A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Chapter 4 — Future Directions & Obstacles

Included in this Section

4.1 – Avoiding Regulatory Drift and Distrust

4.1.1 – What steps should regulators consider to enable more effective culture risk supervision?

  • 4.1.1a Some participants described the importance of establishing a firm legal basis for supervising culture.
  • 4.1.1b Other participants noted the importance of addressing culture across both conduct and prudential regimes.
  • 4.1.1c Participants noted that greater transparency and accountability in supervisory processes would improve outcomes and preserve independence.

4.2 – The Pressure to Innovate

4.2.1 – What steps should supervisory bodies consider to help drive their own culture change?

  • 4.2.1a Participants noted the importance of supervisory cultures supportive of innovation and a readiness to adapt to change.
  • 4.2.1b Other participants noted that training and upskilling is required to incorporate behavioral science and culture assessments into supervision.
  • 4.2.1c Participants also recognized the need to develop new capabilities and frameworks

4.3 – Making Room for New Metrics & New Tools

4.3.1 – What systems and structures are needed to help supervisors and firms alike to find, evaluate, and easily adopt new technologies and methods as they come available?

  • 4.3.1a Participants discuss the need to establish a common evidentiary basis for culture assessment, among firms and within their own agencies alike.
  • 4.3.1b Participants note the value of digital ‘sandboxes’ and similar structures for both firms and supervisory bodies to test and evaluate new technologies and approaches to culture risk governance and supervision.

4.4 – New Approaches & New Partnerships

4.4.1 – What would a global initiative to transform culture risk governance and supervision in the financial sector look like?

  • 4.4.1a Participants noted that global standard-setters have yet to prioritize culture risk governance and supervision, and urge that greater attention to such would be helpful.
  • 4.4.1b Participants described the need to have a forum where public and private sector participants can collaborate to reach consensus on new approaches to culture risk governance and supervision.
  • 4.4.1c Other participants express concerns that while coordination may be helpful, that pursuing a uniform approach across jurisdictions may exceed supervisory mandates.
  • 4.4.1d Participants argued that supervisors can draw on third-party experts to help establish a common framework for culture risk governance and supervision.

Chapter Questions and Comments

4.1 – Avoiding Regulatory Drift and Distrust

4.1.1 – What steps should regulators consider to enable more effective culture risk supervision?

4.1.1a Some participants described the importance of establishing a firm legal basis for supervising culture.

“We also looked at existing legal obligations. For example, under anti-corruption laws in the UK, directors can be held liable if they don't have a proper system of checks and balances for bribery. It’s the same in most countries with occupational health and safety; directors can be held liable if there isn't a system to monitor and avoid problems. So, the law, to a large extent, already extended to conduct in certain areas and held directors liable where the problem was a culture of poor conduct.”

“I think the legal profession is not always so helpful for culture, frankly, because the legal profession is about ‘what am I allowed to do?’ And there's a presumption that, as long as what I'm doing is legal, then it's okay to do. And the reality is, that's just not true in my opinion. 

The legal profession is always going to be behind — the laws and regulatory structures are always going to lag behind the current reality. People are going to innovate to get around legal constraints. So I think part of what we probably should be looking at is the rule of law versus the rule of reason. That’s sort of the classic issue, from a legal perspective. 

Maybe we need to think about how we promulgate regulations and supervision that are more based on the rule of reason than the rule of law, more focused on what outcomes we are trying to achieve, as opposed to what constraints we are putting in place.”

“If something else happens that sends the financial industry into another crisis, that'll put things on pause, depending on what it is. But we don't need legislation to make this happen or to take on the kinds of actions that might be outlined for the future.”

“Anything involving people is emotional — much harder than numbers or models. These are the most difficult supervisory decisions because you don’t have codified triggers — no ‘capital ratio below X, stop the dividend.’ But in the absence of codification that would make life easier, you still have a responsibility to turn the ship. 

Supervisors must be prepared to demand personnel changes in senior positions. But you need the legal basis to permit that. You need the ability to intervene in the appointment or removal of key people — with safeguards against arbitrariness, of course. That’s probably the only way to effect rapid culture patches. Then you want to see a management team with a clear mandate for change.”

“Late in 2017, the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was established. As the biggest New Zealand banks are Australian-owned, questions were asked about whether similar misconduct was occurring here. There were calls for a similar commission to be established to investigate activities in New Zealand. 

In response, the FMA and the Reserve Bank of New Zealand (RBNZ — the prudential supervisor and licensing agency for banks and insurers) agreed with the Government that a more proportionate response would be to conduct a joint review of culture and conduct within the retail banks and life insurers. 

The findings from this review were published at the end of 2018 and did not find egregious misconduct. They did, however, identify significant weaknesses in the governance and management of conduct risks which could have led to widespread harms over time. Banks lacked proactivity and had been slow to address culture and conduct issues. 

The report made a number of recommendations, including the introduction of a direct legislative mandate for regulating the conduct of providers of core retail banking and insurance services.”

4.1.1b Other participants noted the importance of addressing culture across both conduct and prudential regimes.

“Having both conduct and prudential responsibilities under one entity [at the HKMA] helps us pursue risk-culture efforts holistically. If two separate agencies handle it, you need coordination to ensure consistent outcomes.

And repeated conduct failures erode trust and can lead to adverse prudential outcomes. We’ve seen that multiple times. That’s why supervisors and regulators care more about repeated findings. And that should be a core value for institutions: if you see the same problem again and again, don’t just double down on past approaches — ensure it doesn’t happen a third time.

Some of the issues people cite — failure to hold anyone accountable for limit breaches; undue frontline influence over risk processes; bending risk metrics to fit customer profiles — these are not merely conduct problems. They’re failures of the accountability framework; they’re risk-culture failures. And if they’re not the first occurrence, supervisors should look at them accordingly.”

“As a prudential regulator, probably one of your best early warnings of potential prudential problems is to look at the culture question.

Regulatory regimes that put too much confidence in capital buffers can be missing a wider picture. That's where the cultural piece absolutely comes into it. You do need a mixture of metrics here. Some are very easy to define, measure, and use as a communication tool. A central bank can say, ‘I've given you a bigger capital buffer because I'm not confident.’ 

Within a Twin Peaks model, you can think of culture as going across the pair of peaks. 

As a prudential regulator, you should think very carefully about cultural issues. Often, you are looking at the same underlying issues the conduct regulators are looking at even if the presenting problems are different.”

"From my perspective, it all ends up with the prudential supervisor. So, strong cooperation between conduct and prudential regulators is crucial. Conduct regulators sometimes see cultural issues earlier, especially through client interactions. Prudential supervisors usually look at the broader framework. But cultural issues affect both."

“Despite the successes of the Financial Services Board, [there was a] clear need for South Africa to reform its regulatory architecture, and to improve the conduct oversight of its financial institutions. South Africa required two regulators to make financial services safer, to reduce potential threats to financial stability, and to ensure that the sector is working in the interest of all South Africans. 

This was implemented through a Twin Peaks regulatory model — the FSCA being one of the two regulating bodies, with the Prudential Authority (PA) being the other. The FSCA supervises how financial institutions conduct their business and treat their customers, and empower customers to make better financial decisions through financial literacy initiatives, while the PA supervises the safety and soundness of all financial institutions.”

