A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Chapter 3 — Past Efforts and Outcomes

Included in this Section

3.1 – Integration into Supervision

3.1.1 – Why have some jurisdictions invested in and leaned into culture supervision while others have not?

  • 3.1.1a Several participants noted that many supervisory agencies have typically increased their culture risk supervision efforts in response to some crisis.
  • 3.1.1b Other participants note that they have sought to implement effective culture risk supervision specifically so as to avoid potential future crises.

3.1.2 – What are the structural challenges to integrating culture supervision into standard oversight practices?

  • 3.1.2a Some participants describe challenges when there is a lack of a legal framework or regulatory mandate.
  • 3.1.2b Participants also point to other structural challenges, such as achieving management buy-in, and overcoming resourcing constraints.
  • 3.1.2c Some participants noted that questions as to whether and how culture should be approached by conduct regulators vs prudential regulators can create organizational challenges.
  • 3.1.2d Some participants discussed the role of judgment-based supervision versus rules-based regulatory approaches to culture risk assessment.

3.2 – Innovation in Measurement

3.2.1 – What tools, metrics, and data collection capabilities are currently available to support culture risk governance and supervision? What is working and what does this hold for the future?

  • 3.2.1a Participants discussed the promise and the challenges that new technologies offer in culture risk supervision.

3.2.2 – What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

  • 3.2.2a Some participants describe ways in which AI can improve culture risk supervision through the application of sentiment analysis and natural language processing tools.
  • 3.2.2b Participants highlight the potential offered by analyzing latent data sets in innovative new ways.
  • 3.2.2c Participants point to the value that would be achieved were we able to conduct reliable horizontal peer reviews and benchmarking exercises in the realm of culture risk supervision.
  • 3.2.2d Participants describe other innovative applications of AI to challenges of culture risk governance and supervision.

3.3 – Supervisory Learnings to Date

3.3.1 – What frameworks have supervisory bodies considered as an effective means by which to assess culture risk governance among firms?

  • 3.3.1a Participants described different frameworks and governance processes that supervisory bodies have trialed with a view to assessing culture.

3.3.2 – What have we learned from past approaches to culture risk governance and supervision?

  • 3.3.2a Participants noted both opportunities and challenges in connection with individual accountability regimes.
  • 3.3.2b Many participants reflected on how a focus on Tone-From-The-Top, while necessary, has had limited success.
  • 3.3.2c Some participants noted challenges associated with utilizing compensation and incentive schemes to drive cultural change.
  • 3.3.2d Participants highlighted how difficult it can be to push through meaningful culture change and the tendency towards superficial fixes.
  • 3.3.2e Participants highlighted how difficult it can be to push through meaningful culture change and the tendency towards superficial fixes.

3.3.3 – What are the informal challenges with integrating culture supervision into regulatory bodies?

  • 3.3.3a Still others describe cultural barriers to trialing new approaches and encouraging the internal risk taking that innovation demands, making it difficult to drive change in practice.

3.4 – Re-setting Institutional Memory

3.4.1 – How can supervisory bodies move to embed culture risk into supervision and governance frameworks?

  • 3.4.1a Participants describe current efforts to incorporate culture risk into supervision and highlight the questions that such efforts raise.
  • 3.4.1b Participants also described the role of the supervisor in making culture risk governance tangible for supervised firms through training, tools, and targeted frameworks.

3.4.2 – How do supervisors need to adapt in order to accelerate progress in culture supervision?

  • 3.4.2a Participants highlight the importance of effectively embedding challenge in their engagements with firms related to culture.
  • 3.4.2b Participants note that supervisors should build trust into their approaches.

Chapter Questions and Comments

3.1 – Integration into Supervision

3.1.1 – Why have some jurisdictions invested in and leaned into culture supervision while others have not?

3.1.1a Several participants noted that many supervisory agencies have typically increased their culture risk supervision efforts in response to some crisis.

“[In the Netherlands] one of the lessons that could be drawn from the financial crisis and major incidents in the financial sector is that employee behaviour and culture greatly affect the soundness, risk profile and integrity of financial institutions. Answers had to be sought in employee behaviour, going beyond organizational structure and processes.”

“The 2008 global financial crisis resulted in a sea change in financial sector regulation across the world, with a particular focus on conduct regulation.

South Africa experienced the crisis from a slightly different perspective, as its financial sector weathered the stability crisis well, reflecting the strong prudential and stability framework already in place. Nevertheless, the role of the financial sector in supporting the South African economy and the country’s citizens was put under review, in particular looking at the conduct and culture of financial institutions. 

The financial sector could and should be doing more to drive better outcomes for South Africa’s citizens and economy. High-profile cases of outright fraud and misconduct have been endemic, alongside poor practices such as opaque pricing structures, ineffective disclosures, poor claims and complaints practices, and complicated product offerings. This has resulted in high levels of mistrust among financial customers. 

More active participation in the sector was required in order to drive improved outcomes for customers, and to ensure that the financial sector plays its facilitative role in the economy well.”

“The events of the 2008 Financial Crisis, together with several scandals that followed, made it clear that more work was needed to address some of the underlying issues that led to these events. [The Federal Reserve Bank of New York] wanted to understand better what the drivers were — and wanted to work with the industry, academics, and others to take a closer look at culture as a potential driver of conduct within financial services. This led to the first of a series of conferences hosted by the Federal Reserve Bank of New York, starting in 2014. 

This effort has now grown into the ‘Governance and Culture Reform’ initiative — a multi-pronged approach that incorporates educational and training efforts, direct dialogue with the industry, and sharing of best practices across regulatory agencies, combined with the more public events like conferences, podcasts, etc.”

“While lots of bad things happened during the Financial Crisis, everybody was so focused on fixing it that I don't think there was much time spent reflecting on it. The real trigger point came later with the FX and LIBOR situations. 

I know in conversations, we looked at each other and said, ‘WTF? We just went through a terrible crisis, and now we have these issues?’ For me, that was the moment that prompted a lot of the effort to think about what was actually driving this behavior. 

People started talking about ‘bad apples’ and ‘broken windows,’ and the issue started to get some momentum, particularly at the New York Fed. We tried to explore what this meant, what it was, and what should be done. I think there were even some efforts coming out of the initial set of conferences [organized by the NY Fed] that were supposed to bring together the private and public sectors on things like the whole mortgage process, asking, ‘Is there a different way to actually do this?’”

“About [2014], the New York Fed decided to use its position, influence, and credibility to ‘shine a spotlight’ on the issue of culture. We wanted to persuade the financial services industry to pay greater attention to the group norms that affect individual behavior and to use all available tools to strengthen norms that contribute to public confidence in finance.

The Global Financial Crisis and a subsequent litany of scandals prompted our action. Although the Dodd-Frank Act and its implementing regulations did much to improve the resilience of banks and the stability of the financial system, misconduct persisted. And, in several notable examples, bankers collaborated across institutions to accomplish their goals, strongly suggesting that behavioral problems were shared across the industry, or at least across large financial institutions.

In my view, and in the view of many of my colleagues, regulation and enforcement were a necessary response to the Crisis and to subsequent misconduct. We wondered, though, whether either was completely effective at addressing the root causes of misconduct. We doubted the industry and the public could rely on laws, enforcement actions, and lawsuits alone to improve the trustworthiness of financial services.”

“Ten years ago, in the wake of the 2008 financial banking crisis, I had the privilege of sitting on the UK’s Parliamentary Commission on Banking Standards as part of a cross-party body to take evidence on the fundamental causes of the crisis especially the breakdown in banking culture, and to recommend changes that would prevent similar failures again. 

The evidence was frankly shocking — failures of management, failures of supervision, failures in culture. The many good people in banking either felt unable or feared to question. The tone from the top of banking institutions favoured risk and short-term profit maximisation. The supervisors not only lacked powers but often behaved with deference.”

“We lived through the Asian financial crisis. The Asian tigers were the ones that were badly hit. We were so lucky in Singapore; we were actually a safe haven and, in a way, beneficiaries of the Crisis, because there was a flight to quality.

But having said that, one of our very small local banks had an inordinate exposure to Indonesia. They didn't go bust, but they were bought over, and there's a reason people get bought over sometimes. We did have that as a lesson. Luckily, it was not a fatal blow, but it was still a lesson to us as to what can go wrong. Even with tight regulation, and even though it was our smallest bank, it still got into trouble. That taught us that we needed to change our thinking. 

We were moving away from very tight regulation to more risk-based supervision, we had to then rely on the players and their in-house ability. We weren't clever enough to give it the label ‘risk culture,’ but that was what we were looking at. 

When the Global Financial Crisis came, it was an even better result for Singapore. A lot of foreign banks were going down, but the local banks didn't even have a loss. We credit that to having gone through the earlier crisis. 

The Asian financial crisis made our institutions very risk-aware. It made us think about following fads and about too much concentration risk. So, when all these CDOs came along and became a very sexy thing, we used to just say to the banks, ‘You have to understand it first before you get into it. Why are you getting into it?’”

3.1.1b Other participants note that they have sought to implement effective culture risk supervision specifically so as to avoid potential future crises.

“Since the Royal Commission into Misconduct, APRA has strengthened its supervisory framework to assess governance and risk culture more explicitly. It has also enhanced its enforcement approach to empower supervisors to require entities to act before financial soundness is threatened.”

“APRA’s Risk Culture team has developed an enhanced supervisory toolkit through which to assess risk culture issues. The toolkit includes: 


Industry-wide risk culture survey: APRA is piloting an online survey of staff at a number of entities in order to develop a risk culture benchmark which can be mapped across the Risk Culture 10 Dimensions. Following the pilot, the expectation is that the project will be expanded to a broader set of entities on a regular basis. The approach is similar to that undertaken by the Banking Standards Board in the UK but with a focus on risk culture.


Risk culture deep dive reviews of entities: The team is undertaking a number of risk culture deep dive reviews each year. Findings are made following a triangulation of data from interviews of members of the Board, senior management and staff, focus groups with staff, online surveys and document reviews. Following the reviews, actions undertaken by entities are tracked to ensure that appropriate changes are being made.

Risk culture transformation toolkit: A toolkit has been developed that outlines the key drivers for embedding strong risk culture outcomes in the long term. The toolkit has been tested as part of recent deep dive reviews and is included as part of our feedback to entities outlining the areas they need to focus on to enable long-term improvements to risk culture, rather than short-term fixes. It is planned that the toolkit will be rolled out more broadly during 2021.


RegTech and innovative approaches: As the available methods and technologies used to assess risk culture are rapidly evolving, APRA is trialling a number of approaches including the use of natural language processing which is used as part of risk culture reviews. Issues such as psychological safety, role-modelling of leaders, how managers ‘listen up and act’, incentives and remuneration, accountability, governance effectiveness and how COVID-19 has impacted entities are some of the many factors the team has recently examined.”

“We've been intensifying our efforts, and we have a three-pronged approach. 

The first prong approach in supervising organizational culture is what we call promote and cultivate. So MAS promotes awareness and cultivates commitment within financial institutions to build strong organizational culture. This first step recognizes that building strong organizational culture is something that financial institutions need to own. 

MAS engages in regular dialogues with financial institutions, their boards and senior management, to discuss the benefits of good culture to get the mind share. And we also lean in to listen to their operational challenges, and then we try to bring the industry together to facilitate sharing of good practices so that good solutions to common problems can be tackled very much more quickly. 

The second prong is to monitor and assess. Having secured commitment to build sound organizational culture, MAS as supervisor must monitor progress and nurture improvements. We assess both the hardware, things like frameworks, policies, procedures, they still have a role to play, as well as the software, such as tone from the top, leadership attitudes. 

We evaluate whether a financial institution's organizational culture incentivizes ethical behaviors and responsible risk taking. We also look out for potential red flags, such as for example, perhaps this empowered risk control function. The supervisory techniques that are involved are rather different from what our inspectors are ordinarily accustomed to. 

For example, great reliance is placed on in-depth conversations and interviews with bank employees on topics such as their perceptions of front office culture, tone from the top in terms of organizational values, and their perceptions of desired employee behavior. Hence, aside from iteratively improving our methodology of assessing organizational culture, we are also deepening our supervisors' capabilities of performing these assessments.

And the third and final prong is to enforce and deter. We can take a variety of actions ranging from just issuing a warning to closing a financial institution, to civil penalties or referring it to our Attorney-General's Chambers for criminal prosecution. Of course the penalties will have to be commensurate with the severity and nature of the misconduct and be sufficiently tough, adequate to achieve effective deterrence.

While the three prongs are mutually reinforcing and important, our predominant focus now is on the first two prongs, because cultivating and monitoring industry norms of desired behavior are more preemptive towards minimizing the likelihood of serious lapses in the industry.”

“The Hong Kong Monetary Authority (HKMA) initiated its “Bank Culture Reform” programme in March 2017, with a view to cultivating the right culture and values in banks. 

The HKMA’s reform effort seeks to develop and promote sound banking culture that supports prudent risk management and contributes towards incentivising proper staff behaviour, that will lead to positive customer outcomes and high ethical standards in the banking industry. 

While there is no one-size-fits-all approach when it comes to culture, the HKMA asks banks to adopt a holistic and effective framework for fostering sound culture within their institutions, with a focus on three main pillars: 

1. strong governance; 

2. appropriate incentive systems; and 

3. effective assessment and feedback mechanisms.”

“In recent years it has become increasingly clear that studying behaviour has a predictive quality with regard to future performance. 

Behavioural problems often already exist before problems in the performance of the organization come to light. Therefore, by identifying and tackling ineffective behaviour and an unhealthy culture at an early stage, major financial and non-financial risks can be prevented. 

