensitivity to market risk (e.g., CAMELS rating system), as well as the institution’s adherence to laws and regulations.

If asked what the hardest report of examination for an examiner is to write and for an institution to receive, the answer, in most instances, would be a Composite 3-rated report of examination. Examination reports of fundamentally sound institutions with strong or satisfactory risk management practices (Composite 1 or 2) or institutions exhibiting unsafe or unsound conditions or practices (Composite 4 or 5) can practically write themselves as the evidence to support those ratings is apparent. In cases of a well-rated institution, the management team is receptive to the findings – who would refute being told your institution is well-run and safe and sound? For a problem bank, the management team may be in denial but typically will not be able to refute the evidence, such as the level and severity of classified assets and the impact on capital levels, earnings performance, and other factors. Bank failure is a distinct possibility (Composite 4) or highly probable (Composite 5).

An institution, however, with a Composite 3 rating, may be hearing for the first time (and by the same examination team) that the institution has some weakness, is not “well run”, and will be under some type of supervisory action. A Composite 3-rated institution exhibits supervisory concern in one or more CAMELS components, as well as associated Risk Management Practices, and may be more vulnerable to outside stresses and business fluctuations than a well-rated institution. Therefore, a 3-rated institution is at a crossroads, and its financial condition and operational/risk management practices will either improve or continue to deteriorate over time. Which road to take falls on the management team and its board of directors to decide.

– American Bankers Association

2.2 (b) How should supervisory bodies address accusations that they tend towards overreach, on the one hand, versus overly delayed action, on the other?

With changes in economic conditions or political administrations, one constant should remain the same – the examination process including a clear, concise written report of examination and ongoing communication with the management team. An effective regulatory framework should focus on material financial risks with an institution’s Risk Management Practices being an essential aspect to this framework. Financial institutions should be able to determine their risk appetite and strategy and develop Risk Management Practices based on their size, complexity, and product offerings. The examiner’s main objective in an effective supervisory framework is to determine how well a financial institution identifies, measures, monitors, and controls material financial risks given their size, complexity, and product offerings. The leaders of supervisory agencies may change, along with their priorities for the agency, but the basic blocking and tackling of examinations should not change. And, open, ongoing communication during the examination process is not only essential but should be required by both parties.

– American Bankers Association

2.2 (c) How might supervisory bodies work to establish greater trust with regulated entities?

Communication is a two-way street. Throughout the examination process, ongoing, open communication between examiners and an institution’s management team is imperative, especially with hybrid examinations (e.g., partial time on and off site). In addition, reports of examinations should clearly and concisely identify the issues, clarify the impacts, be fact-based, and relate to the law or clearly articulated supervisory expectations. An institution’s management team should be able to leverage the report of examination to determine the root cause of the issues and implement appropriate corrective action plans. It is important that both parties, the institution and supervisors, are on the same page as to what issues need to be corrected; however, it is up to the institution to determine the most effective way to correct the identified issues.

– American Bankers Association

2.3 (a) What steps might supervisors take to help banks to preemptively address culture risk matters before they lead to risk governance failures and enforcement actions?

2.3 (b) What tools can a supervisor use to address clear cultural failings within a regulated entity? Are Pillar 2 adjustments and liquidity add-ons (i.e., higher financial requirements) an adequate response to behavioural issues? If not, what supervisory tools can supervisors use to incentivize banks to address cultural matters?

2.3 (c) What is the appropriate role for enforcement in addressing culture as sitting among the root causes of risk governance failures?

Postmortems of recent bank failures noted that the institutions had rapid growth without commensurate risk management practices. In addition, these postmortems have shown that stronger regulatory frameworks were needed to make sure supervisors take the appropriate action to ensure institutions addressed supervisory concerns in a timely manner.

Supervisors have the necessary tools, including informal (e.g., supervisory letters, board resolutions, memoranda of understanding) and formal (i.e., cease-and-desist orders, consent orders, written agreements, and removal/prohibition orders) supervisory actions, to ensure that institutions’ Risk Management Practices are commensurate with their size, complexity, and risk profile and that policies and procedures are consistently applied. Provisions in informal or formal supervisory actions are often written as programmatic changes and may not address the root cause of the issue. For example, provisions typically include, but are not limited to, the following: increasing board of directors and management oversight; reducing classified assets; reviewing and revising a specific policy or program; maintaining certain ratios such as capital or liquidity; remediating violations of law; and developing a strategic plan. These provisions, however, serve as a “roadmap” for institutions to remedy issues identified in reports of examination.

This is where risk culture comes into play and where the “rubber meets the road.” Institutions that are successful in remediating a formal or informal supervisory action quickly, identify the root cause of the supervisory concern, develop an appropriate and timely action plan, and, most importantly, implement the necessary operational changes to remediate the root cause. Institutions that remain under supervisory actions for long periods of time, however, tend to think about compliance with the supervisory action as a check-the-box exercise to simply get out from under it by addressing the programmatic changes without implementing the necessary operational changes to address the root cause.

– American Bankers Association

2.4 (a) What is needed to ground supervisory judgement operationally and to make interventions in culture related matters more explainable, consistent, and legitimate?