“The 'Twin Peaks' model exists for a reason: it's not about entirely separate mountains. They are distinct parts of one landscape. Whether supervising individual entities or the sector broadly, you must consider how these elements interact within one system.

Culture is crucial for both prudential and conduct supervisors. For conduct supervisors, it's especially important because culture ultimately defines how people conduct their business. It's about how people behave, and behavior directly impacts conduct. Therefore, as conduct supervisors, we must understand the drivers behind people's actions and why misconduct occurs. 

We don't want to be merely the ambulance at the bottom of the cliff, cleaning up the mess that results from misconduct and trying to set things right. If we aim to be more forward-looking and prevent misconduct from occurring in the first place — to 'build a fence at the top of the cliff' — we must engage in dialogue about why misconduct happens initially. 

This is where the intersection with prudential supervision becomes clear. Prudential supervision, like conduct supervision, focuses on business sustainability: does the business have a viable model? Can it meet its financial obligations as they become due? It's about good risk management, just as conduct is, but viewed through a financial rather than a non-financial lens. The key point is that they all intersect.”

4.1.1c Participants noted that greater transparency and accountability in supervisory processes would improve outcomes and preserve independence.

“One more cultural issue that is very difficult to deal with is the issue of transparency. My entire professional life, I have been in favor of transparency, and there have always been others who have told me that transparency is bad. 

The basis of that argument is that, if people truly understand what's going on, they'll take their money out. And if people are informed, there's no time to quietly fix the problem. This creates a constant tension between transparency and how you deal with issues — how open you need to be about what’s going on.”

“Supervisors lack vehicles to tell their story credibly, and others control the narrative. Take crypto ‘de-banking.’ Crypto firms accused banks; banks pointed at regulators. It’s an uncomfortable conversation to tell a client, ‘We don’t understand your business; KYC/AML costs are too high; we’re out.’ So it’s easier to say, ‘the regulators made us.’ 

Meanwhile, do we think FTX should have been banked? No — banking a fraudulent enterprise enables harm. In 2022 there was widespread crypto fraud, (Celsius, Three Arrows, etc.). Banks had reasons to be cautious. 

This isn’t a pogrom by supervisors; it’s messy reality meeting safety and soundness. But supervisors can’t explain that publicly because of confidentiality.”

“You have a conflict right now between the fact that confidential supervisory information is confidential, yet oftentimes it's material from the perspective of the stock price, and yet the company can't disclose it. 

I'd like to see all supervisory actions that are truly a restraint and material to the firm have to be disclosed, with a lag — not necessarily the day of the finding, but maybe six or twelve months later. 

It creates better incentives for firms. They are now really well-motivated because, let's say the timeline is six months, they’d better have a pretty damn good plan for how they're going to mitigate this problem. That creates more focus from senior management on the issue and also gives shareholders a better sense of what's really going on. It seems like a win-win.”

“Historically, the Federal Reserve’s independence in bank regulation and supervision has also provided stability and consistency to regulated institutions. This is not to suggest that bank regulation should remain static in the face of change.

To the contrary, the Federal Reserve’s regulatory approach must be capable of addressing and adapting to new banking activities and new risks but also must be aligned with furthering our statutory objectives.

Of course, this independence in bank regulation must be accompanied by accountability, to both Congress and the American public. Accountability is no less important for bank regulators than it is for banks. We should embrace holding ourselves to high standards — just as we hold banks to high standards — and do so in a way that promotes public accountability.

Accountability also requires transparent policies and procedures and conducting supervision in a way that is predictable and fair. These actions demonstrate to the public and regulated institutions that the agencies hold not only those institutions but also themselves to high standards. 

Transparency builds legitimacy by demonstrating that the Federal Reserve executes its responsibilities fairly across all regulated institutions. Transparency assists in ensuring accountability, in addition to building legitimacy and public trust. 

That same transparency helps show that we regulators are holding ourselves to high standards — that we are appropriately exercising the power granted to us by Congress and have done so in a way that supports due process and fairness. We should not be afraid to show our work in the execution of our regulatory or supervisory responsibilities. 

Accountability promotes healthy bank regulation and supervision, just as accountability promotes a healthy banking system. We should embrace holding ourselves to high standards — just as we hold banks to high standards — and do so in a way that promotes public accountability”
 

"Independence often gets misunderstood. When you talk to a government minister and say the supervisory agency should be independent, they might blow their top and say, 'They're not elected leaders; they can't be independent.' Then you have to explain what you mean by independence. 

Independence is not autonomy, nor is it free will. Independence means you let them do their job. If they don't do their job, then you can hold them accountable, but you cannot interfere in how they do it. Because if you do that, they're not going to be able to perform.

That's why I say that independence should always be used along with accountability. Those two have to go together. 

Building an accountability system and an independent system requires design at a level of structure, reporting, transparency, and public communication. All of that together builds the credibility of the supervisor so that people can say, 'Okay, we can expect these guys to do what they're supposed to do.'"

4.2 – The Pressure to Innovate

4.2.1 – What steps should supervisory bodies consider to help drive their own culture change?

4.2.1a Participants noted the importance of supervisory cultures supportive of innovation and a readiness to adapt to change.

“Because the world and the bank you're supervising are always changing, the job of a supervisor is never really done. You have to continue to evolve your own understanding of the institution. As the risk landscape, macro environment, and risk outlook change, you also have to keep your own thinking up to date on how you're going to look at these issues.”

“Staff must also feel supported in decisions they take — a particularly important point when confronting recalcitrant boards and management teams.”

“Supervision is asymmetric. When times are good, you’re blamed for holding things back. When times are bad, you’re blamed for not doing enough. And supervision’s successes are invisible. Because supervisors are typically only noticed only when things go wrong, they become defensive. 

After SVB, members of Congress were talking about ‘matters requiring attention (MRAs)’ — an internal tool — out of context, as part of a blame game. Put yourself in a line examiner’s shoes: your instinct becomes ‘check every box,’ so no one can blame you.

That’s the supervisory version of a defensive mechanism — and it doesn’t yield good outcomes. Good supervision requires judgment, expertise, and knowing when to call for help — behaviors that don’t fit well in blame-centric environments.

There are hundreds of dashboard issues in any given week; supervisors nudge banks constantly — ‘measure this differently,’ ‘tighten this control’ — and most of it is unseen even inside firms. Publicly, you only see one failure every decade.

Post-Crisis, agencies get defensive and default to checklists because that’s what quality assurance reviews and oversight bodies test: “Did you follow procedure?” Box-checking is safe — but it’s not good supervision. That’s a serious challenge. 

A helpful model is the National Transportation Safety Board. After an accident, the NTSB culture is to avoid finger-pointing and analyze system failures dispassionately. Complex events rarely have a single culprit. Politically, money invites blame; but an NTSB-like approach — ‘figure it out first, then assign responsibility sensibly’ — would produce better outcomes. It’s hard because simple blame gets headlines; nuanced explanations don’t.”

“We've got to adapt the financial services sector and regulation to the future needs of today's and tomorrow's customers. And honestly, we're not there in New Zealand at the moment. We've got people looking for products that just don't exist at the moment. We've got people looking for services that are quite nascent in this country and there are plenty of opportunities and risks to developing those products, both from a regulator and a supervised perspective. 