Behavioural Risk Management uncovers structural behavioural patterns at work within an organization that might lead to financial as well as non-financial risks. By thoroughly analysing behavioural patterns in the organization, we develop tailor-made interventions that mitigate and — eventually — prevent behavioural risks. 

Early intervention can mitigate risks in a more timely way and help to prevent future problems. Where people used to look back more, nowadays, there is more value attached to looking ahead, and people are increasingly aware that the capacity to examine behavioural risk is an important asset in this respect. 

In the end, we all want the same outcome: reduced financial and non-financial risk and a healthy, high performing organization. If that requires insight drawn from behavioural science, most people are actually quite keen to explore how this adds value.”

“I think one of the organizations that helped ignite a lot of conversation around culture was the NY Federal Reserve Bank (FRB), under Bill Dudley. From a broker-dealer perspective, at FINRA, we started to examine the ties between culture and conduct, and we thought that sitting down with a number of large firms to ignite the conversation was consistent with FINRA’s mission. 

Since there are reporting requirements for certain disciplinary actions and terminations, FINRA can monitor, on an industry-wide basis, the level of conduct that was violative of firm policy, SRO rules and federal securities laws. Having that unique lens, we determined that understanding the tone, perspective and sense of accountability around the issue of culture would help us to identify conduct-related weaknesses which could potentially have an impact on the investing public.”

3.1.2 – What are the structural challenges to integrating culture supervision into standard oversight practices?

3.1.2a Some participants describe challenges when there is a lack of a legal framework or regulatory mandate.

“In our Criminal Code, we talk about the concept of ‘fault elements.’ If intention, knowledge, or recklessness is a fault element, that fault element must be attributed to a body corporate that expressly, tacitly, or impliedly authorized the offense. 

But the key point I want to make regards the means by which such an authorization or permission may be established. One of them is proving that a corporate culture existed within the body corporate that directed, encouraged, tolerated, or led to non-compliance. Or, proving that the body-corporate failed to create and maintain a corporate culture that required compliance with the relevant provision. 

The Commonwealth Parliament of Australia was persuaded to pass legislation that says, if you want to prove the corporation did something wrong, one of the ways of doing that is proving one of these corporate cultures existed. 

And culture is defined in that legislation. “Corporate culture means an attitude, policy, rule, course of conduct, or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activity takes place.”

However, without too fine a point on it, it's pretty much a dead letter. It's never been used. Prosecutors just haven't run any cases. This legislation took effect in 2001. It's now 2025, and there's been not one case. I just think it's curious. I was in private practice in the late nineties, and I spoke against this law on the basis that I didn't think it was prosecutable. I just didn't think it would work. And it hasn't.”

“Part of your job as a supervisor is also to say no. But in order to say no, you need a legal framework supporting you. And if you don’t have that, you’re stuck. Because otherwise, if you say no, you get fired by the political elite, or the bankers show up in the newspapers and on the news every morning saying the supervisors do not know what they are doing. 

This is also why, in many parts of the world, supervision is handled or guided by the finance ministry, not the central bank. That’s why you sometimes move supervision out of the central bank — because central bankers are trained to say no, and politicians don’t like it. If you move supervision out, the finance ministry can have the final say. 

Another version is to move supervisory decisions into law, because draft laws are usually written in the finance ministry or in parliament. If that happens to you once as a supervisor, you realize you’re stuck. Even if you say no, there’s nothing you can do because they’ve taken the right away from you and put it in the law. 

It’s a very asymmetrical system: in supervision — whether banks, insurance, or securities markets — you always get the blame when things go wrong, and no one knows about the disasters you’ve avoided. This creates a very difficult environment. 

I know of examples in other parts of the world where the supervisory agency was deliberately dependent on the finance ministry. Ultimately, that means if a big bank runs into trouble, you can’t do much without talking to politicians. And the politicians will tell you what to do and what not to do. It’s very difficult to say no in such an environment. This is why there is no global concept of supervisory culture, and no global standard for how to supervise.”

“If enforcement action is based on ‘poor culture,’ is it legally challengeable? Breaching a capital or AML rule is clear. But an action predicated on culture relies on circumstantial evidence and patterns — building a robust case is harder. 

Focusing on board and senior management accountability is key in large, complex organizations where responsibility can be diffuse.

Finally, there are jurisdictional differences — legal frameworks and corporate-governance approaches vary. Achieving broad consistency for global institutions would help.”

“I think a legal framework is incredibly important because I see it as a hygiene factor, but it needs to be in order because the majority of people we work with — accountants, lawyers, or economists — are used to having everything anchored in some kind of regulation, guidance, or legal framework. It's incredibly important because it legitimizes that it's part of the role. 

The majority of institutions understand that this is part of a supervisory role. However, the institutions that really push back on this are always the ones that have the most behavior and culture issues. So, in those situations, when you are entering a very hard fight as a supervisor, it's incredibly important to have your legal framework in order and right, so you don't get sucked into a legally weaponized discussion with that institution.”

“South Africa’s market conduct regulatory reform process entails more than the creation of a new regulator. Another key focus is to streamline and harmonise the legal landscape within which financial institutions, and their regulator, will operate. This entails a comprehensive review of existing financial sector laws, with the aim of developing a single, holistic legal framework for market conduct regulation that is consistently applied to all financial institutions in South Africa. 

The draft Conduct of Financial Institutions (COFI) Bill represents this new legal framework. It puts in place a market conduct framework that is more principles-based, allowing for regulation that is flexible, proportionate, and focused on the achievement of outcomes rather than the mere compliance box-ticking that characterized the previous regulatory regime.”

“Almost every lawyer has had a difficult conversation, in which a client (or, for an in-house attorney, a client representative) has asked us for a narrow, legal view. 

Although the American Bar Association advises against an attorney becoming a ‘moral advisor,’ it has also cautioned that ‘purely technical legal advice . . . can sometimes be inadequate.’ 

In my experience, a request for purely technical advice from lawyers is a frequent attribute of decisions that later attract scrutiny, regulatory or otherwise. This type of request also tends to arise where the interests of one desk or line of business may not wholly align with the broader, long-term interests of the organization — which is the in-house lawyer’s client.

Lawyers are partners in trying to achieve the goals of the organization together with the business or operational departments. They are also guardians of the firm’s reputation, objectives, and integrity — which, at times, means saying no to business partners. In my experience, in-house lawyers offer the greatest value to their clients when they embrace the partner-guardian model. Finding the right balance is, of course, the art of our profession.

Being a partner and a guardian does not pose insurmountable conflict. Done properly and skillfully — and that is key — one role enhances the other. A lawyer becomes a trusted advisor because she is also perceived as a guardian of the organization. Her ‘blessing’ carries that much more weight and influence.”

3.1.2b Participants also point to other structural challenges, such as achieving management buy-in, and overcoming resourcing constraints.

“When I was at MAS, we made concerted attempts to supervise for culture — especially in key financial institutions. For us, it was about understanding the human element of risk. We focused on observable behaviors and then decided how (or whether) to intervene, with the goal that culture would function as a line of defense rather than a hidden vulnerability in the financial system. 

That’s also why we brought our Chief Data Officer into the picture — to think about how data and analytics could inform assessment — and we even recruited a behavioral expert from a university to join some supervisory site visits. The idea was to get better at picking up signals.”

“The challenge was that, when you talked about culture, not everyone we spoke with understood what culture was or what we were referring to. And many didn't believe culture was a thing. Then you had some policymakers in the U.S. who were either uninterested in the topic or didn’t think culture was a thing either. The resistance in the U.S. was immense, both at the official level and in the private sector. 

Some argued, ‘If you can't write a rule around it, it doesn't exist.’ So anything that we were going to be doing, anything that we were going to evaluate, they thought that you had to have a specific rule that could be written about it before we could do anything about it. 

We started to explore [culture supervision] and tried to initiate some pilots in New York using the techniques the Dutch central bank had used, but we weren’t able to get buy-in from policymakers in DC. They wanted us to ‘stay in our swim lane.’ 

Since we weren't able to use supervisory processes and tools, we then went into the culture initiative through other means outside of supervision. We could put on conferences, initiate work with academics, and make speeches about it, which a number of us did.”

“There is currently pressure from a number of governments on the regulators to stand back and not be so intrusive. The danger is that it has a cultural impact on the regulators — and that they therefore decide that maybe they’ll do less supervision, and the supervision they do won’t be so demanding. While that may go along quite well for a while — eventually it’ll blow up with a loud bang. 

If you look at the cultural influences on the supervisors, they’re quite complex. They come from the government, they come from other politicians, they come from lobby groups, and they come from the firms themselves. There’s a risk of capture or groupthink coming from a number of different directions.”

3.1.2c Some participants noted that questions as to whether and how culture should be approached by conduct regulators vs prudential regulators can create organizational challenges.

“MAS is both conduct and prudential regulator, and also the central bank and AML regulator. During my tenure, conduct issues — behaviors, incentives, remuneration — were constant topics in joint supervisory meetings. We asked whether lessons from conduct could inform prudential reviews.

We also had incidents — our SIBOR-fixing episode (our analogue to LIBOR). Were those traders acting individually, or was there a deeper cultural driver? Why this group, these institutions, and not others? That pushed culture into prudential work. 

At that time, our board would ask: what is the culture at Bank X versus Bank Y? Are they cowboys? Are they careful? Do they try to do right, or only chase the bottom line? As supervisors in and out of institutions, we were expected to have a view. We needed a common ‘song sheet’ internally and when engaging firms. That prompted more structured thinking. 

We had the ‘luxury’ of being conduct regulator, prudential regulator, and central bank — with autonomy — so we could make the case to our MD/Governor and weave culture into supervisory processes. It resonated with leadership and staff. To be honest, teams felt they were already observing cultural signals informally: ‘helpful’ versus ‘evasive’ managers, etc., and sometimes wrote that into supervisory reports.”

“Is it easier as an integrated regulator to see this? Yes, I think it is, because the prudential team has access to data that a conduct regulator doesn't typically get. As an integrated regulator, you see more, and it's probably easier to engage.”

“The creation of the new FSCA involved a significant change management process, shifting from the organisational, regulatory and supervisory approach of the Financial Services Board to an entirely new institution, focused on a relatively new area of financial sector regulatory interests, i.e. conduct and financial sector outcomes.

A further shift in approach was necessary, away from the traditional compliance-driven model to one that is proactive, pre-emptive, risk-based and outcomes-focused.

Banking conduct regulation, and particularly appropriate governance practices and culture outcomes, remains a key focus area of the FSCA and a crucial success indicator of the newly adopted Twin Peaks regulatory framework. 

The FSCA has promulgated Conduct Standard 3 of 2020 (‘Conduct Standard’), the underlying regulatory instrument for the conduct of banks … Amongst its key requirements and provisions is the obligation for banks to have in place proper governance and culture-focused structures, and related policies conducive to good customer outcomes.”

“In Singapore, conduct regulators and financial stability [shared common leadership], so it was all under one roof. But in many other jurisdictions, it's more balkanized. That is also a problem. Conduct and enforcement people tend to set really strict rules, and if they're broken, you want public hangings. But prudential regulators want to be more anticipatory. Especially if you're in charge of a bank, you do not want to precipitate a bank run. Public hangings are really not the way to go. It's a different philosophy, so it's a different culture. 

The conduct regulator will have to look at culture from a particular perspective. The prudential regulators will look at it from a particular perspective. But there must be somebody joining it all up at the top for large institutions that have both prudential and conduct risk.”

3.1.2d Some participants discussed the role of judgment-based supervision versus rules based regulatory approaches to culture risk assessment.

“The regulatory reforms following the GFC have significantly enhanced the official sector’s ability to manage financial stability risks. However, these reforms have not been matched by comparable efforts to establish more effective supervisory frameworks. 

While recent evidence points to the need to enhance the safety and soundness of financial institutions, the option to do so by significantly further tightening regulation should be approached cautiously. After the far-reaching post-crisis reforms, the marginal benefits of additional regulation may have diminished, while the marginal costs of higher regulatory burdens have arguably increased.

Conversely, the case to enhance supervisory frameworks looks quite strong and should therefore become a key priority. Efforts should focus on identifying banks' vulnerabilities and addressing them through well defined, prioritised, and monitored qualitative measures. If successful, these efforts could also support ongoing initiatives to simplify the regulatory framework by streamlining minimum requirements without compromising financial stability objectives.

Targeted supervisory actions to address specific weaknesses in regulated banks — before they escalate into crises — can effectively safeguard the safety and soundness of individual financial institutions. Robust supervisory frameworks may reduce the need for frequent adjustments to regulatory requirements across the board, especially for vulnerabilities that are not uniformly relevant to all institutions. By striking the right balance between regulation and supervision, the prudential framework can achieve financial stability goals while minimising compliance costs for the sector.”

“When you see outbreaks of misbehavior or something happening in the industry, often the knee-jerk response from regulators is to put in place more regulation. But in fact, I think often the answer is not to do that, because you're just slowing down the people who are doing the right thing. But often the better response is to see where the bad behavior is, take enforcement action, hit those people hard, and let the people who are doing the right thing get on with business.”

3.2 – Innovation in Measurement

3.2.1 – What tools, metrics, and data collection capabilities are currently available to support culture risk governance and supervision? What is working and what does this hold for the future?

3.1.2b Participants also point to other structural challenges, such as achieving management buy-in, and overcoming resourcing constraints.

“What is very striking when it comes to supervision — and it doesn’t really matter where the supervision happens to be located, inside the central bank or outside the central bank — is that there is no global best practice when it comes to how to organize it. 

If supervision happens to be inside the central bank and things go wrong, then you move it out because politically you feel that you need to do something. And if something goes wrong and supervision is outside the central bank, you move it into the central bank, because action has to be taken. Whether this really produces results or not is very hard to tell. 

We do know from history that we never learn when it comes to the financial sector. We make the same mistakes over and over again. It’s just so easy to increase leverage in the short run, pump up the system, and get all the gains in the short run, while the costs come in the long run — but that’s way beyond the next electoral cycle. And for bankers, it pays to increase leverage in the short run.

This is where the whole concept of culture on the side of the supervisors — not within the banks — really matters. And it’s very difficult to deal with because it depends on what kind of national or domestic governance structure you have, because it’s within that framework that you are expected to act, react, decide, or do something.

There is a difference between supervision outside the central bank and supervision inside the central bank. When things really go wrong, supervisors don’t have any money, but central bankers do. That means the central bank always has an informal say, whether you like it or not.”

3.2.1a Participants discussed the promise and the challenges that new technologies offer in culture risk supervision.

“The use of Suptech and predictive analytics, complemented by behavioural science, will equip supervisors with the necessary tools to examine and evaluate in a more systematic way what is commonly viewed as a nebulous area.”

“Without confidence in the supporting analytics, taking difficult decisions under uncertainty will be even more challenging. Technology may be able to help and should be promoted, but I don’t expect it will be a panacea.”

“If you look at supervisory technology, the investment is at a very low level in large parts of the world. We are still collecting data in a 20th-century way.”

“We cannot undertake this work … without the help of technology. Indeed, we are fully aware of the problems about people telling you what they think you want to hear. And so to solve this problem, it’s really about going down to the masses, taking a very elapsed sample and then lobbing off at the extremes. And in order to do this, you need technology to help you.”

“AI’s increasing adoption has added impetus for us to explicitly codify what is acceptable behaviour so that we do not end up with unintended outcomes. Values and norms that are implicit in our decision-making cannot be assumed when handing the reins to a machine. 

The need to find ways to connect values to tangible metrics presents an opportunity for us to reflect on what metrics we might leverage to identify good ‘culture’.”

“My hope is that the development of new technologies and the use of AI in supervisory processes could help reduce the time devoted to assuring core compliance and free supervisory resources for focusing on culture. 

AI tools could also hopefully help in focusing supervisory attention on culture, as this is an area where firms frequently reject supervisory judgment and having some evidence on internal norms and behaviors would help supervisors.”

“We are very conscious that technological developments and innovations can have a transformative effect on what we do — allowing us to be faster, better, more efficient and more targeted in aspects of our regulation and supervision.”

“RegTech holds great promise for supplementing the training, judgment, and expertise of bank examiners and supervisors. The best RegTech eliminates burden of data entry and retrieval, minimizes risk of human error, and helps identify patterns and indicators that may go undetected by the human eye. 

At the OCC, we are undergoing just such a transformation as we modernize and integrate the toolset we use to manage and administer our bank supervision process. Rather than replace human beings, we want tools that make examiners super capable, because we still have not found a greater substitute for the curious, skeptical human mind.”

“I gave a very controversial speech to the Law Council in September 2015 called ‘Culture and Regulation.’ Around that time, the Senior Managers Accountability Regime came about to try and make senior managers more accountable for poor conduct. But I was trying to say that we should talk more constructively about how you create a good culture, monitor it, and give companies the tools to do so.

From a regulatory perspective, you have pretty good indicators that tell you there's a problem, like customer complaints or our own direct supervision visits revealing unreported breaches of the law. If we saw a pattern of conduct that was breaking the law or close to it, or if we had a lot of complaints about a company, those were usually indicators.

There are a lot of tools companies can use to identify cultural problems, which you can then unpack. You have both internal and external techniques to identify where culture problems exist. 

Boards have got to have tools that enable them to challenge management. They need dashboards that can give an indication of problems further down the organization. Directors at the board need to challenge the executive about what they are doing about these issues and continue to challenge them until the problem is resolved. 

Often, the problem is that these things are identified but perhaps not challenged with enough focus before they get out of hand.”

“There remains a crying need for better data analytic tools that allow firms to focus in on exposures more quickly — before damage to clients has occurred. 

If a number of firms stepped forward and proposed employing one or more culture diagnostic tools to determine better how to incorporate that into control environments, I think regulators would likely view that quite positively.”

“One of the areas where I think there’s an opportunity to advance our toolkit is through more forward-looking tools — those that allow firms to identify hotspots and take action to prevent future misconduct. 

While these efforts don’t replace the ongoing need to be able to detect misconduct (though that’s after it happens and has potentially already had some level of impact), there are opportunities to get in front, for example, to look through vast amounts of data (structured and unstructured) and identify patterns of behavior that signal something is amiss in certain parts of the organization.

Can you imagine getting a report that says that one of your teams is an outlier on a particular dimension? How great would it be to be able to jump on that issue — before something even bigger occurs?”

“Behaviors don’t fit cookie-cutter archetypes. Each case is somewhat unique — some things rhyme, but situations differ. With hindsight it’s easier; at the time, it’s hard to disentangle. 

Would psychologists have diagnosed more objectively? Maybe. Different ways have been tried: psychologists/experts; surveys; painstaking observation; training supervisors to be alert; some regulation — not of ‘what culture should be,’ but requiring firms to think about it and letting us check. 

The big one underused, to me, is data. Data’s probably useful for some cultural issues — but not all. We need to work out what can be done with data.”

“There’s no doubt about it. Compliance burdens, particularly those involving BSA/AML, are burdensome and costly. More importantly, I’m not convinced they are as effective as they need to be to prevent the kind of misdeeds or illicit activity that they were intended to catch. 

Some of that can be addressed through better policy and greater coordination, and some of that can be fixed by allowing banks greater flexibility to share data and information and to explore new technologies that alleviate burdens while giving the good guys what they need to catch the bad guys.

Today, we have a high-definition view of what happens within a financial institution, but we need greater technology to assess what is occurring in the gaps and exchanges in between. Emerging technologies hold great promise to shine a light on these shadows.”

“If you are looking for metrics, you also need to think about going broader than the regulator-to-bank conversation.

When you talk to analysts, many are saying, ‘Look, we're just discounting this set of earnings because we believe there'll be some form of redress in the future or another regulatory problem.’ So, they're not going to give these institutions full credit. How do you turn that line of sight and immediacy into a question about, ‘Why are we trading at such a discount, and what are the things we need to do about it?’”

3.2.2 – What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2a Some participants describe ways in which AI can improve culture risk supervision through the application of sentiment analysis and natural language processing tools.

“Recognising the immense potential that technology offers, MAS coined the term “SupTech” in 2017, and has since gone on to expand our capabilities to harness technology for more effective supervision, including in the area of culture and conduct supervision. 

Some examples are as follows:

  • Dashboarding and Visualisation — At the most basic level, MAS monitors a broad range of data and metrics, including complaints received by MAS and financial institutions, misconduct cases, financial disputes, and product revenues, among others. Dashboarding and visualisation tools allow us to quickly identify trends, outliers, as well as specific issues of concern from these voluminous datasets.
  • Natural Language Processing — To analyse the misconduct reports that MAS receives from financial institutions each year, MAS uses a combination of Natural Language Processing (NLP) techniques such as topic modelling, sentiment analysis, and regular expressions to tease out various misconduct modus operandi, and monitor these for spikes and trends of concern.
  • Automatic Speech Recognition — MAS is also exploring the use of Automatic Speech Recognition technology to automatically transcribe the interviews and conversations we have with financial institutions’ staff, then running these through NLP and machine learning models for topic classification and other analyses. This will significantly improve the efficiency of our inspection work that places heavy reliance on interviews with staff of financial institutions and help us to identify more quickly, common themes and patterns that may be indicative of cultural issues.”

“One of the technologies that we've been trying to experiment with is automatic speech recognition. MAS is exploring the use of this technology to automatically transcribe the many, many interviews and conversations that we have with financial institution staff. 

This has the potential to significantly improve the efficiency of our inspection work, that places such heavy, and it's really inordinately heavy reliance on interviews. And it will help us identify very much more quickly, common themes and patterns that may be indicative of cultural issues.

[Another] example would be the use of natural language processing. To analyze misconduct reports submitted by financial institutions, MAS uses a combination of natural language processing techniques such as topic modeling, sentiment analysis and regular expressions to tease out various misconduct modus operandi, and to monitor these for spikes and trends of concern.”

“With technology we can address culture issues more on an ex-ante basis rather than waiting for problems to happen.

  • Speech-to-text, for example: the best place to start is at the supervisory level. Through supervision and enforcement we already collect many recordings — interviews, investigations. We can use these data to develop engines.
  • Product sales are recorded; with speech-to-text, the engine can monitor conversations in near-real time. Choice of words, a change in tempo, forgetting required disclosures — these can all be picked up, and a reminder can pop up on the screen: ‘Don’t do this; you might be breaching requirements.’ This used to be expensive, but it’s becoming feasible.
  • Robotic process automation is another area: supervisors have many repetitive processes. We shouldn’t just ask banks to explore these tools; we should adopt them ourselves. Our experience over the past two to three years with supervisory technology has been positive.”

3.2.2b Participants highlight the potential offered by analyzing latent data sets in innovative new ways.

“Regulators these days have a lot of data, and it needs to be interrogated intelligently. But you also then need to be guided by that. A regulator needs to be out there looking at the institutions on a rotational basis, on a risk basis, and seeing what's actually happening inside. 

I think that's the sort of magic little bit. It's not just trusting it to everyone doing the right thing and then seeing whether it happens, but when you go in and visit the institutions, you should be testing those things.

I think using the data intelligently, using the enforcement outcomes that you're getting, allowing those to guide you into, if you like, the main body of your work, which is supervising what people are doing and actually getting in there and testing compliance, testing that approach to risk.”

“Machine learning and big data analytics have enabled ‘regtech’ solutions capable of interpreting organisational data, predicting conduct and culture risks and suggesting remedies.”

“Large datasets that are now available to us which, when combined with machine learning and predictive models of behaviour, can be used by regulators and compliance functions to detect potential misconduct before it even arises. 

Data-driven models provide a window into individual teams across an organisation. Culture is not uniform across a company — it exists in many different layers right down to small units. Behavioural science provides valuable insights into where culture is going right, and where it’s not, which is crucial in the pursuit of restored trust in the industry.”

“The right tool depends on the problem. If it’s the board, maybe you need the ‘skilled person.’ [a third-party expert consultant] 

If the first line doesn’t respect the second line, maybe you can use data. 

Silos are common — perhaps that was a part of Credit Suisse’s problem — a lack of empowerment or respect for the risk function, insufficient authority in the second line.

Maybe you can measure that — how people communicate, the language they use, and so on.”

“I’m not aware of any rule requiring banks to collect and analyze misbehavior in a way that identifies clusters of problems. That kind of cluster analysis would be helpful. Because in a big bank, with 60,000 staff, you can’t expect everyone to follow every rule. But if there are consistent, even smaller but many violations in one area, maybe that points to a weakness in communication or clarity — or even in middle management. So if you could cluster incidents intelligently, you might see systemic issues earlier — both as a manager and as a supervisor.”

3.2.2c Participants point to the value that would be achieved were we able to conduct reliable horizontal peer reviews and benchmarking exercises in the realm of culture risk supervision.

“You start by working up a system with a few jurisdictions — say New York, Frankfurt, and London — and tell firms, ‘We will do an assessment and tell you, if we were using this as part of our risk assessment, where you would stand.’ You're not using it for capital purposes initially; you're using it to help them understand their own systems. 

The conversation goes: ‘This doesn't look right to me.’ ‘Looks fine to me.’ ‘Okay, I'm going to benchmark you against your peers. This is not just my subjective opinion.’ That puts you in a different space. You're widening who you're talking to and bringing in evidence. This minimizes the number of issues that are in that standoff category where the only way forward is de escalation to enforcement.”

“Very much in the Financial Services Culture Board's methodology was this idea that you reinforce good culture by making peer comparisons, and that's a perfectly valid methodology. In terms of human behavior, it's about establishing cultural norms, particularly when you are around the City or any financial community.”

“One thing the regulators have going for them is they can look across different banks and say, look, I've done a horizontal review of these banks. You think you're pretty good in this? No, you're not — because I’ve looked at how other banks do. So regulators do have better information about certain things than any individual bank. 

And I think the regulators can also help identify, in the same vein, best practices — what's good and what's not so good — and share that across the banking community.”

“In my experience, the best way to start understanding culture issues across an industry is through a thematic or horizontal review. 

Don't make culture issues part of the individual inspection. Make them part of horizontal reviews where you grab a piece of culture — let's say, adherence to loan policy — across the entire industry. Then you can follow up on that when you go to the individual inspection.

As a supervisor, I can't give you, the company, much in the way of direct benefits from participating in horizontal reviews. But I can give you leeway if your organization wants an acquisition, wants to grow in different areas, or wants international expansion, because you've got good governance.

A bank supervisor is not going to say who is good, but in these horizontal reviews, you also don't say who's bad. When you highlight a practice that identifies good culture, a bank knows, ‘That’s me.’ We're not telling you who the others are, but on this list of 30 banks, you're number six. Now you can do what you want with that information. Now you can create a race to the top. 

You could also lengthen the supervisory cycle. If somebody's got a good culture, we only look at them every two years instead of every year, or we do a reduced scope. If I trust your culture, I don’t come back for two years, or I only do a limited update next year.”

“I'm a huge believer in doing thematic supervisory visits. You can go either institution by institution and look at what they're doing or you can test a topic across the regulated population. And that can give you a good idea of what behavior is like across the market on specific issues that can be indicators for overall behavior, and that's where you can spot gaps in culture.