We've got to have a mechanism to think our way through those challenges and ensure we aren't restricting what customers can access by either our regulations or the way we supervise while also still balancing appropriate protections. We also must avoid influencing the cultures of these firms to be so simple and safe that they are not ultimately sustainable over the long term and capable of providing the products that people want in the future."

“I think supervisors must be disciplined in implementing digital tools and ensuring that people change their behaviors to use these tools. For me, that's all about what we've learned regarding how digital people [e.g., IT developers] and supervisors work together. It requires two things: digital people trying to listen to what supervisors need, and ultimately the supervisors must actually use the digital tools, and this typically requires a change in how supervisors conduct their day-to-day business.”

“If you look at the way that we supervise in culture and conduct, it's way more intrusive than what we would do for any other area of risk… When we try to broach the topic of how do you measure good conduct? How do you foster good conduct and good organizational culture within your organization? Firms very often tell us, ‘How do you define culture? How do you measure culture?’ And we found ourselves stuck in that level of conversation.

So by taking the bull by the horns, going in using insights from behavioral science and techniques from psychology, we hope to demonstrate to financial institutions that it is possible to define this, to measure this and to help make improvements in this area. 

Over time, the hope is that supervisors will increasingly shift the burden of measurement and monitoring to financial institutions. And we, over time, would pick up that supervisory oversight as we ordinarily do.”

“Regulatory modernization is not the same as deregulation. Some argue we should just wipe the slate clean. That’s deregulation. And while I understand the frustration behind that instinct, I don’t think it’s the right approach. You can’t have a safe, stable financial system without meaningful oversight. But at the same time the system can’t be so weighed down by outdated, redundant, or overly complex rules that it becomes dysfunctional. 

Modernization means doing the hard work — going rule by rule, process by process, and asking: ‘Is this regulation achieving its intended purpose? Is it still relevant in today’s financial landscape? Is it creating unintended consequences that outweigh its benefits?’ That’s the kind of rigorous review we don’t do enough of.”

“Banking supervision and central banking will have to evolve if we want to continue delivering on our public mandate in this era of rapid technological change. This means embracing innovation while carefully managing the associated pitfalls and risks. 

Banking supervision needs to harness the benefits that technology can offer given the rapid rate of technological progress currently underway. Technological innovation can deliver the speed, scale and scope required to properly identify and address governance concerns in the banking sector. This is especially true where technological advances make it possible to sift through vast amounts of data, potentially making it possible to rapidly detect any misalignment between management expectations for a strong risk culture and reality. 

In a rapidly evolving world, we must match the pace of change. One of our objectives at the ECB is to harness the power of AI to make our supervisors’ jobs easier while remaining mindful of the related limits and risks. We aim to put our supervisors firmly in the driver’s seat, empowering them to apply supervisory judgement effectively in our revised supervisory process supported by innovation.”

4.2.1b Other participants noted that training and upskilling is required to incorporate behavioral science and culture assessments into supervision.

“Culture needs to be part of the inspection process and the training and development process for supervisors from day one, because it's not. Nor is management. That's left to the person in charge of the inspection to make a judgment at the end of the day based on their gut feeling. There needs to be much more uniformity than just somebody with 10 years of experience knowing better than somebody with three.”

“For many years in the Toronto Centre, one of the main training issues has been moving supervision from ‘ticking the boxes’ to risk-based supervision. This is indirectly a cultural issue: if I just tick the boxes, I can never be wrong. Things can still blow up, but I did nothing wrong — so don’t blame me, blame those who decided those were the boxes.”

“These days you can get a lot of data, and that has to be intelligently interrogated. So, regulators need better skills in that area. Some regulators well understand that and are taking steps to get data analysts, data scientists, people like that into the organization that can properly interrogate data. 

Regulators also need people who understand the business model, and this is where AI won't replace people. You need people who can actually go in and know what the institution is trying to achieve because of its business model. So, you need to have the right sort of people in the regulator.

I think career regulators are really valuable, and you need them, but you also need up to date market expertise.”

“Supervisory culture is important, and we should work on it day in and day out. 

We’ve incorporated culture into training. A core value we pursue is ‘supervisory certainty’: the same conditions should lead to the same supervisory outcomes — consistently. We have to demonstrate to banks that we have systems to deliver that certainty and consistency. 

I run a prudential department with about 150 people and a conduct department with about 70. If those 220 people go out and say different things under the same conditions, we’re in trouble.
We’ve built regular dialogues with banks — a balanced and responsive supervisory process — to get feedback. We have a small team that goes out to talk to banks individually on a regular basis: are our colleagues doing what we preach? If banks think we’ve departed from consistency — ‘How did these similar cases lead to different outcomes?’ — we bring those cases into the dialogue with groups of banks, see if there are problems we need to fix, or explain why approaches differ and how we’ll ensure consistency going forward. 

If banks say, ‘The US handles this more smartly,’ we look at that and maybe we adjust. We have systems to pursue the supervisory values we espouse.”
 

“Supervisory skill sets and resourcing is another challenge. [MAS brought in a] behavioral scientist to help with culture assessment, and the involvement of our Chief Data Officer. Each brings value but may not be ‘fit for purpose’ alone. 

Traditional supervisors are strong in financial analysis, modeling, and compliance. But assessing culture demands different capabilities: behavioral economics, sociology, HR management, organizational psychology. 

Building that into already lean teams is hard. Telling supervisors preoccupied with hard metrics, ‘By the way, look out for culture,’ can be unclear in practice — even with internal guidance. Consistency suffered. 

So what we did was to focus on was skill sets. To assess culture, we asked, do supervisors need training in behavioral economics or organizational psychology so they know what to look for — and can ask insightful questions about incentives, groupthink, and challenge mechanisms? We wanted to be more ‘scientific’ in equipping supervisors to do a better job. So, it was less about our own culture, and more about building the right competencies.”

“Back in 2012-2013 we engaged with De Nederlandsche Bank (DNB) on their culture work. They brought in the specialized skill sets in behavioral science. We even had one of their people do a two-month pilot on an institution — it was a phenomenal exercise and generated new insights into risk management effectiveness. 

We [subsequently] set up a conduct group and brought in outside expertise from anthropology and psychology. And we did get a more structured way of thinking — culture risks rather than risk culture: organizational behaviors that can lead to bad outcomes for risk control. But it was still judgment — just a psychologist’s judgment this time. ‘This behavior could lead to these incentives and (therefore) that form of risk-taking.’”

“I think what's very important is that at least a significant share of our people should be coming from the private sector. 

While institutionally we should be fully independent — because that relates to accountability to the public; how else can the public trust the system if they see links between the supervisor and the supervised entities? — I think it is important to have the right mix of perspectives and experiences in supervisory authorities. 

Therefore, I insist on having people from the private sector in our supervisory organization, which truly requires additional recruitment effort.”

4.2.1c Participants also recognized the need to develop new capabilities and frameworks

“While the risk issues for supervisors are different to those faced by regulated firms, accountability is central to embedding any desired risk culture. 

For supervisory agencies, this requires clear accountability and escalation channels, as well as effective internal governance and communication processes. Embedded in these processes are decisions around the degree to which supervisory decisions are automated or allow some discretion. Ideally there should be clear supervisory processes that embed within them an element of discretion, facilitate timeliness by not being too rigid or complex, and which have the right checks and balances along the way.”

“Going forward, I see two scenarios. 

 

In one, supervisors don’t change much; frustration with Type I/II errors rises [e.g., false positives and false negatives], and a translator or 3rd party solutions layer grows between banks and supervisors to fill the gap. 

In the other, supervisors focus, recognize the moment, and re-architect to meet the moment — i.e., the ‘denominator’ (scale/complexity/speed of the banking system). In that scenario, the gap is filled by the agencies themselves. 

Agencies need a clear sense of direction: ‘We’re here; we need to get there.’ Without direction change will be incremental, and the gap will grow — the translator layer will harden. The risk is creating a permanent translator layer — which often ends badly for firms that over-rely on it. But a capacity-building, time-boxed model that gets agencies moving in the right direction in bold ways could add real value.
In equilibrium, the ‘numerator’ — agency resources and capabilities — must catch up to the denominator — scale/complexity/speed of banking. Some agencies can do that in-house; others will need help. External forces that accelerate that path can be positive, provided we avoid creating a permanent dependency. 

Either way, the core currency is credibility. I’ve delivered very bad news to banks that they hated but accepted because it was credible. I’ve also seen weak findings trigger steam-from-the-ears frustration because they lacked credibility. The former yields grudging respect; the latter erodes the supervisor’s standing. Leaders must discern: is current criticism a sign we’ve lost credibility, or just garden-variety pushback?”

“To my mind, how about some notion of a periodic review of how supervisors are doing things? For example, the Fed is now doing a five-year monetary policy review. The ECB does a five-year monetary policy review. Why don't we do periodic reviews of supervision and ask, ‘What's working, what's not working? Where can we peel back?’”

“Over the past five or six years we’ve found that peer comparisons are very helpful — and that can only be done at the supervisory or system level. 

Supervisors have to step in. Supervisors and regulators should specify the structure of what we want to see. You can’t let institutions design completely different risk-culture frameworks. So we set the headline elements: have a risk-culture statement and tolerance levels; communicate properly with employees; measure feedback and understanding regularly; set an accountability framework. 

Within that, institutions have a high degree of freedom to design the core elements. We tell banks: design it, show us how it goes, and if we see problems, we’ll tell you. It becomes an iterative process.”

4.3 – Making Room for New Metrics & New Tools

4.3.1 – What systems and structures are needed to help supervisors and firms alike to find, evaluate, and easily adopt new technologies and methods as they come available?

4.3.1a Participants discuss the need to establish a common evidentiary basis for culture assessment, among firms and within their own agencies alike.

"A common evidentiary basis is what's missing.”

“This links to a broader ‘holy grail’ in supervision: How do we know we’re effective? We lack a universally accepted set of KPIs for supervision effectiveness because there is (thankfully) a dearth of default data. We can count operational measures, such as actions and enforcements, but can we show we materially moved PDs [probability of default] on our banks? We believe so, but we’re hard-pressed to always prove it empirically. Asking supervisors to opine on culture magnifies this problem.”

“Ultimately, there are only two solutions to a cultural problem. One, more financial resources — acknowledge the bank’s riskier and push it further from failure through capital requirements. Two, get the top of the bank to become part of the solution — so they fix themselves. 

If supervisors want to change the culture, persuading the board of the firm that it has a problem is vital, as change is impossible without full buy-in from senior management. A supervisor can’t improve culture if the people running the bank aren’t fully bought in. This requires compelling evidence. Subjective supervisory assessments are unlikely to be sufficient. Possible sources of evidence are:
 

  1. Opinions of experts (internal and external). A big question for culture supervision is whether all regulatory agencies should have teams of organizational psychologists (either in-house or external) in the same way as we have experts in credit and market risk. I am open minded but have yet to see strong evidence of their effectiveness;
  2. Crystallized risk from actual incidents with root cause analysis leading back to culture; and
  3. Data-driven analysis. This is perhaps the most interesting new area. Staff survey results are well established. But other data might include, for example, network analysis of electronic communication within the firm.”

"Do we have a fully-fledged framework for all of culture? No. But for parts of it — especially risk culture — we’re pretty close. What we need now is judgment. How do we anchor supervisory discretion in data or general guidelines, so our decisions have a legal basis?"

“A shared framework, interoperable tools, and a common evidentiary basis… yields the best result for the least regulatory burden.”

“I always ask the same question when we receive research: What do we do with it? Institutions are busy. We’re criticized for not focusing on the most important things. When a psychologist or anthropologist offers high-level observations, a board will ask, ‘Great — but what do you want me to do?’ 

The gating issue for much of this type of discussion is materiality. What makes this a top-three board priority this year? We don’t have a denominator that lets us weigh non-financial risks alongside financial ones — no analogue to RWA that travels across risk types. We stalled there. 

Maybe we were asking economists to apply their paradigm to a framework they’re not best equipped to judge — that’s a fair challenge. And that’s why I haven’t given up on the culture experiment; we just need another serious run at it. 

However, we must also be able to translate any cultural observations made by supervisors into a language that the financial industry can understand and accept. After the fact, you can point to a bank failure or another case and say, ‘See? That mattered.’ Ex ante analysis remains difficult. 

Prompt and corrective action matters. But we need evidence to act early. That’s the Holy Grail: can we get objective evidence out of something that still feels subjective? 

We’re getting closer with culture risk. But it’s hard to draw deterministic lines. Not like a capital number. So yes, this remains our challenge — and anything we can do to narrow the scope of curiosity and research will help.”

“You don’t know and you have to be honest that you can’t know everything. But if you have a framework for thinking about these things you can use simple cost-benefit logic to justify resource allocation.”

“Because we lacked quantifiable metrics, it was hard to say — firm to firm — ’this is good culture’ versus ‘this is bad culture’ without some subjectivity, even with ‘science’ behind it. 

We tried to collect data and analyze it — so our judgments wouldn’t feel airy-fairy, dependent on whether the supervisor was ‘benevolent’ or ‘harsh.’ We looked for other observable manifestations: HR data, complaints, incidents, audit findings. It becomes a massive data collection exercise — then an integration and analysis challenge — even inside a single large bank. 

And even then, causality is hard: did a cultural trait cause a prudential or conduct failing, or is the observed culture the intermediate outcome of something else — like a control breakdown or leadership failure? 

Global benchmarking would help. Supervisors need reference points for ‘good’ or ‘bad’ cultural indicators to identify outliers at risk.“

“We became aware of the work that the De Nederlandsche Bank (DNB) had been doing. We thought, ‘This is interesting. We should learn more about this.’ So we spent time with [Mirea Raaijmakers] and others at the DNB learning about what they did and thinking through what we could do in New York that might look like that, because we thought there was real value there, there were real cultural issues. 

The thing about the DNB's approach was that it wasn't just a reaction to bad behavior; it was a disciplined approach. It didn't come across as crazy. It came across as well-studied and evidence-based. ‘Here is the reason to do this.’ ‘This is what we're looking at.’ It wasn't just made up.”