The way that I've tended to oversee their use has been not to try to identify enforcement outcomes, but to actually go in and understand what's happening. And in the most egregious cases that you see, you might take some enforcement action, but the purpose is more to be able to test what the market is doing and then provide a report at the end of it and say, ‘Look, this is what we saw in your industry. Here are the examples of good behavior. Here are the examples of poor behavior and their likely outcomes.’ 

The other sort of reason that I like doing thematic work was that we would announce it ahead of time. So, if we thought there was an issue, we would announce ahead of time, ‘We're coming in to look at that, but that's a topic we're going to focus on, and we'll be selecting a certain number of firms.’ 

And they know that it's not enforcement-focused. They know that it's a genuine, ‘We want to understand how it works.’ Guess what tends to happen? You say you're coming in to look at it. Firms at that stage don't know whether they're going to be in the sample or not, but everybody then has a look at their practices. 

The whole industry then lifts because they want to put on a good show when the regulator does turn up. Then we publish a report and say, ‘Here's what good behavior looks like, what bad behavior looks like. Here's what we found.’”

“Compared to supervision at the national level that we had in the past, we now have so much more information on a wide range of banks and business models. The [Single Supervisory Mechanism (SSM)] supervisors oversee a hundred-plus banks. While the executives in a specific bank will have extensive banking experience, the number of observations and insights that we have is so much larger.”

“Participants in [the asset management] sector want to appear responsible and well governed not so much to their regulators as to their clients. For that reason, when a global body sets out ways in which they can work which will allow them to present themselves as ‘best in class,’ that has a commercial attractiveness.”

“One valuable tool supervisors can use to explain and motivate action is peer comparison. Not ‘you vs. Bank B,’ but horizontal analysis across a wide number of firms: ‘You’re in the middle of the pack here, leading there, behind there.’ That helps firms see where to improve. Yes, we must judge what counts as ‘good practice,’ but without that comparative input, firms may struggle to know where to focus.”

“If we detect something, we want to be able to say: ‘On this performance dimension, you’re a negative outlier.’ That’s powerful — especially to a board. CEOs might get defensive, but boards care. They know information asymmetries are real. They want that feedback.”

“In the SSM, we use benchmarking a lot because we have a diverse population of over 100 significant institutions, allowing us to make comparisons across peers. We try to focus on tangible, evidential facts. Of course, we don't do this in complete isolation. We have an ongoing supervisory relationship with the firms we supervise, dealing with individual banks on specific issues. We also have dialogue with the industry more generally with cohorts of banks or representative bodies. 

When it comes to benchmarking, there are a couple of different ways to think about it. 

First, within this large group of over 100 institutions, we have many different business models, from the biggest G-SIBs to retail and local banks. We can group banks into categories based on these business models and look for commonalities or differences. This isn't just for culture and risk management; we also look at data, business practices, and investment.

Benchmarking across the broader population has advantages, helping us identify good practices where some banks are ahead of others, or to spot gaps. We also look at what approaches are more suitable for a bank's size, nature, and complexity, so there are different dimensions through which we can look at these.”

“Large financial institutions, by their nature, spend significant resources with respect to risk management and compliance. It is hard to measure the effectiveness of these programs unless you have the right metrics. When complaints and settlement amounts increase, everyone asks why this occurred and seeks to identify the root cause. Absent an issue with a particular product or volatile market, those answers may not be clear. 

Identifying the root cause of misconduct across the industry, with a focus on where it is not occurring and why, would be interesting to evaluate. Are the drivers found in the compensation models, in the failure of a firm to recognize and reward the strong culture carriers who set the tone on getting it right? And how can predictive modeling and a focus on behavioral science help to cut down on issues of misconduct in the industry? These are all questions we need to continue to ask.”

3.2.2d Participants describe other innovative applications of AI to challenges of culture risk governance and supervision.

“Supervisors should make use of machine learning tools, developed and trained in a manner that incorporates behavioural science. These technologies produce actionable insights by sifting through existing data sets, found within: audit systems, accounting records, internal policies, and external regulatory compliance reports, and the multitude of ‘digital artifacts’ produced by employees in the course of their daily routines. 

Marrying behavioural science, network analysis, and complexity theory, and fuelled by data reflecting both the formal and informal interactions within organisations, such AI-driven tools offer a scalable and automated means by which supervisors may identify behavioural risk profiles consistently across the industry, allowing for proactive horizontal peer review. These tools transform supervisory capabilities and allow us to act on leading indicators of risk.”

“We've had some early success in developing a simple, multifactor logistic regression model to score the likelihood of a representative, and by representative I mean someone who sells and provides advice on investment products. The model scores the likelihood of a representative committing misconduct over a specified time period.

The model draws on supervisors' input, on predictive factors such as working experience and misconduct history of a representative, it also has tested various other factors that MAS thought were relevant. And the scores are now used by supervisors to identify higher risk transactions for samples for scrutiny.

Another example would be the use of augmented intelligence systems. For market manipulation cases, MAS often appoint industry experts to obtain a specialist assessment of the trading behavior of the suspects. However, it can take some time before the experts come back with a complete analysis and provide an opinion. 

So we developed a tool in-house in 2018, using an augmented intelligence system, and it performs automated trade analysis and assesses the likelihood of certain types of market manipulation and the likelihood that, that has occurred.”

“We need to start by recognizing the expanding task of supervision: coverage needs are much broader, institutions are much more complex, and things move faster than ever. The top three U.S. banks are at multi-trillion-dollar scale; twenty years ago that was unimaginable. 

We can’t solve this by hiring ‘10x’ more people. We need different ways of processing and acting on information — greater agility and cross-functional teaming. Specialization changes from being an asset to becoming a liability in dynamic, complex, fast-changing environments. 

This is where AI helps — not as a savior, but as a forcing function to ask: Can AI do what I do? What is the core of my job, actually? What do I really need to do? And how can AI help me accomplish that? 

That third question — re-clarifying the purpose of supervision — can guide supervision through this time of great change. Then we can design how AI augments that purpose.”

“Novel digital technologies, such as machine learning and Artificial Intelligence (AI), are providing new opportunities both for authorities and firms. 

For authorities, the use of novel technologies can improve oversight, surveillance, and analytical capabilities. It also allows for greater and more rapid processing of supervisory and regulatory data, as well as improved analysis. 

For firms, the use of those technologies can help to enhance governance processes and risk management capabilities. Artificial intelligence capabilities are powerful and can help to detect problems and promote more informed and effective decision-making.”

“What's different, among the many things that are different today, is the idea that there are metrics and that there are things like AI that can do so much more than what we did last year, much less in 2012.”

“Financial technology (fintech) has grown exponentially, and advancements in areas such as blockchain, cryptocurrencies, artificial intelligence (AI), machine learning and open banking, among others, have unlocked valuable opportunities to identify and address the most critical issues facing the sector and its regulators, including the promotion of growth and widespread financial inclusion. 

Our main role is to ensure that customers and the broader industry thrive by defining controls that protect all South Africans and prevent and pre-empt unfair treatment of customers. We also have a critical role to play in ensuring that advances in technology do not exacerbate or create new areas of exclusion or negative ethical, legal, social or political consequences associated with these technologies. 

On our part, we are taking steps to provide the correct technology solutions — such as AI — to do business with financial services providers and drive the growth of the wider sector. 

Ultimately, technology will continue to gather pace, and devices, objects, people and organisations will become increasingly interconnected. Machines will become more ‘intelligent’ as they start drawing on past experiences to inform future decisions — although the true impact on humans remains unknown. 

But, with the right governance and guidelines in place, there is potential to leverage technology to improve business operations and lives across the continent significantly.”

“Science and technology can help industry participants to push the upper bounds of management capability much further today than ever before with predictive computing capabilities and better risk analysis tools. 

Tools and expertise need to become more accessible and more mature for a wider number of industry participants to benefit, and so bank managers and regulators can better understand how complexity affects the performance of organizations in predictable ways, thus enabling them to make better decisions and to avoid lapses in consumer protection or even economic crises.”

“A common criticism of conduct supervision is that it tends to be reactive, as disciplinary actions are taken ex-post, when the misconduct has already been committed. We hope to make conduct supervision more pre-emptive, by using machine learning technology for analysis of larger and multiple datasets.”

3.3 – Supervisory Learnings to Date

3.3.1 – What frameworks have supervisory bodies considered as an effective means by which to assess culture risk governance among firms?

3.3.1a Participants described different frameworks and governance processes that supervisory bodies have trialed with a view to assessing culture.

“One way of measuring culture is to work out in a firm whether any problems or issues have been identified at the earliest point in time when they could have been identified, and then whether they've been resolved at the right level. 

This backward-looking exercise can be conducted on a regular basis to determine if systems and controls are actually working in the right way. And it should be designed in a way to discourage problems from being pushed into the bottom drawer or problems being noticed and not talked about. 

The problems referred to here will most of the time be small problems. But you want small problems fixed quickly as inevitably what is a minor issue today will become a bigger problem if unchecked. You want big problems escalated to the right person who's senior enough to fix them as quickly as possible. This is measurable and just one way of gauging culture within a firm.”

“One important aspect is how the firm behaves towards supervisors. Recording and doing regular stocktakes of not just what people from the firm say in meetings but also how they behave is important.”

“A strong supervisory risk culture needs to be built on high quality data and rigorous internal analysis. While supervisors bear the ultimate responsibility for implementing supervisory decisions directly with the bank, it is crucial that they are backed by specialist units that provide support in terms of risk analysis and early risk detection. This empowers supervisors and supports confidence in the individual supervisor and the supervisory authority.”

“The IAIS developed a significant resource for members on the use of conduct indicators providing guidance and examples… of how to draw informative, actionable and well-targeted indicators from data collections.”

“Over the years, substantial research has been invested into drawing the link between culture and corporate performance. Approaches to measuring culture have ranged from the use of surveys to more unobtrusive approaches like looking at complaints, online forums and employee emails.

MAS has been working on a Culture Assessment Framework to facilitate a supervisory strategy where intensity and focus is informed by the level of assessed risk of a given [financial institution (FI)]. 

The Framework will leverage behavioural science and organisational psychology concepts and techniques. The Framework is still in development and will broadly look to determine the likelihood that behavioural pressures in the internal and external environment of an FI would interact with behavioural patterns within the FI to result in negative control and conduct outcomes. Given the need for benchmarking across FIs, a survey approach will be adopted, with the model calibrated over time against information and insights derived from other aspects of our supervision.”

“Today, MAS has well-established methodologies and capabilities to assess traditional risk areas such as financial, operational and money laundering risks of our regulated entities. In contrast, our supervisory approach for the less tangible areas such as tone-from-the-top, leadership, attitudes and behavior are more nascent and still evolving. 

In the next phase of work, we are looking to further strengthen our approach to culture and conduct supervision in the following ways:

  • Develop a framework to assess financial institutions’ organizational culture in a structured and consistent manner. The framework and supporting methodology will leverage behavioral science and organizational psychology concepts and techniques, accompanied by an intervention framework to guide supervisory actions in addressing cultural risks in a financial institution.
  • Deepen expertise in the area of culture supervision. Our supervisors, while attuned to analyzing financial data, are extending their capabilities to collect and analyze non-financial and qualitative data relevant to the culture of financial institutions. This requires learning and application of new knowledge areas — for example, an understanding of how heuristics and biases could lead to excessive optimism and risk taking when making decisions. MAS has set up a behavioral science unit to help supervisors better understand how culture and conduct issues affect financial institutions.
  • Monitor emerging culture and conduct risks. We are monitoring risks arising from financial institutions’ digitalization efforts which have accelerated in the current COVID-19 environment. One risk to watch out for is the potential for financial institutions to embed subconscious nudges within their digital platforms to unduly pressure customers into taking up products and services. For example, time limits to complete transactions could increase the risk of hasty financial decisions. We do not think this is prevalent now, but nonetheless bears close monitoring, amongst other potential risk areas.”

“It is important for banks to assess whether the culture initiatives are effective in driving behavioral changes among bank staff. Along this line of thinking, the HKMA announced three supervisory measures for bank culture reform in December 2018, namely: self-assessments, focused reviews, and culture dialogues. 

As banks map out their own paths towards sound bank culture, they need to have a self-reflective capability to understand what their desired culture might be, and to identify the gap between their current progress and the realisation of the desired culture within the bank. With this in mind, the HKMA first commenced the bank self-assessment exercise in early 2019.

The HKMA identified several common themes in the self-assessments… For instance, the HKMA sees that assessing culture remains a key challenge for many banks. While recognising that there is no single way nor uniform set of indicators for banks to make use of when assessing culture, a more sophisticated culture assessment approach must not look at individual indicators in isolation, but must instead combine both quantitative and qualitative data from multiple sources to allow for the different culture indicators to be triangulated. 

This is where technology can play a role in assisting banks to address the challenges they face in assessing culture. With the right tools and technology, a potential exists for banks to deliver a ‘big picture’ analysis, with meaningful culture insights, to inform Boards and senior management alike. 

Such tools would permit banks to assess how close they are to achieving their desired culture, and will help them to understand what enhancements may need to be implemented in order to drive effective cultural change.”

“Our assessment process looks at several dimensions: tone from the top, leadership, communication, diversity and challenge, incentives, and accountability. Like all our other supervisory work, we have a toolkit. We look at evidence, including how meetings are held, documents, and data. We may observe the board.”

“To support APRA’s supervisors form a view of risk culture of the entities they supervise, APRA’s Risk Culture team developed the Risk Culture 10 Dimensions (RC10D) in late 2019. As well as supporting supervisors in their [Supervision Risk and Intensity Model] assessments, the RC10D is used as part of all APRA’s risk culture initiatives, giving APRA a structured approach to help assess the risk culture of entities as well as to track and benchmark their progress over time.”

3.3.2 – What have we learned from past approaches to culture risk governance and supervision?

3.3.2a Participants noted both opportunities and challenges in connection with individual accountability regimes.

“You can say things like, ‘Firms must hold people accountable.’ But the way accountability is enforced can produce dramatically different cultural outcomes in how the firm operates.”

“Senior manager accountability regimes add value beyond the ’08-’09 remuneration principles. If you can’t work in the sector again, you’ve been excluded from the financial ecosystem — that’s reputation, ego, brand, and real career harm. In our experience, discussing removing an officer or director focuses minds immediately. Understanding your personal liability matters.

Here's a thought experiment: How would behavior change for certain decisions if limited liability didn’t exist? Time horizons are too short. While some individuals think in terms of long-term stewardship, many don’t. Do you truly bear the weight of your decisions throughout your lifetime? How can you simulate that to encourage long-term incentives? That’s the tricky part.

There are two issues here: (1) the difficulty of assigning accountability for culture specifically; and (2) what you can do to mitigate culture risks that lead to bad outcomes. 

I still believe that establishing more personal liability, rather than implementing purely financial measures, can mitigate some of the more egregious cultural risks. However, culture is a shared responsibility, which, by definition, diffuses accountability. If something goes wrong, one could argue that the entire board is responsible. 

This doesn't negate the merit of individual accountability regimes but does complicate matters. By embedding sharper individual incentives, you can collectively improve culture risk management. While it doesn't solve cultural accountability directly, it can influence overall outcomes for risk control.”

“Individual accountability regimes such as the UK’s PRA Senior Managers’ regime are helpful, because they make clear which individuals bear responsibility for taking action to address risks to safety and soundness. Remuneration also needs to be linked to these accountabilities. These measures are necessary but not sufficient.”

“Focusing on conduct and culture, and holding individuals accountable, can send the message that — regardless of who you are, the revenue you bring in, or the role you play — misconduct can be career-ending, or at least career-limiting. 

Demonstrating a focus on these issues can also result in a decrease in the amount of money paid in settlements to customers or regulators. Such settlements can have reputational impacts for the firm. And while not readily quantifiable in dollar terms, there is certainly a financial and reputational impact for recidivist firms.”

“We see the [Individual Accountability Framework (IAF)] as an important addition to the wider regulatory framework — one which will help underpin sound governance across the financial sector by setting out clearly what is expected of well-run firms and responsible role holders. 

The overarching aim of its introduction is to strengthen and enhance individual accountability in the financial services industry. It also seeks to ensure that there is clarity within firms on the responsibilities and functions of senior executives — providing transparency to supervisors and the public, but also empowering role holders by making clear what they are responsible for.

While the IAF is an important step in a regulatory framework designed to foster a well-run and stable financial sector, it goes without saying that ensuring and delivering good corporate governance will remain the responsibility of firms themselves.

Over time our strategic hope is that, along with our other efforts, the IAF will help make firms take more ownership and responsibility for running their business and addressing any risks or deficiencies they may have. Our supervision will continue to take a risk-based, proportionate approach, reflecting the context of smaller, less complex, and/or less risky firms.”

“When it comes to identifying who is specifically responsible for mismanagement, the answer is often unclear — a systemic issue driven by two factors. First, there’s the ‘accountability firewall,’ a breakdown in information flow that disconnects the top leadership from the ‘engine room’ of the bank, shielding senior executives from accountability. Second, collective decision-making fosters what’s known as the ‘Murder on the Orient Express Defense’: when everyone is to blame, no one is truly accountable. Together, these dynamics erode individual responsibility.”

“When someone is dismissed from a firm and a new firm hires that person or is thinking of hiring them, the firm calls the old firm, and the old firm's incentives are on the side of ‘no comment’ because they don't want to risk being sued. They don't want the potential legal liability. And so that allows bad actors to essentially move around the regime. 

It would be pretty simple to set up a registry that people could query to ask ‘what are the reports about this person?’ And if there was a consistent story of bad behavior, then people would be aware of it. 

The purpose is not just preventing bad people from being hired again. It creates a different set of incentives: if I know that I do something bad, and not only am I going to cost myself a job at my current firm, but it might cost me my career in the industry. That raises the bar considerably.”

3.3.2b Many participants reflected on how a focus on Tone-From-The-Top, while necessary, has had limited success.

“A healthy risk culture is critical to the safe and sound operation of a bank and that culture starts at the top. The OCC’s heightened standards for large banks make it clear that executives are responsible for fostering a healthy risk culture. It’s something examiners are trained to look for, and it is something the agency discusses with the executive teams and directors of the institutions it supervises at every opportunity.”

“Tone at the top is not just a set of statements — it’s about consistency. It’s elevating responses, handling customers in a way that’s rational, transparent, and consistent. That means asking: what are the risks in this product? What conflicts exist in how we sell it or advise on it? 

This was true 12 years ago when we sought to address culture at FINRA, and is true today. Whether it’s stablecoins, digital assets, or private capital, the challenge is the same: give customers access to opportunities while managing conflicts and risks. 

Firms that do this well continually ask two questions: How do we provide better products and opportunities? And how do we make sure clients understand the risks they’re taking? That ongoing internal dialogue — at the top and in middle management — is the hallmark of a good firm. Regulators want to see that. Ideally, they judge it continuously, not only when something goes wrong.”

“A sound risk culture encourages open dialogue at all levels of an organisation and welcomes challenge. This is applicable to both regulated firms and supervisory authorities. The key messages that drive the behaviours leaders are trying to instil in an organisation should be kept simple, repeated often, and lived throughout the organisation. It is important to avoid high-level platitudes that no one really believes.”

“A strong tone from the top for an appropriate risk culture is set by leadership that builds, invests in and continuously, genuinely supports an environment where employees feel empowered to speak up, which encourages constructive criticism and challenge. The tone from the top is a crucial element in delivering on the right culture. But it is not the only one.

Risk culture is supported by structures that enable it to flourish in an organisation. These structures are like the timbers that hold a house together in a storm. Strong policies and processes represent the key structures building a good risk culture within a bank. Policies creating appropriate incentives and establishing clear lines of accountability and ownership as well as necessary checks and balances, and processes promoting diversity of thought and a culture of effective challenge all immediately come to mind. But there is far more to it than that.

A culture must also be reinforced by risk management, legal and human resources structures that are aligned, underpinning an overall governance framework at the supervisory and management body levels that is healthy. The structures that support the governance framework and risk culture need to be tested and monitored to determine whether they operate as intended and can withstand stress. And coherence across all elements is essential.”

“Well, my view is that culture and conduct risk issues should be owned at all levels of management to have the broadest impact on the organization. But the tone at the top is critical, starting with the board and executive leadership and continuing with business line leaders. The first line plays a fundamental role in setting the tone around what is acceptable and what is not. The second and third lines also play an important role in the process, but the buck stops with the first line.

We can’t lose sight of the important role that middle management plays in setting the tone for employees who do not have regular exposure to senior or tenured leaders in the organization. It is impossible to hold C-Suite executives responsible for the conduct of a first-year analyst. It is the influence of those middle managers that will have the most significant organizational impact, establishing what it takes to be promoted.

Employees will take their lead and imitate the behavior of those with whom they work most closely: middle managers. What often motivates people is how they will be paid. So, the question that organizations should ask is, ‘how do culture and conduct issues impact compensation and promotion in the organization?’ If there is no impact, that sends a strong message that those things don’t matter.”

“Reference to a code of conduct has a number of salutary features. For one thing, referring to a code of conduct when providing non-legal advice allows an attorney to stay within a legal framework. After all, the code of conduct is an internal rule and has implications under many public laws. For another, referring to the code of conduct reinforces its salience in day-to-day decisions, helping the document to obtain greater traction within the organization. This may help curb the perception of some (perhaps justified) that codes of conduct are ‘little more than worthy statements with little or no impact on behavior’. A code of conduct, of course, does not provide an answer for every ethical dilemma. A code may, for example, mandate that employees act with integrity at all times. But what does that really mean in an actual, real-life situation? The attorney can be a partner with the business line and others in reaching a decision. The attorney must also be a guardian of the firm’s integrity by raising the question if no one else has.”

“Tone from the top is a necessary but not sufficient condition for a good culture. It gets you about 10% of the way. If you don't have the tone from the top, you haven't got a hope. But just getting it right does not get you there. It is absolutely possible to sit atop a company and not know what's going on.

Tone from the top includes what the board and C-suite say and what they do. There are examples where leaders said the right things, but major events later showed the risk culture wasn’t there. There are also examples where public statements aspired to one culture, but behaviors, controls, and internal discussions sent a different message. Actions matter.”

“Everyone talks about tone-from-the-top as if it magically translates into something within the firm without ever actually investigating whether that's the case or not.”

“Many firms have striven mightily to improve the clarity of ‘tone at the top’ and have deployed countless employee engagement surveys in an effort to measure their staff’s commitment to the firm’s stated values and to identify troubling subcultures. The frustration, however, has been that these activities haven’t really moved the needle very far.”

“Phrases like ‘tone at the top’ risk reducing culture to optics or slogans. The real supervisory challenge is diagnosing the operating culture at all layers of the institution.”

“Virtually every publication on culture asserts that the ‘tone from the top’ is critical in any organization… However, more important than what is being ‘said’ at the top is what is being ‘heard’ and experienced in the middle. Front-line supervisors are the ones who translate the tone from the top and communicate supervisory culture outward to the regulated community. 

And this is precisely where the message gets obfuscated. 

If the experienced culture of the organization is not consistent with the tone from the top, action is needed… It may well involve altering message delivery so it is properly heard, understood, and acted upon.”

“Culture runs down the organization, not just at the top. As a supervisor, you want leadership to influence all the way to the grassroots. Good people in good governance that never reaches the bottom won’t help you.”

“Our on-site inspections … typically involve in-depth conversations with a large number of employees across all levels of seniority and across the three lines of defence. Qualitative data from these conversations are analysed to distil insights on organisational values and shared norms, as well as areas of potential concern. The work is resource-intensive, but it brings a level of understanding that we would otherwise not have gained. 

Common themes and patterns emerging from these conversations are shared with senior management for reflection and action — a common one being how organisational values, even though regularly communicated by senior management, are not translating into desired behaviours on a day-to-day basis.”

“To know whether employees understand the board’s desired values and behaviors, you need mechanisms to monitor and measure behavior on the ground. 

Many jurisdictions, including ours, make sure institutions — banks in my case — have feedback mechanisms to collect what’s happening on the ground. Some banks do short employee surveys on a regular basis to monitor aspects of risk culture and to understand whether frontline colleagues grasp what senior management or the board ask them to do — or not to do. 

If there are whistle-blowing cases, you need a positive speak-up culture. If someone sees something wrong, they should feel comfortable to speak up, and there must be a mechanism that allows it. You need these feedback loops so that senior management can periodically form a view of how well colleagues understand the expectations. 

That’s an outcome-driven way of looking at whether the core values are being propagated. It’s easy to say, ‘We’ll hold regular town halls,’ but that’s just a mechanism. The important point is making sure town halls are effective — and that people act accordingly afterwards. You can only do that with proper feedback loops built into the framework. 

Of course, it’s difficult to gauge the accuracy of surveys, and whistle-blowing can sometimes be the expression of a disgruntled colleague. But you only need one useful case out of a hundred to understand what’s happening. So those mechanisms remain important — but quality control is key. The fact that people may not speak up is not a reason to forgo them.”

3.3.2c Some participants noted challenges associated with utilizing compensation and incentive schemes to drive cultural change.

“Compensation practices are deeply intertwined with an organisation’s culture. They are pivotal in shaping employee behaviour and aligning employees’ actions with the long-term goals of financial institutions. Conversely, compensation schemes that prioritise short-term gains can incentivise excessive risk-taking, potentially leading to financial instability or misconduct.

Compensation is not merely a financial mechanism; it also serves as a significant cultural signal within an organisation. The way employees are rewarded sends strong messages about what behaviours are valued and encouraged. Establishing and maintaining a sound risk culture, with a clear tone set from the top, is fundamental. Incentive schemes are an important element of any such ‘tone.’

Some key learnings can be drawn for designing appropriate compensation schemes:

  1. Compensation schemes should be aligned with the long-term objectives of the organisation.
  2. Financial institutions should integrate risk management into their compensation frameworks.
  3. Clear communication about compensation policies and their rationale is essential.
  4. Compensation practices should be consistent with the broader culture of the organisation.

Despite the clear benefits of well-designed compensation tools, their implementation remains challenging.

  1. Clawback provisions are particularly challenging to enforce due to legal and cultural hurdles.
  2. Implementing compensation tools such as malus and clawback involves significant administrative effort.
  3. Compensation structures are becoming increasingly complex, challenging to implement, and difficult to communicate effectively. This complexity can result in unintended consequences.
  4. Compensation tools can impact the ability of financial firms to attract and retain talent. Regulatory requirements in remuneration are not fully aligned across jurisdictions, creating an uneven playing-field and potentially disincentivising employees from joining firms with stringent compensation frameworks.

The effectiveness of compensation tools also hinges on their integration into the broader risk culture of the institution, with proportional application being crucial to maintain a balance between attracting talent and ensuring robust risk management.