“Human beings are not machines, and their behaviors are not entirely predictable. That being said, looking at prior behavior to predict future behavior has value. But everyone should have a fair shake. Employees can learn and be coached. Not everyone subject to discipline in an organization is a repeat offender.
Proactive oversight, coupled with a way to close the gaps on opportunities or ensure more enhanced oversight, can have its benefits. You always want to prevent misconduct from occurring, particularly where it impacts clients, but models used to do so must be free of bias and recalibrated as new predictive attributes are identified. It is an art and a science, not pure science. If it was clear to predict who would have conduct issues in an organization, they would never get hired in the first place.”

“With regard to the CAMELS rating system, my initial instinct is that management and governance weaknesses ultimately surface in the quantitative elements — capital, asset quality, earnings, liquidity, sensitivity. They’re often early warnings further up the causal chain. 

The farther out you are on that causal chain, the harder it is to measure consistently. But over time, the problems that we seek to capture with the “M” rating (Management Quality) flow through to the quantitative elements. 

I’m open-minded about metrics, but it’s genuinely difficult work. Those are my initial thoughts as I continue to learn.”

4.3.1b Participants note the value of digital ‘sandboxes’ and similar structures for both firms and supervisory bodies to test and evaluate new technologies and approaches to culture risk governance and supervision.

“We have rolled out suptech tools for use by both ECB staff and [national competent authorities (NCAs)]. Success was made possible by leveraging our diverse talents, adopting a user-centric approach and ensuring seamless collaboration, especially between colleagues on the IT side and supervisors within the ECB and the NCAs. The focus is on active collaboration rather than a top-down approach characterised by development of solutions that are distant from the end user.

Investment in technological innovation has become an imperative, not only for the private sector but for public institutions as well.”

“Take speech-to-text. If you ask each bank to build its own engine, they can only train it on their own data. In some jurisdictions that may be enough; in many, it isn’t. We have 28 retail banks. If each builds an engine alone, they may not have enough data points to train it. Supervisors may need to collate data and help develop a ‘public-good’ engine. The biggest banks can build their own; smaller ones can’t. In those cases, supervisors need to step in.”

“Financial regulators will also be looking to technology to enhance their oversight programs, increasingly so. Artificial intelligence and machine learning tools adopted by financial institutions and regulators could radically change, and hopefully improve, financial regulation.”

“When we explored doing cutlure reviews at the NY Fed, the banks were curious about running pilots. Many at the time dealing with scandals across FX, LIBOR, and other rate-rigging. So there was some level of curiosity about whether this kind of effort, either by the organization or by us, would have been able to identify those kinds of problems. 

I also think the organizations thought they had good cultures, so they believed this was going to validate something for them.”

“Innovation comes with costs and risks both to individual firms and the system. It often requires significant upfront investment, often with uncertain outcomes, as well as long-term planning. 

These risks can be financial, arising through new or more complex risk profiles of innovative products. They can be operational, for example as firms transition to new technologies or embed dependencies on new third parties. Or they can be conduct-related as financial services are delivered to new sets of consumers or through different ways. 

This means that we need to take a thoughtful approach to our regulatory framework, if we are to support innovation by giving firms sufficient certainty and confidence to invest in new technologies and approaches in a way that ensures that risks are appropriately managed.”

4.4 – New Approaches & New Partnerships

4.4.1 – What would a global initiative to transform culture risk governance and supervision in the financial sector look like?

4.4.1a Participants noted that global standard-setters have yet to prioritize culture risk governance and supervision, and urge that greater attention to such would be helpful.

“It’s everyone’s job — regulators, academics, firms, and ultimately taxpayers. 

Academics, particularly in behavioral economics, have made strides in the last 20 years. But central banks remain quite conservative. Their research departments often stick to traditional macro topics — capital adequacy, inflation/unemployment tradeoffs — because they’re more amenable to established methods. 

But understanding behavior during a crisis — on both the bank and depositor side — is first order important. It’s central to financial stability. And yet, we devote few resources to it. We should be doing more. 

Central banks put huge weight on inflation expectations, but we don’t fully understand how people form those expectations — or whether changes in expectations actually drive changes in behavior. 

My colleague Jane Risen, here at the University of Chicago, has studied ‘magical thinking’: you can convince someone that flying is statistically safer than driving, and they’ll still ask for the car keys. That disconnect is real. It can be studied. We just need to care enough to do it. 

I’ve made arguments publicly and privately to encourage focus on these issues. Richard Thaler's work has helped to move behavioral economics from the fringe to the mainstream — even here at Chicago.”

“The last time this culture question was really examined closely was when Julie Dickson chaired the Supervisory Intensity and Effectiveness group under the FSB, after the Financial Crisis. That was around 2010 or 2011, so some 15 years ago. Even then, there wasn’t a proper cross-sectoral comparison; it was more of a theoretical look at the core features of proper risk-culture efforts: risk-culture statements, communication, accountability, etc. We haven’t taken a hard look since at how we’re actually faring since. We should benchmark and learn from each other.

A benchmarking exercise, or even a list of parameters supervisors should look at when thinking about outcome measurement, would be useful. The difficulty is data sensitivity: benchmarking behaviour requires data, and extracting that from a jurisdiction can be sensitive. 

A body like the BIS — given its experience anonymising and standardising data — could help make it less sensitive.”

“This is an issue for international standard setters to take up…. Bringing supervisors together… to explore how best to replicate good practices around the world would be a welcome endeavor.”

“For banks, the Basel Committee is the natural place for standard setting [with regard to questions of culture risk governance and supervision]. For a broader set of financial institutions, it could be one of several other standard-setters — or the FSB.”

“The problem is that in Basel, the BCBS, is really too narrow and technical and there are no other committees that it really fits into. The FSB seems like its mandate is too broad relative to banking. So it’s a good question [to ask who can lead related global efforts].”

“On culture regulation, I don’t think regulators can tell firms what their culture should be. Good regulation can be very simple: firms should define a desired culture consistent with regulatory objectives, assess their actual culture effectively and have a program to close any gap. OSFI’s recent guideline is the best. And it is very short. 

I am not sure there needs to be international standards. But I do think it is helpful for supervisors to share ideas and experience on metrics to assess culture.
For example, what has been their experience with assessment techniques such as:

  1. deep dive reviews by organizational psychologists;
  2. the use of staff surveys;
  3. systematic recording of observations on culture by supervisors; and
  4. the use of Big Data techniques.

It is likely that different techniques are suitable for different cultural problems: for example, if the problem is a passive board or dominant CEO, supervisors might use a different technique to a problem where the first line has little respect for the second line.”

“Supervisors are far from having an internationally agreed framework or the necessary skillsets for comprehensively reviewing culture within banks and other financial institutions, let alone agreeing an approach that could be applied to supervisors themselves. 

Despite repeated shortcomings being identified, relatively little has been done over the past couple decades, from an international perspective, to support the strengthening of supervisory mindset and culture towards one of action. 

Supervisory successes — problems averted — are largely unseen. Yet, when problems in the financial sector occur — as they are wont to do — the supervisor will often be critiqued and told it should have done more. It is the supervisor’s lot to grapple with this tricky balancing act. More support from international bodies to help national supervisors strike this balance this would be a welcome development.”