  1. Strengthen the Board and Remuneration Committee Rules: Firms should ensure that their Boards and Remuneration Committee members have the necessary skills and independence to oversee and apply compensation tools effectively. Further, they should seek to enhance governance frameworks to support their Boards in making informed and balanced decisions regarding compensation adjustments.
  2. Foster a Strong Risk Culture: Compensation practices should be deeply intertwined with organisational culture. A culture of accountability and strong risk management is essential.
  3. Enhance Transparency and Simplification: Clear communication regarding compensation frameworks is crucial, as is clear discussion of how compensation outcomes link directly to firm performance and its prudent risk management.
  4. Regulatory and Supervisory Roles: Regulators and supervisors play an important role by setting expectations and monitoring the use of compensation tools through the guidance they offer, the standards they establish, and the supervisory activities they conduct. To ensure that compensation tools are legally sound and aligned with regulatory expectations, firms must engage with regulatory bodies to develop clear guidelines and support for the effective use of compensation tools.”

“It wasn't long ago that a trading desk team would be allowed to share around 30% of the trading profits for that year as a bonus. I think that's wrong. These are the brightest people in the world, but they are risking the bank's capital. If they win, they get 30%; if they lose, the worst that can happen is they get fired and go somewhere else. You get situations like the ‘London Whale’ at JP Morgan. That colossal loss was manageable for JP Morgan's balance sheet, but imagine if it happened to a different bank.”

“I do think it is very important to align pay programs with performance, but also with risk governance.”

“A lot of times, if you don’t like the outcomes, it’s usually because the incentives are misaligned. I’ve argued that having more of the compensation be deferred, long-term subordinated debt — sort of mimicking a partnership-type structure — might create different incentives for risk taking, a longer time horizon, and greater consequences if the firm were to get into great difficulty or even fail.”

“It becomes clear why laws and regulations are insufficient to address the root causes of misconduct. Laws might provide the outer guardrails for what is ok and not ok. They can make certain kinds of transactions illegal — wash sales, or trades that artificially manipulate a fair market price. Within those boundaries, however, regulated firms and individuals make judgements about what is right and not right. 

Take compensation — a feature of European banking regulation, but not a significant component of US law. It’s one thing to impose caps on bonuses, or to mandate deferrals across several years. It’s another to decide, within the legal limits, the right level of compensation to help achieve desired outcomes. Each firm needs to decide for itself how it wants to operate, what kind of culture will achieve its goals, and what kind of incentives will reinforce that culture. I don’t think laws and regulation alone can get the job done.”

“One major lever is incentive systems. Incentives drive culture. You must understand what people are rewarded for. There is of course the element of supervision regarding compensation, which is perhaps more of a European thing.”

3.3.2d Participants highlighted how difficult it can be to push through meaningful culture change and the tendency towards superficial fixes.

“One approach is to set a regulatory expectation that firms define a desired culture consistent with regulatory objectives, assess actual culture effectively — this is key — and then take steps to close the gap between actual and desired culture.

The New York Fed has convened supervisors on this for a while, and many have tried things. Maybe they’ve had better results than I’ve seen — but it doesn’t feel ‘cracked.’

We see the announcements, posters on walls, focus groups, surveys with ‘right’ answers. We see remuneration and promotion changes. But are behaviors actually changing? Everything we read says they should — yet behaviors tend to come back.”

“I've had many conversations over the years where it took me quite a bit of time to convince senior bankers that no, fixing the problems the supervisors have uncovered is not sufficient. It’s necessary, but it’s not sufficient.

You need to be able to figure out how to do this on your own. And only when you do it on your own will you be where you need to be in terms of the supervisory community. 

A classic example is the three lines of defense for risk. I think it works as long as people understand what each line is supposed to do… For a long time, banks didn’t really get that the first line needed to own it.

And for many, many years, banks didn't get that when the supervisor came in and had a finding, it wasn't sufficient for the bank to remedy the failure that was uncovered. The bank really needed to get to the point where they could identify the problems and fix them on their own.”

“In APRA’s experience the most important indicator of whether change is embedded is evidence of a self-sustaining culture of continuous improvement. 

A successful transformation moves the dial from a reactive and complacent culture to a mindset of ‘chronic unease’ that values constructive challenge and continuous improvement.”

“Occasionally, both as a consultant and historically as a regulator, you'll get people who come along and say, ‘Please give me a tick list for what's a good culture.’ Well, that's almost an immediate fail, if you think it's a tick list. 

If you remove discretion and judgment from your senior and middle leaders, it almost becomes a scenario in which they believe they can do anything they want as long as they feel they have ticked the right box. And that's an incredibly dangerous place to be. 

This, I think, is one of the most scary things: ‘We've ticked all the right boxes, and these other 15 people have ticked all the right boxes, so this decision must therefore automatically be right. Don't rock the boat.’ 

Things like the Consumer Duty [in the United Kingdom] actually reinforce that idea of an expectation of judgment being applied. It is the role of senior leadership not just to follow the rules, but actually to apply judgment around those commercial situations where you think about the spirit as well as the letter of what's trying to be achieved.”

“It’s easy to talk about the importance of leadership standing up, about senior and middle management delivering the same message. I absolutely believe those are critical. But in practice, drilling down into them is hard. I’ve sat with firms and heard their various approaches, and from the standpoint of developing culture risk ratings, it’s not simple. 

Don’t get me wrong: the fact that it’s hard is not a reason not to try. Improving the predictability of how culture is assessed and improving outcomes for firms is absolutely worth pursuing. 

That’s why we went down this road 10-11 years ago at FINRA. We saw it as important then, just as it is today. You want to feel confident in how a firm will respond to new challenges — sales practices, transparency, consistency. Culture is crucial. It’s just hard to pin down.”

“Reference to a code of conduct has a number of salutary features. For one thing, referring to a code of conduct when providing non-legal advice allows an attorney to stay within a legal framework. After all, the code of conduct is an internal rule and has implications under many public laws. 

For another, referring to the code of conduct reinforces its salience in day-to-day decisions, helping the document to obtain greater traction within the organization. This may help curb the perception of some (perhaps justified) that codes of conduct are ‘little more than worthy statements with little or no impact on behavior’. 

A code of conduct, of course, does not provide an answer for every ethical dilemma. A code may, for example, mandate that employees act with integrity at all times. But what does that really mean in an actual, real-life situation? The attorney can be a partner with the business line and others in reaching a decision. The attorney must also be a guardian of the firm’s integrity by raising the question if no one else has.”

3.3.2e Participants highlighted how difficult it can be to push through meaningful culture change and the tendency towards superficial fixes.

“Some regulators around the world see everything through a prudential lens, where a capital scaler can deal with pretty much most things we might think of as culture or conduct. In other words, your behaviors will improve as long as we make it sufficiently commercially painful in terms of capital requirements.”

“In a world where complex non-financial risk is growing rapidly, global regulators are increasingly recognising that the key to viability is not only to require more capital and liquidity, but also for supervisors to require good governance and a sound risk culture.”

“For supervision to effectively complement regulation, the deployment of well-defined qualitative measures is essential. Supervision cannot rely solely on adjusting quantitative capital or liquidity requirements to banks’ specific circumstances. 

No feasible amount of capital or liquidity can compensate for risks arising from poor governance or unsustainable business models. By contrast, early supervisory dialogue and moral suasion can often resolve directly issues identified during supervisory reviews.”

“How does a supervisor make a bank remediate its culture issues? The problem is not so much that when the bank is hit with a capital scalar related to culture issues, it just shrugs and says it's the cost of doing business. It's more that the bank may genuinely not know how to turn its culture around. 

It's a difficult thing because a lot of these banks are federated in terms of their cultures and there are long chains of command to different business units. So trying to send a message down those chains about the desired culture, and to get that message turned into action, is difficult.”

“It is far too easy for many to conclude that additional capital and liquidity are the answer to culture issues. But increased capital should not permit for a tradeoff that allows bad culture to prosper.

Credit Suisse had one of the highest capital standards in the world. It didn't help. That's a culture issue. No amount of capital or liquidity saves a bank — even a G-SIB — from weak management and poor corporate culture.”

“Recurrent breakdowns — in conduct, governance and stability — demonstrate that resilience is not achieved through capital alone. Resilience depends on decision-making. And decision making is shaped by the norms, incentives and behaviours that define how institutions operate. It is shaped by culture.”

“Work on corporate governance was one element of a multipronged effort undertaken by the Financial Stability Board (FSB) and standard-setting bodies to strengthen the overall safety and soundness of financial institutions in the wake of the Global Financial Crisis.

This effort led to the introduction of a range of new measures aimed at strengthening governance frameworks and practices at financial institutions. It covered board effectiveness and risk management, senior management accountabilities and responsibilities, risk culture, and financial and non-financial incentives:

  • The FSB Principles for Sound Compensation Practices, issued in 2009, provide guidance on how financial institutions should design and implement compensation policies that are both transparent and subject to appropriate governance and oversight and that align employees’ incentives with the long-term profitability of the firm.
  • Supplementary Guidance to the FSB Principles, issued in 2018, provides firms and supervisors with additional guidance and a framework for considering how tools, such as in-year bonus adjustments, malus or clawback, can be used to reduce misconduct risk and address misconduct incidents.
  • In 2013, the FSB published Principles for an Effective Risk Appetite Framework to provide guidance on how to develop and implement a risk appetite framework that specifies the level and types of risk that an institution is willing to accept in pursuit of its strategic objectives.
  • In 2014, the FSB provided guidance to supervisory authorities on how to assess and promote a sound risk culture within financial institutions that is aligned with the institution’s values and strategy and ensures that risk management is an integral key part of the institution’s operations.
  • In 2018, the FSB published a Toolkit for firms and supervisors to use in order to tackle the causes and consequences of misconduct.

So why have regulatory reforms to date failed to prevent governance failures? One possible explanation is that supervisors and regulators have been too focused on technical measures, such as capital requirements and risk management practices. Capital, liquidity, and related standards are essential to a stable financial system. Compliance and risk management processes are necessary but not sufficient.”

3.3.3 – What are the informal challenges with integrating culture supervision into regulatory bodies?

3.3.3a Still others describe cultural barriers to trialing new approaches and encouraging the internal risk taking that innovation demands, making it difficult to drive change in practice.

“I also wouldn’t underestimate the frustration felt by regulators, who are increasingly open to seeing RegTech solutions trialed, and especially where we have seen repeated risk management failures. Institutions need to move past this frustration and work on improving risk management through investing in innovative solutions to reduce the reputational and financial costs of noncompliance.”

“Over the last decade, I would say, we've been moving from a more compliance-based approach into one that's more outcomes-focused and risk-based. That shift requires different skills from our supervisors. 

It's comfortable for supervisors and firms to have a more prescriptive idea of what 'good' looks like — to go in and say, 'Okay, if you meet these criteria then that's fine, you guys carry on.' The conversations we're having now, and have had for the last few years, are very different. They revolve around how firms assure themselves that they have set themselves up well to be sustainable, to manage their risks effectively, and to achieve their strategic outcomes, particularly customer outcomes from our perspective. 

It's about supporting people to ask the right questions, and having the confidence not to feel you always need to have the answers as a supervisor, or indeed to always expect the firm to have them. Sometimes these challenges aren't binary or straightforward — it's not just 'do this, do that.' It's sometimes about working through them together.”

“Two types of errors loom: 

Type I (false positive): calling out problems that aren’t really problems. These are costly ‘inconveniences’ that accumulate and erode trust between banks and supervisors. 

Type II (false negative): missing real problems — like SVB in 2023, or the Financial Crisis in 2008. These are catastrophic errors. 

Historically, the pendulum has swung between a ‘tougher’ and ‘looser’ regulatory environment, mapping crudely onto those error types. We should aim to minimize both. That requires openness by supervisors to reduce false positives without blunting detection of true risks. 

After 2008, the intent of being ‘tough’ wasn’t to create useless headaches for firms; it was to address big risks. Likewise, the industry pushing back wasn’t about inviting future blow-ups. 

It’s not just about ‘gas’ or ‘brake.’ Some industry arguments are ‘full brake,’ others are ‘full gas.’ Neither is sustainable. But policy has defaulted to these kinds of binary moves and emotions are running high on both sides. 

What doesn’t help is each side retreating to its echo chamber to get hyped by friends. Leadership has to call a time-out, identify credible mechanisms or projects, and create space for objective work. We need a third way — something to permit for better ‘steering’.”

“Establishing the right supervisory mindset and culture — especially a bias to action — is critical to effective supervision.

That seems fairly well accepted in principle. So the relative lack of attention given to the issue by the relevant international bodies tasked with promoting good supervision (primarily the BCBS, IAIS and FSB) is perhaps somewhat surprising.

Globally, supervisors have rightly recognised governance and culture as important contributors to the financial safety and soundness of regulated firms. More attention has therefore been given to drivers of culture, and particularly to the design of incentives for risk-taking. And yet this attention to culture within firms has not flowed into similar international efforts to strengthen the mindset and culture of financial supervisors.

The current guidance on establishing an effective supervisory function focuses primarily on the necessary infrastructure — mandates, legal powers, skillsets, etc — but neglects any mention of the role of leaders in setting the right culture for their organisation. We have learnt that this emphasis on risk governance infrastructure over risk culture is insufficient in financial institutions, and it’s no different in supervisory agencies.”

“The supervisory personnel are talented, experienced, and smart people, it’s just really hard to determine the key things for an institution that need attending to, and it’s hard to devise a way of measuring things that are hard to measure, so it all just ends up being very diffuse. That’s a supervisory culture issue as much as a bank issue. 

We need a supervisory culture that is less focused on administration and more focused on key risks that can be measured and ameliorated — which again puts a premium on seeking to find ways to measure and monitor key cultural risks.”

3.4 – Re-setting Institutional Memory

3.4.1 – How can supervisory bodies move to embed culture risk into supervision and governance frameworks?