“I fully agree on the importance of international collaboration, and indeed my own career has involved extensive international work. Simply looking at the global nature of the financial sector, the case for global cooperation is clear. 

What we have also seen in the last few years is that, with a rapidly changing financial sector, the importance of engagement with a wide variety of stakeholders has increased.

Going forward I expect such engagement to only become more important — particularly in the context of an uncertain and changing world, not to mention the increasing digitalisation of finance — with increasingly complex inter-linkages and dependencies outside of the financial system being something that regulators cannot and will not ignore.

We also regularly engage with the public — through regional outreach events and meeting members of the public, as well as our extensive links to academia through our work, including our Research Exchange — a forum for research engagement between our teams and external experts and researchers. Such engagement is crucial to retaining the trust placed in us as a central bank and financial regulator — by building a shared social understanding of the benefits of our work for the public, consumers, and the wider economy.”

“I would say having that discussion at a global supervisory level would be incredibly valuable because supervisors need to be helped to understand why this is important. It should be evident in the prudential role that you play, and for a conduct regulator, the same applies: this taps into why this should be part of your role and responsibilities to address as well. 

On a global level, we should initiate a capability — thinking of an organization like the BCBS — with enough mandate and expertise to truly standardize an approach that can be rolled out across different countries. This would create a global standard for how to do deep dives and for the annual risk identification process, allowing for an industry-wide view. You need to have both of those capabilities. 

There should be a global structural capability to develop and implement this approach across countries, which could then be done in different phases. This is important, along with having ownership within a global group that drives these developments.”

“International bodies have scarce resources, and priorities shift. If members think there are bigger fish to fry, this culture topic falls down on the list. But if we can round up like-minded supervisors around the world — even for a pilot, as a public-private collaborative initiative — that would be worth pursuing. 

International processes of this sort do two things. First, they help ensure we pursue a problem along a similar wavelength — using similar structures — so there’s consistency. US banks operate in Hong Kong, Singapore, Tokyo; cross-border benchmarking is needed. Multilateral benchmarking beats a patchwork of bilaterals. 

Second, major jurisdictions have already invested heavily in this space. It’s in their interest that what they’ve done is exported elsewhere. That makes life easier at the group level — easier to measure performance — so I would expect major jurisdictions to step forward to influence the process and export their values through international work. 

There will be pushback: each jurisdiction is different, with local specificities. Still, if designed properly, it would help — at least around core values, communications, and measuring frontline understanding of risk culture statements.”

“Some standards exist, but most of the standards which mention culture address the culture of the supervised bank and not the culture of its supervisor. So far as supervisory culture is concerned, there are a few expectations that are mostly implicit rather than explicit in publications by the Basel Committee and the Financial Stability Board. 

The periodic Financial System Assessment Program reviews by the IMF can also help to identify cultural shortcomings at supervisors. However, compared to the number of standards which relate to the culture of supervised banks, the standards applying to supervisors and the controls to ensure those standards are followed are not very extensive, rigorous, systematic or transparent.”

4.4.1b Participants described the need to have a forum where public and private sector participants can collaborate to reach consensus on new approaches to culture risk governance and supervision.

“A public-private initiative could be useful, particularly if it is about sharing best practice — what’s proven to work, and where people struggled in the absence of a framework. 

It may lead to a call for accountability regimes for key position holders, enabling evidence based judgment calls and rapid changes. Because if you’ve got a bad apple at the top, just telling those people to write a new policy won’t help. 

This is about the human factor and human interactions. It’s open-heart surgery on corporate governance — and that can be very difficult and emotional.”

“Bureaucratic inertia is a powerful obstacle particularly in developing international conventions. To get traction among supervisors, we’d need a combination of (1) the emergence of a compelling data-driven method for assessing these culture questions, and (2) we’d need that to be presented at a time when the world has been moved off its inertial access. This may be such a time. 

And inertia in the supervisory system can be overcome through leadership from industry. I think there would be less inertia among banks which, right now, are looking for what concrete things they can do to help demonstrate that they are worthy of confidence — from their supervisors, their depositors, and the market. Firms should view this moment in time as an opportunity to demonstrate leadership on this culture issue.”

“MAS closely partners with the industry to elevate culture and conduct standards in our financial institutions. The Association of Banks in Singapore Culture and Conduct Steering Group (ABS CCSG) and the Insurance Culture and Conduct Steering Committee (ICCSC), both established in 2019 and chaired by banks and insurers respectively, are two industry working groups at the heart of such partnerships.”

“It's better if the banks understand that it's in their interest to own this — because not only can it lead to better outcomes, less risk, fewer blow-up kind of events, but it can also lead to better relations with their regulators, better trust, more scope to do what they want to do from a strategic perspective. So I don't really see this as regulator-driven.”

“Both regulators and industry wanted to avoid cycling endlessly through failures. The question is: how do we create tools to make it less likely that good firms will fall short? 

Ideally, both regulators and firms would work on this together. Regulators bring rigor and contrarianism; firms bring practicality. Alone, neither side will get it right. 

And this is where a trusted intermediary could play an important role — to ask the hard questions that regulators may avoid but firms won’t ask themselves.”

“In some markets we are seeing encouraging examples of cooperation — of firms working with one another and with their regulators — so as to better address significant regulatory or systemic risks. US regulators have stayed very informed about those efforts and have encouraged this sort of industry cooperation. 

If a number of firms stepped forward and proposed employing one or more culture diagnostic tools to determine better how to incorporate that into control environments, I think regulators would likely view that quite positively.”

“While we have progressed in our culture and conduct supervision, much more work lies before us for all involved. The regulatory community can benefit from working closely together to share good ideas and sharpen our approaches.

The industry must also own this journey because rules and regulations can only go so far in influencing behaviour, and it is the day-to-day decisions at the financial institution that determine the final outcomes in risk-taking and how consumers are treated. The ultimate goal is clear — a financial sector where sound organisational culture drives prudent risk management and excellent customer service. Strengthening this will remain a priority in our supervisory agenda.”

“It feels like we've got to figure out where interests are aligned. That's where things like supervision actually tend to work — where you've got interests that really are aligned. And so it doesn't take a whole lot for the industry to say, ‘Holy crap, we do need to do that.’ 

It's the leadership. It's the right mix of leadership between the public, private, academic, and industry sectors. It’s having the courage and the wherewithal to push ahead. 

This requires the public and private sectors getting together, but somebody has got to be the leader. We tried a couple of times to get the banks to get together and figure this out. The UK did it with their banking conduct organization [FSCB], but nothing happened in the U.S.”

“We also use regular industry engagement to understand the demand to innovate, for example through regular roundtables and conferences, as well as ad-hoc meetings and supervisory engagement. Through these, we seek to understand where firms are looking to evolve how they operate, or the services they provide, so we can consider how our regulation can support those efforts to develop in a resilient way. And to inform our overall approach to innovation we arranged a bespoke roundtable for industry participants.”

“A big part of our work is broader engagement with colleagues like yourself [Starling Insights], academics, researchers, and very importantly, with civic society. 