3.4.1a Participants describe current efforts to incorporate culture risk into supervision and highlight the questions that such efforts raise.

“Success in culture supervision would involve:

  1. identifying firms with cultures that pose risks to safety and soundness;
  2. having effective supervisory techniques to diagnose the specific problem behaviours accurately;
  3. persuading senior management that the firm has a problem and overseeing an effective program by the firm to tackle it; while, in the meantime,
  4. requiring additional financial resources against the higher risk. 

All of these elements are very hard to achieve. An open question for me is whether the cost/benefit of putting more resources into this aspect of supervision is worth it in a world of limited supervisory resources and limited political capital.”

 

“[Post GFC], the FSB’s work moved from risk governance to risk appetite and then on to risk culture, getting at the link between incentives and risk-taking: inadequate controls, inadequate capital, and so on. ‘Culture’ became a convenient wrapper for describing that ecosystem of risk control. 

But walking into an institution and saying — even with common terminology — ‘we think there are problems with your culture’ is tough. It’s even tougher to explain what effective remediation looks like for situations that are highly subjective. 

It’s case- and situation-dependent; it’s about how behaviors shape decisions and the circumstances under which these are affected. Sometimes command-and-control behaviors might be necessary given the operating environment, even if they create other risks. 

So, this isn’t work for the inexperienced supervisor or the ill-informed — and even for the experienced and informed, it’s a minefield of difficult decisions that are hard to make practical and [ultimately] enforceable.

I’m not sure what effective culture supervision really looks like. Incentive work matters. Remuneration reforms started and then stalled. Clawbacks and deferrals attracted workarounds — maybe they weren’t as meaningful as intended in ’08-’09. Accountability regimes get closer to the nub of the issue — ensuring people own and understand the consequences of risks they take — but that still leaves supervisors opining on individual performance and accountability. How objective can that be, and do we even want the moral hazard of stepping into those decisions?”

“For us, in the guidance that we give to firms, we talk about things like norms, attitudes, and behaviors related to risk awareness, risk-taking, and risk management. We also look at the controls around how decisions are made. We believe risk culture influences the decisions made by employees and management in individual firms. While that may sound hard to pin down, it goes to the fundamental idea that these norms, behaviors, and attitudes inform decision-making and risk-taking. Since we are concerned with decision making and risk-taking, we should be concerned with these norms. 

We directly supervise over 100 so-called significant institutions — the largest banks in Europe. The ECB also oversees the supervision of many thousands of other firms, the less-significant institutions supervised by national competent authorities. These issues of governance, risk management, and culture, of course, prevail across all these banks. We must find a way to put a framework around them and think about these issues.”

“Supervision has to be judged against its objectives. For the PRA, our primary objective is the safety and soundness of supervised institutions. That doesn’t mean firms won’t fail; it means we’ll have an analytical framework and mechanisms to ensure we can identify which firms pose risks to our objectives, including that they may fail, so we can ensure they can fail without threatening the system. 

Good supervision involves: individuals or teams with the knowledge, empowerment, and tools to assess a firm against a defined supervisory framework at the firm level; who can judge whether the firm meets requirements and benchmark it against peers; who can form judgments about where risks of falling short may come from; and who can communicate those judgments effectively to the firm in a way that’s understood and actionable.”

“APRA’s supervisory risk assessment process considers: governance, culture, remuneration and accountability risk for every entity, alongside more traditional risk types, with more detailed assessment for the largest entities.”

“The supervision of risk culture has been an elevated area of strategic focus for APRA in recent years and is a key part of APRA’s ‘transforming governance, risk culture, remuneration and accountability’ community outcome outlined in its Corporate Plan. 

As supervising risk culture requires different skillsets and approaches compared to traditional areas of prudential regulatory focus, APRA has established a specialist Risk Culture team which has enabled APRA to enhance its focus on risk culture through a broad range of activities. 

These activities include: the development of a risk culture framework, the roll-out of a risk culture benchmarking survey, the completion of a number of deep dive reviews of entities, and the up-skilling of supervisors in how to assess an entity’s risk culture. 

The team has also harnessed a range of innovative tools such as natural language processing and developed a risk culture transformation toolkit to help embed risk culture change in the long-term.”

“I think the significance of culture is that it's become a very useful compendious concept to help us understand what's going on in organizations and how to improve them. Historically, what's probably happened is that we underestimated the importance of culture. And what we've learned is that it's actually really important. What we're grappling with now is how to integrate that into our whole approach to supervision.”

“Markets work best when investors and participants trust that the rules are clear, that misconduct will be addressed, and that outcomes are not skewed by asymmetric information or unmanaged conflicts of interest. IOSCO enables this trust by fostering consistency in regulatory standards, supporting supervisory and enforcement cooperation, and encouraging compliance with high conduct expectations.

Since the global financial crisis, regulators have increasingly focused on organisational culture as a critical area of interest. Culture drives behaviour, and behaviour determines outcomes — not only for individual firms but for the integrity of markets overall. 

Regulators are not in the business of prescribing corporate culture. However, we do have a role in assessing whether firms are actively managing culture in ways that reduce conduct risk and promote good outcomes.”

“Culture isn't a theoretical, philosophical topic. It's a hard reality, an obvious reality that needs to be examined from a regulatory lens. And the conduct rules can serve as the conduit to hardwire culture within the regulatory framework as they are the things that are enforceable when things go wrong. They're the things that can create a structural framework within a firm that a firm itself can apply to its own conduct and its own values. 

Integrity is also an obligation and a value that people need to demonstrate and express in some tangible way. It's something that firms need to be able to examine and assess by asking themselves the following set of questions: Do we have the integrity that we're meant to have? Do our staff have the integrity they're meant to have? And how do we know that? What assurance do we have? Is negative assurance enough, or do we need more positive evidence that the people that we trust in these positions of responsibility actually have the integrity that they need to have?”

“During my time at the FCA, we used a useful tool in supervising banks that approached this challenge in a useful way: the Five Conduct Questions. The questions were extremely simple and powerful ways in which firms could interrogate themselves in a way that then allowed them to provide helpful information to the regulator. 

The FCA produced a report every year about how these questions had been answered by firms. Looking at each of those reports in succession, they start off talking about tone from the top as the way in which firms were proactively implementing this kind of approach. Then they started talking about the tone from above, which is the tone from your immediate line manager. And then finally, they started talking about the tone from within. And this is starting to really get to grips with the culture within the firm. 

It's one thing to have an idea about how your CEO or line manager might respond in a situation. It's another to be clear about how you might respond on your own and why. Whether stated directly or not, the development of tone from within via training, self-reflection, and self-challenge can be a precursor to wider corporate change. Now I think that's starting to create something really specific, tangible, and real within a firm that's valuable not only to the firm, but to the regulator as well. 

Good supervision should be in the interrogative mood, to use a grammatical term. It's not an interrogation in the sense that it's like a cross-examination, but it is an interrogation in the sense that supervisors need to be on the front foot asking questions. And the five conduct questions are exactly that. And they're a useful tool for firms to use to start to build some evidence about what sort of culture they really have.”

“[O]ne area we should explore is operational resilience. As the pandemic unfolded, global regulators significantly increased their scrutiny of operational resilience. A next step would be to consider tools, like stress testing, that would allow for a more systematic assessment of operational resilience — and allow us to ‘test’ resilience across the different constituent elements beyond financial resilience — to include areas like operational resilience and organizational resilience. 

It’s this last piece — organizational resilience — where I see the opportunity to draw the linkage between operational and organizational resilience, and more specifically to conduct and culture — and to consider questions like:

  • Is your organization — your workforce/your people — resilient to the next crisis? How will the organization react to the next event — and will your organization be able to ensure that critical operations and activities continue to run as expected?
  • Is your culture strong enough to withstand the types of changes that could come in the next type of crisis? What are the critical aspects of your culture that ensure that your organization can adapt — and what are the ways that you can reinforce and build that now?

In the same way that regulators were able to identify weaknesses in financial resilience — both quantitatively and qualitatively — and ensure that financial capacity was reinforced to withstand the stresses over the past couple of years, now would be a good time to focus attention on a similar approach to non-financial risks (e.g., operational, operational resilience, etc.).”

“In 2019, [the FCA] set up a working group to explore the concept of purpose and consider the business case for purposeful cultures. The working group was made up of representatives from firms and professional bodies, as well as academics and subject matter experts.

When we launched our Transforming Culture initiative, it was rare to hear the concept of ‘purposeful cultures’ discussed in the same sentence as financial services. But, during the time since, there has been a huge increase in attention to the topic and, now, it is rare not to hear it discussed when considering the elements needed to drive a healthy culture. 

The purpose of a firm sits at the heart of its business model, strategy and culture. There can be a tendency to determine business model and strategy first, and to then try and retro-fit purpose. But this is the wrong way around. Organisations need to ask themselves what their purpose is, and then determine a business model and strategy that aligns with it. 

At the FCA, we describe purpose as ‘what a firm is trying to achieve — the definition of what constitutes success’. A firm’s purpose is its own responsibility, and should not be prescribed by a regulator, but we want firms to recognise its importance in driving behaviour and the culture of an organisation. Firms and leaders who don’t recognise the importance of purpose may be more likely to drive behaviours in their organisations that could lead to misconduct. 

So, purpose is one of four drivers of culture upon which we focus in our supervision of firms, alongside leadership, approach to people, and governance. To understand culture, we assess the effectiveness of these four drivers in reducing the potential for harm that could arise from a firm’s business model or strategy. When considering the effectiveness of purpose, we look at: how a firm describes its aims through its narratives; how these are understood by staff and whether they are aligned with good outcomes; how purpose is reinforced, communicated and demonstrated by leaders; and the extent to which a firm acts as a good market participant. 

If a firm’s purpose and associated business model, strategy or activity is contributing to — or exacerbating — the risk of potential harm, then firms can expect increased supervisory scrutiny.”

“We should be talking about governance with firms in a way that asks — quarterly and annually: is your culture consistent with your stated values? And what do we think needs to change about you leading the firm to ensure that alignment? As regulators, we should ensure that discipline is happening. But it’s the board’s responsibility to handle the substance.

We should ask: have you explicitly articulated your institution’s core cultural values? Have you documented them? How do they relate to creating shareholder value? Are you actually monitoring whether those values are lived throughout the organization? What’s your review process? Do you assess compliance annually? Do you examine how your values contribute to performance? 

Now, there’s an element of faith in this. We have to believe that if we focus on the discipline of governance, and make sure culture is being examined regularly, the desired outcomes will follow. 

That’s not a guaranteed link — but I’d rather take that leap of faith than try to define culture for every institution. That’s a slippery slope. Suddenly we become the cultural overlords — defining corporate culture across the financial system. That’s not our mandate. 

Shareholder value and financial stability are tightly aligned. Our job is to focus on the discipline of process, not to pass judgment on outcomes. As a board, are you ensuring your values are being carried through the organization? If you are — and if it’s credible and reasonable to us — you don’t have a problem. And if, despite that, something goes wrong, we’ll deal with it. But we’re not going to over-engineer our involvement just to prevent a black swan event. That’s not our role.

Let me give a related example: CEO or Board Chair succession. Don’t tell us who you’re appointing — we don’t need to know. But show us that you ran a principled process. Did you define the role’s requirements? Did you consider a slate of candidates? Did you engage stakeholders — shareholders and employees? If that process is there, we’re satisfied. 

And it’s the same with culture. We don’t dictate outcomes — we ensure there’s a credible, disciplined process in place.”

“If avoided persistently, the ethical dimensions of problems become less recognizable. When a truly serious ethical dilemma arises, employees will have little preparation for identifying it, much less resolving it. That concern motivated the New York Fed to launch the Education and Industry Forum’s case study project. Ethics is a skill and should be a habit. Like playing the piano or hitting a curveball, it requires sustained practice to maintain any facility and acquire some degree of mastery.”

“Across regulators and firms, we’re moving to a more holistic, sophisticated approach that balances qualitative insights with data — skills, governance, autonomy, reporting lines, and legal dynamics. That allows better judgment about collaboration norms, stakeholder engagement, including with regulators. 

ESG has also helped. The ‘E, S, and G’ inherently involve culture — respect, trust, integrity, looking beyond dollars and cents. ESG has accelerated focus on culture. 

In insurance, for example, advisors’ conduct, incentives, and reward systems loom large. My general sense is that focus has stepped up — in firms as much as among supervisors.”

3.4.1b Participants also described the role of the supervisor in making culture risk governance tangible for supervised firms through training, tools, and targeted frameworks.

“The reality is, maintaining an ethical culture is really, really hard. One, we're often talking about very large organizations. By the time you've got 10,000, 50,000, or 100,000 employees, getting your middle and even senior leaders to act consistently is incredibly difficult. 

The incentives and structures are nearly always stacked against someone with sufficient seniority coming in and saying, ‘Hang on a minute, have we quite got this right?’ And particularly in a large organization, is that information even going to reach them? 

There are lots of temptations along the way to make exceptions, especially when commercial targets are under pressure. ‘Let's not worry about that too much because the situation we find ourselves in at the moment overrides where we are.’ 

For all the good intent there might be, there are lots of little reasons to say, ‘I just want to make this an exception.’ If you look at where things go wrong, it's often where there's an incentive to break from the good norms of the pack for commercial advantage.”

“Something that could be helpful is more rotation across the different lines. I feel like one thing that could be helpful is if part of a person’s career path was that they actually had to spend some time in the second line. People often don’t understand the perspective of the other side. That makes it harder to solve things in a less adversarial, more coherent way.”