In the eyes of the public, particularly after the Global Financial Crisis, expectations for proper governance, risk management, and a healthy firm culture have really come to the fore. We also think about the ultimate goal of what we're trying to do, which is to deliver safe and sound banks for the public. A key element of that is how they're run — the nature of how they're run in the risk management and culture.

 I am generally in favor of international dialogue. Why? Because we don't know everything, and we have to have a certain dose of humility.

Even when we take actions or make supervisory interventions, they may not be fully effective or deliver the desired outcome. Other things can happen in the macroeconomic or financial environment that cause issues, so we are not all-knowing. For that reason, dialogue is very important to get different perspectives. 

But it's also really important that it's not just about industry perspectives. I've mentioned the important role of academics, think tanks, and civic society. I agree that there are common issues and outcomes we want to achieve between the supervisor and supervised entities, and our interests can be aligned. 

We supervise a very large part of the global banking system, so we feel a huge responsibility to participate in international standard setting institutions. We also see an important aspect in benchmarking ourselves: What are we doing? How does that compare with others? Are we keeping up our supervisory standards as things evolve globally? This is all part of being involved in implementing standards and the direction of travel set out by international bodies.”

“The HKMA believes the time is right for closer collaboration among the banking industry, the technology community, and the HKMA to further facilitate the adoption of Regtech in Hong Kong.”

“What often creates problems are new regulations without even consulting the financial industry. Then that is put into a legal text, passed as a law, and then the industry is asked to do an impact assessment to see how things map out. That’s usually not the best way to regulate. 

What is needed is working on regulatory initiatives together. One might find the proposed regulation triggers important unintended consequences. One can then work to eliminate those before going live with a regulation. 

Part of what I’ve really wanted to achieve was more mutual recognition of both sides — public and private — to develop a better appreciation for how either side is doing its best to achieve a common good.”

4.4.1c Other participants express concerns that while coordination may be helpful, that pursuing a uniform approach across jurisdictions may exceed supervisory mandates.

[Responding to whether there is a need for a public-private initiative] “I haven’t found my way to that yet. It would be arrogant of me to say ‘no,’ especially since we have done that in other areas — non-financial risk, integrity and security. So I wouldn’t rule it out. 

But I haven’t seen the need. The most positive impact we can have is to hold boards and senior managers to core principles, and give them comparative feedback on how they’re adhering to those principles relative to peers, without violating confidentiality. 

But going further — into frameworks and metrics — makes me nervous. That’s where we risk crossing the line and starting to define what the ‘right’ values are. And that, to me, is a red line. As soon as OSFI starts defining values for boards, we’ve overshot our mandate. We’ll lose credibility — and our license to supervise. So unless I’m proven otherwise, I’d say: no. The risks of overreach are high. The upside is uncertain. I’m not willing to take that risk.”

“Whilst supervisors might well agree such a framework would be useful, I’m sure they’ll diverge on timing and priority. Standards are set by standard-setting bodies. But priorities matter, and capacity matters. This hasn’t been built before because it’s hard to do and other priorities have taken precedence — right now, for example, Basel implementation, in multiple jurisdictions.”

4.4.1d Participants argued that supervisors can draw on third-party experts to help establish a common framework for culture risk governance and supervision.

“Third parties are already used for some things. On the quantitative side, we’ve used independent experts to review areas like regulatory reporting across firms and allow us to make cross-firm comparisons. 

Firms also commission their own board-effectiveness reviews, which touch culture and governance, from independent experts who can benchmark them. That informs both firms and supervisors. 

It doesn’t have to be the supervisor doing every assessment, though we have a strong interest in the outcome. It could be a third party.”

“Ultimately, this comes down to leadership. If central bank governors and deputy governors don’t prioritize this, nothing happens. If they do, they create powerful incentives for research departments to engage. Yes, it’s high-risk research, and yes, there will be dead ends — but that’s the nature of innovation. You learn even when something doesn’t work. 

In traditional areas, incremental progress is easier to measure. In behavioral and culture-related areas, the payoff might be harder to define, but potentially much larger. You have to design institutions that reward calculated risk-taking in research, just like in the private sector. 

First and foremost, you need senior leadership — presidents, governors, chairs — saying: “This is a priority.” Without that, nothing moves. Then, assign a point person internally. Make it someone whose job it is — publicly and privately — to champion this. That person can then use the institution’s convening power to bring in outside voices — academics, behavioral scientists, organizational psychologists. 

The leader should show up. Deliver opening remarks. Sit in the sessions. That signals seriousness. It also incentivizes PhD students and academics to do work that’s relevant to central banking. There’s a wealth of underused data in financial services that could be mined with fresh behavioral insights. But unless the institution makes it a priority — and allocates resources accordingly — nothing will happen at scale. 

Institutions like the BIS could play a role, since they cut across jurisdictions. 

Look at what Mark Carney did with climate risk. It was previously seen as irrelevant to central banking. Now almost every central bank is doing work on it. Some more than others, but still, it’s on the agenda. That shift started with a leader who cared, made hires, convened discussions, and gave the issue status. Culture could follow that path. But it takes leadership.”

“Culture is important across all financial institutions, not just banks. Thus the development of identifiable markers of culture should be sponsored by a body that spans all financial institutions — which, in our current international regulatory architecture, is the Financial Stability Board. 

The FSB worked with the private sector over many years in a public-private partnership to develop and encourage the use of broad disclosures on exposure to climate risk (the Task Force on Climate-related Financial Disclosures, or ‘TCFD’). A similar project on data-driven cultural metrics would be a very sensible topic for the FSB.”

“I still think we need to refresh governance expectations first and situate culture within risk governance. Much of that work hasn’t been updated in a decade. 

Ultimately, I don't think this is for the FSB to solve. Additionally, I believe that a different subject matter expert is needed beyond those who specialize in capital and liquidity. Therefore, I’m not sure if standard setters alone are the answer either. 

The TCFD climate work is instructive as an analogy: new groups of SMEs formed, moved the dial, and then it circled back to standard setters for consideration and, where applicable, integration. 

I’d do something similar here: don’t punt it directly to standard setters. They’re already figuring out their role in a changed world. If we want traction, we should create a focused initiative — not a research project, but a purpose-built venture that can deliver, then hand off to whoever’s best positioned to operationalize. In short: an incubator, not a standard setter.”

Responses to Chapter Questions and Other Commentary

4.1 (a) What is needed to ensure that culture risk supervision becomes a durably embedded and routinized feature of supervisory regimes, rather than a secondary or transient concern?

See response to 3.1.(a).

– American Bankers Association

4.1 (b) What structural, political, or institutional barriers have hindered progress on developing sound protocols for culture risk governance and supervision? What conditions are needed to overcome them?

As stated previously, ABA recommends that the supervisory agencies issue interagency, nonbinding, principles-based supervisory guidance providing examiners with guiding markers on how to assess an institution’s Risk Management Practices. The focus should be on material financial risks and provide that supervision should be tailored to the institution’s size, complexity, and risk profile. Recognizing differences among the institutions the supervisory agencies examine – community banks, mid-sized financial institutions, and larger, more complex financial intuitions – ABA acknowledges that developing interagency guidance would be challenging and will require careful tailoring.[6] However, providing principles-based guidance will provide financial institutions with a starting point in developing or enhancing their Risk Management Practices.