“I’ve also seen this in staff rotations. You don't just rotate to give someone an all-rounder experience. The ones who go in, find practices that need changing, and actually change them — that's good risk culture. You're not just stepping into the old shoes for three years to get a tick and the next promotion. You go in with a fresh pair of eyes, and that's what these rotations are meant for.”

“In our supervision now at the ECB, which is focused on prudential aspects, where you have issues and you look at their root causes, not in every case, but in many, governance and culture are at the heart of it. 

So for me, it's about being efficient and effective as a supervisor. If you want to solve issues quickly, you need to get to their root causes. Being alert to the idea that these factors can be a part of the root cause is very important. The most timely and effective way to deal with things is to mitigate the root cause.”

“[W]here there have been serious control failures, financial firms need to add the necessary resources to remediate their control weaknesses while, at the same time, maintaining their supervision and compliance capabilities across all their business activities. 

Financial firms and regulators need to look towards new tools that help get it right. It is precisely because of this fact that regulators have been so focused on culture issues over the past ten years. You just can’t solve these contentious problems solely through better surveillance tools; you have to work to improve compliance and risk cultures to decrease the likelihood of bad outcomes.”

“Crises don’t always have clear connections. The SVB collapse had no direct link to Credit Suisse, but it sparked concern. Markets often use the same strategy as jackals — look for the weakest in the herd and pounce. Credit Suisse had high capital ratios, but its business model and culture raised doubts. When the market starts asking, ‘What don’t we know?’, markets may then assume the worst. 

That’s why we need a structured approach to culture. We haven’t done much here, so the marginal return on even modest investment could be high. Not everything will work. But it’s worth trying. Rather than rerunning 50-year debates on inflation-unemployment trade-offs, the payoff of investing in understanding the behavioral and cultural risks that we’ve largely ignored could be significant.”

“Good prudential supervision is important for effective operations of a financial system. That is why OSFI is presently taking steps to modernize our Supervisory Framework to better capture the impact of systemic and macro-centric risks on the risk profile of our [federally regulated financial institutions (FRFIs)]. 

We want to build in flexibility to accommodate new and unforeseen risks, the interplay between financial and non-financial risks, as well as non-traditional business models. Finally, we want to further leverage data and advanced analytics to promote a more risk-based approach to supervision and to inform our future data strategy. Our supervisory approach will aim to build capability and is best suited for the changes in the risk environment. 

Incorporating the need for proactive and ongoing management of FRFI culture and behaviour risks in assessing the effectiveness of corporate governance is an ideal path to supervision. Identifying risks arising from behavioural patterns is important for a FRFI’s board and senior management because it demonstrates how closely the actual culture of a FRFI is aligned to its desired culture. 

OSFI sees the ideal state of the financial environment as one that incorporates a cultural perspective, with strong corporate governance and culture risk management. Through our efforts, the expected outcomes include culture and behaviour that are designed and governed through clear accountabilities and oversight and that the desired culture and expected behaviours are proactively promoted and reinforced. 

This will also help to assure that risks emerging from behavioural patterns are identified and proactively managed. These important areas will not only strengthen the resilience of FRFIs but increase the confidence in the broader financial system. This approach can support sound decision-making, prudent risk-taking, and effective risk management.”

“We always try to ground our supervision in tangible supervisory outcomes. This is no different. When thinking about culture and risk management, we consider the outcomes we want to achieve. The first thing, of course, is that the supervision is in line with the legal framework and mandate we've been given, for instance, the CRD and the guidelines from the EBA. The outcome we're really trying to achieve is well-governed banks with proper checks and balances. We want banks to own and define their culture, ensuring it's aligned with being prudent risk managers.

It’s not about there being no risk. Rather, it's about prudently managing risk. We lean into that through our engagement. We consider it successful when we've thoroughly examined the issues, gathered the necessary evidence, and are satisfied that any concerns have been properly remediated. This gives us assurance that the bank is managed in a very controlled way, with a proper process for paying attention to risks at all levels of the organization.”

“Leadership is important in explaining how to weigh competing priorities internally; then put in place mechanisms and controls to see that those priorities are carried through in practice. Leaders can then be held accountable — by the board, shareholders, regulators, and other stakeholders — but it’s not only about being held to account after the fact. It’s about ensuring the mechanisms are in place to run the organization as articulated.”

“I really think culture and conduct will continue to be an area of supervisory focus for regulators. We're really in a period of significant risk and uncertainty. Sound organizational culture will be all the more important and needed in times like these to help financial institutions make sound day-to-day decisions, manage their risk well and build brand reputation, and confidence and trust as they navigate the adaptations and changes needed in such an environment. 

I will be the first to say, we do not have all the answers, we never had, but all the more, that means we have to work closely together to identify common pitfalls, challenges and share solutions as quickly as possible.”

3.4.2 – How do supervisors need to adapt in order to accelerate progress in culture supervision?

3.4.2a Participants highlight the importance of effectively embedding challenge in their engagements with firms related to culture.

“If banks view the supervisor simply as an adversary — and one that may act unreasonably or inconsistently, without regard to the rules — then the management will view its job as determining, ‘Okay, what’s the minimum amount of effort I need to expend to get this person off my back so I can go back to running my bank?’ This is not the sort of interaction we want in a bank’s relationship with its supervisor.

What needs to be done is something that is very difficult to know how to do — and certainly not something that’s being done on any widespread basis currently. 

We need to try to come up with data-driven methods for testing management’s ability to shape firm culture — credibly, consistently, and with the right degree of transparency — so we can better assure that we’ll see good performance outcomes. 

Nothing of the sort is in evidence today, either within the industry or among its supervisory bodies. And, so, we have inefficiency, delay, and politicization.”

“It’s hard to step into a room with a Chair or CEO and challenge them. These are impressive people who’ve risen to the top. There’s a dangerous tendency toward deference. And when we’ve made mistakes, it’s because we weren’t as awake to that tendency as we should’ve been. That’s where the tension lies — when you walk into a CEO’s office and question governance or culture. That’s a potent conversation.”

“With stress testing around governance, a regulator — as a result of its horizontal reviews and observations of firms’ governance practices — could say to a firm, ‘your stress testing efforts are laudable and noted but here are some other factors you ought to consider.’ A financial institution therefore has primary responsibility to continuously improve its governance, but there is an important complementary role for the official sector.”

“If lack of trust between supervisees and supervisors is getting in the way of effective supervision, something is very wrong. We have to bridge that gap. 

Supervision can be antagonistic by nature, but we shouldn’t let that undermine effectiveness. We keep telling banks that, and banks should be able to challenge us — openly, not behind our backs. 

Supervisory powers should be challenged — healthily — if it leads to better outcomes. That’s why we’re building processes that let the banks tell us where we’ve been unwise or unclear, so we can find solutions together.”

“This is perhaps a controversial view, but I think the asset cap at Wells Fargo was pivotal. Ultimately, culture changes when leadership changes — and supervisors struggle to compel leadership changes at well-resourced firms. The asset cap functioned as a mechanism that gave the board permission to make changes effectively. 

By contrast, Credit Suisse cycled leadership in less healthy ways and lacked a strong mechanism to force change. More pleading wouldn’t have helped there. Supervisory feedback had been given but wasn’t acted upon. 

So the question in such cases is: what if nothing changes? My ‘Too Big to Manage’ escalation logic is: feedback → enforcement → civil money penalty → binding constraint (e.g., asset cap). Different firms have different mixes of ability and willingness to change. Supervisors should give notice and a chance — but if change doesn’t happen, they need mechanisms that enable boards to act.”

3.4.2b Participants note that supervisors should build trust into their approaches.

“Sometimes, the reason the industry does not support the strengthening of supervision is because they lose trust in supervisors not to abuse the additional resources. This can happen despite the best efforts of supervisors to ensure responsible use of their powers. So sometimes we get into a bad place in terms of the level of trust, which impacts the willingness of the industry to finance good quality supervisory technology and the ability of supervisors to build it.”

“The credibility of the supervisory process is vital to financial stability. Without it, people become skittish — quicker to withdraw funds or demand higher protections, which makes the system more brittle.

Trust reduces the friction in financial relationships. You don’t need contracts that anticipate every possible contingency — just shared understanding. Trust between supervisors and firms is especially important. If supervision becomes a ‘gotcha’ exercise, you get cynicism. I saw this firsthand at the Fed. Both supervisors and bankers could fall into a box-checking mindset. 

And it’s not just about the regulator-firm relationship. The public also needs to trust that supervisors are vigilant and thoughtful. That doesn’t mean they’ll prevent every crisis — far from it. But they should demonstrate that they’ve thought seriously about the risks, even those they can’t fully anticipate.”

“About two years ago, we did what we call a ‘bank employee survey.’ We surveyed a large number of frontline staff at 28 retail banks in Hong Kong. The response rate was surprisingly over 70%. It wasn’t compulsory — we, as supervisor, engaged a consultant and sent the survey to frontline staff across those banks. Because it was anonymous, people felt comfortable speaking up, and we gleaned a lot of useful observations. 

We could have asked banks to run their own surveys, but we would lose cross-bank comparison value. At the supervisory level, we have to think about how we help banks assess accuracy and get useful insights into what’s happening on the ground. 

Now this is an important point: if you tell banks, “We’ll use this employee survey data as supervisory input, and if your employees say you’re poor on risk culture, we’ll take action,” then there’s no hope — the management will discourage candid responses. 

We told banks we were not using the survey results as supervisory input, but as supervisory output: we’d feed results back to them and, if we saw weak spots in the risk-culture chain, we’d expect them to act.”

“As policymakers, we must seek additional signals — from the public and elsewhere — about what actually builds trust. People’s perceptions are real; if they don’t trust government, they don’t trust it. Better to face that head-on and try to unpack it. I’ve long argued that the North Star for banking and bank supervision is trust. Money and banking run on trust: when trust is high, the system works remarkably well for the economy, communities, and people. When trust is low, things fall apart.”

“In our Policy Approach document, which we published in February, we described three regulatory ‘foundations’ which represent the ways our regulation underpins the UK’s growth and competitiveness. These are: (i) maintaining trust among firms in the PRA and UK prudential framework; (ii) adopting effective regulatory processes and engagement; (iii) adopting a responsive and responsibly open approach to risks and opportunities.”

“We need to protect supervisory judgment, and we can do this by reinforcing it with more rigour and reliability. This will require investing in the skills and tools necessary to advance efficacy. As with monetary policy, trust in the consistency of supervision will determine its effectiveness.”

Responses to Chapter Questions and Other Commentary

3.1 (a) Should supervisors embrace culture risk supervision as a means by which to prevent future crises, and how would that change how they approach supervision? What steps would you recommend that supervisory bodies take to ensure that efforts to incorporate culture risk supervision into supervisory frameworks are sustainable over time?

Through various economic cycles and political administration changes, one constant should remain the same for financial institutions – sound Risk Management Practices. During various economic and political changes, institutions should continually ask, “are we proactively identifying, measuring, monitoring, and controlling risks?” Consistently having a “risk-management” mindset and embracing the practice of “self-policing” (i.e., monitoring and testing activities, effective challenge, and internal audits) will help ensure institutions’ longevity through economic downturns and/or administration changes.

As stated previously, regulatory agency examiners can assess risk culture through examining material financial risks and evaluating Risk Management Practices associated with such risks. We believe it would not be an efficient use of institution and examination resources to have examiners separately assess culture under a check-the-box examination module, though an assessment of consistency of implementation of Risk Management Practices is appropriate. Examiners’ evaluation of an institution’s Risk Management Practice will be informed by the institution’s risk culture.

– American Bankers Association

3.1 (b) How do structural conditions — such as legislative mandates, legal frameworks, institutional leadership, and management buy-in — shape a supervisor’s capacity to engage in culture supervision?

3.2 (a) What mechanisms and metrics would enable agencies to embed culture risk governance and supervision into routine examination — and to demonstrate the value in doing so?

3.2 (b) What new technologies and techniques for collecting, measuring, and shaping culture should be incorporated into new supervisory practices?

3.3 (a) What examples of successes in frameworks and governance processes can the industry point to in the area of culture risk governance and supervision?

One specific effort that has demonstrated significant progress since the 2008 financial crisis is the evolution in firms’ approach to managing incentive compensation, particularly compensation for employees in positions most likely to expose the firm to risk.[5] As management of the complex of risks to which financial services firms are routinely exposed has gained greater attention, both firm boards and managers and government supervisors have focused on policies addressing the degree to which incentive compensation can reinforce or hinder effective risk management. Since effective acquisition and retention of appropriate staff (of which compensation schemes are a critical part) is key to a firm’s success, it has appropriately fallen first to senior management to develop an effective and prudent approach. With heightened scrutiny since the 2008 financial crisis, supervisors have carefully reviewed and discussed incentive compensation schemes with management, especially at the largest firms, including those considered systemically important.

[5] Note that the universe of employees, if thought of in terms of job descriptions and responsibilities, that can expose a firm to a given degree of risk is not a static concept, and certainly not a static list. Those who directly commit firm capital, e.g., traders and investment managers, were a particular focus after 2008, but information technology managers, marketing or legal staff, business continuity managers, and a host of others can either bring risk upon the firm or must be accountable for keeping risks within the firm’s appetite.

– American Bankers Association

3.3 (b) What has come of past supervisory approaches for improving culture, including accountability regimes, incentive structures, and tone-from-the-top? What are the limitations or blind spots inherent in these tools, and how can they be addressed?

3.4 (a) How can supervisory bodies support firms in implementing effective culture risk governance?

3.4 (b) How can supervisors build the trust, challenge, and engagement with firms needed for effective culture supervision, while avoiding perceptions of regulatory capture?