[6]. The Office of the Comptroller of the Currency (OCC) issued a notice of proposed rulemaking (Proposal) to amend its guidelines relating to heightened standards for insured national banks, insured Federal savings associations, and insured Federal branches (Guidelines). In the Proposal the OCC acknowledges that the Guidelines, as currently formulated, establish overly prescriptive standards for banking organizations’ design and implementation of a risk governance framework and how boards of directors must carry out their oversight responsibilities. ABA recommended the OCC rescind the Guidelines, or in the alternative, to revise and replace the Guidelines with nonbinding, principles-based supervisory guidance.

– American Bankers Association

4.1 (c) How can transparency in supervision be advanced in ways that protect confidentiality but also strengthen public trust, enable peer learning, and reinforce the legitimacy of culturerelated interventions?

4.2 (a) What enabling conditions can foster innovation — within supervisory bodies and among firms alike to help accelerate the development, testing, and adoption of new tools, metrics, and practices for addressing culture-driven risks?

Can innovation – new tools and metrics – give supervisors a better sense of an institution’s culture? As part of an examination, supervisors review strategic plans, risk appetite statements, policies and procedures, Risk Management Practices, committee and board minutes, incentive compensation and performance management programs, and various reports and dashboards. Through this review examiners try to figure out if the institution’s practices align with policies and procedures – basically, are the institution’s employees really doing what their frameworks, programs, and policy documents say they should be doing? Are examiners, however, getting a sense of what the firm’s culture truly is just by reading documents and reviewing metrics in reports and dashboards?

For example, examiners can review loan committee minutes to see if any loan policy exceptions were discussed or if any “effective challenge” took place; however, that will depend on what was documented in the minutes. Examiners have loan discussions with management and senior lending officers, but those conversations typically focus on individual credit relationships and any adverse classification. Examiners may also review an institution’s incentive compensation program, but most likely focus on compliance with outstanding interagency guidelines.[7] This is well and good, but will the examiners have a true sense of what activities are really being awarded? Examiners could interview an institution’s employees and ask probing open-ended questions to get more details; however, how open and transparent will an employee be to an exam team to help them understand the institution’s culture?

The question for supervisors is how best to train examiners to understand an institution’s risk culture efficiently and effectively beyond written documents and various metrics? And, how does an examination team determine what the institution truly values? It is one thing to read a strategic plan, an incentive compensation program, and a loan policy for compliance with laws, regulations, and supervisory guidance. But, it is a completely different thing to connect what is written in these documents to what an institution’s employees are actually doing to determine its culture. It gets even harder when examinations are moving to hybrid and spending less time on site.

Pointing out the challenges of this aspect of supervision is not to say that they are insurmountable, and certainly not that the question is unimportant. These concerns do, however, underscore the modesty and circumspection with which supervisors should attempt to define the role of an institution’s culture in the supervisory process.

[7]. See Guidance on Sound Incentive Compensation Policies published at Federal Register, Vol 75 No. 122, 36395 (June 25, 2010).

– American Bankers Association

4.2 (b) What can be done to help supervisors move promising innovations in culture risk supervision beyond pilots and into more widespread and durable practice?

4.2 (c) What barriers do firms face in evaluating, testing, and implementing new tools or innovative governance frameworks for addressing culture risk governance?

Firms need to stress alignment among risk management policies and business practices, e.g., assuring that risk management considerations receive appropriate consideration alongside opportunities for increased sales, revenue generation, etc. Important elements are hiring and compensating risk managers as well as first-line managers and personnel and compensating and promoting staff consistent with stated risk management policies in addition to achievement of other business metrics. Moreover, the firm should make clear that risk management is part of everyone’s job description in appropriate ways, and management should train and mentor more junior staff in appropriately balancing returns and risk.

In addition, after prescribing all the appropriate elements, firms must establish means of confirming consistent performance. Aligned behavior should be confirmed in day-to-day management oversight of employees, through performance evaluations and informal feedback, and, as noted, through aligned compensation and promotion. Staff should see that rewards accrue from the behavior, including risk sensitivity and controls, that the firm says it desires. It is axiomatic that staff will observe any inconsistencies and adapt to what the firm actually rewards. Management must develop methods appropriate to the specific firm to confirm that its directions are followed.

– American Bankers Association

4.3 (a) What kinds of tools, processes, or evidence trails might help to enable boards and executives to demonstrate credibly that a firm’s cultural dynamics are aligned with its governance structures, business model, and risk tolerance?

The answer to this question is necessarily highly firm-specific. As noted in 4.2(c), however, management can be vigilant in aligning compensation and other personnel decisions with the behaviors it requires of staff. Tracking compliance with risk limits, e.g., violations of trading position or exposure limits, can identify failures of risk governance (specifically, behavior inconsistent with policies, thus cultural failures as defined, at least when the failures are persistent) before actual losses occur. Tracking such instances with reporting to senior management, including managers outside the specific first-line function in question, are commonly used processes to demonstrate to what extent the culture of risk management and compliance is effective.

Also relevant to compliance, but transcending it, is monitoring of customer and vendor/counterparty complaints and other performance issues. An employee compliance hotline or second channel through which concerns (whether about management of material financial risk or something else) reach senior management are also useful early warning tools. As noted earlier, some but not all cultural concerns are appropriate subjects of supervisory interest, and channels like these can capture those as well as others of concern to management.

– American Bankers Association

4.3 (b) How might the industry and supervisory bodies come together to establish a common evidentiary basis for assessing culture risk governance?

In most if not all of the issues ABA has addressed, the first response is the responsibility of firm management. When management addresses risk management, compliance, reputation, and brand, supervisors can assess the subset of those issues appropriate for their consideration and review the consistency of the firm’s actual operations and results with its stated principles.

– American Bankers Association

4.4 (a) What is the ideal forum for encouraging public and private sector participants to work together in an effort to reach consensus around common approaches to culture risk governance and supervision? What factors need to be in place to support success in that direction?

In theory a global consensus may sound desirable. Though global collaboration has produced many useful innovations in financial regulation and supervision, e.g., the Basel Committee on Bank Supervision, it does not include private-sector participants.[8] Moreover, in addressing supervision of risk management governance, it is essential to keep in mind not only that each firm has specific needs and standards for addressing them, but also that global financial services markets are highly diverse, and both institutional structures and supervisory regimes differ significantly across those markets. Thus, a single approach is unlikely to work well across markets, and different concerns will likely arise from one to another.

At the same time, globally active firms must not face undue burdens from conflicting national supervisory standards. Markets are highly efficient channels for moving capital and allocating credit, and erecting barriers in one sector (such as regulated financial institutions) will quickly lead to changes in flows, including movement of financial activity outside the regulated and supervised part of the market altogether. The ultimate goal of effective risk management therefore again requires a careful balance.

[8] It does, however, routinely propose draft policy positions and draft regulatory text for public comment.

– American Bankers Association

4.4 (b) Who should take responsibility for leading international collaboration on culture risk governance and supervision, and what kind of mandate or structure would give such leadership legitimacy?

Thank you!

Your submission has been received.

Submit Your Comment

Drop files here or click to upload