Outrageous behavior by employees within the global financial services industry has put boards and regulators on high alert regarding whether their companies are acting in the best interest of their customers. Recent scandals include Wells Fargo’s cross-selling program, where employees were pressured to open new bank accounts and issue credit cards for customers without their knowledge. At Australia’s Commonwealth Bank, some financial advisors charged clients service fees even when there was no record of services being provided. The fallout from these and other scandals has included massive dismissals of staff, millions of dollars in fines, loss of customer confidence, and reputational damage.
Successful financial services companies view their customers as the heart of their business. These companies are focused on the continuous delivery of quality products and services that produce a fair and suitable outcome for their customers. Regulators and corporate boards expect companies to measure and demonstrate appropriate conduct toward their customers. Inappropriate, unethical, or unlawful behavior by the organization’s management or employees that leads to poor customer outcomes is not acceptable.
Today, conduct issues pose a great risk to a company’s success and sustainability. In addition to regulatory fines, companies that do not mitigate conduct issues may face a quick trial by “word of mouth” on social media that could result in reputational damage and loss of trust. Once a story gains traction on social media, it may be nearly impossible for an organization to manage the crisis and respond in time to correct the misconduct. That’s why internal audit departments should play a significant role in assessing whether their organization’s conduct risk framework is fit for purpose and in identifying potential blind spots that management needs to address.
Conduct Audit Tips
Effective mitigation of conduct risk looks beyond mere compliance with laws and regulations while putting the customer’s interests first. Auditors charged with assessing conduct risk within an organization should:
- Avoid a “check-the-box” approach.
- Be customer-outcome focused by looking at behaviors from the customer’s perspective. For example, in looking at a product offering, auditors should ask whether the company did right by the customer.
- Go beyond regulation to call out detrimental conduct risk that is embedded in the organization’s strategy, values, and culture.
- Don’t just focus on “hard” controls. Auditors should look at soft controls that can give them a feel for how business is conducted outside the formal audit program. For example, does the culture encourage employees to meet aggressive or unrealistic sales targets?
- Seek specialist knowledge from external experts if the organization lacks such expertise in-house.
- Emphasize reporting and data analytics to identify potential conduct blind spots.
The main challenge for internal auditors is that each organization’s conduct risk profile is unique and there is no “one size fits all” prescribed framework for assessing behaviors toward customers. As a result, there is no standardized approach to auditing conduct risk. As large financial services organizations operate in multiple jurisdictions, with different legal and regulatory environments, the ability to design an audit program that can depict a timely and holistic view of conduct becomes complex.
Another challenge in assessing conduct risk is that public sentiment and societal norms are constantly evolving. What was considered acceptable behavior in the past may be viewed differently today. For example, in the past it was considered acceptable to smoke in the workplace, but today smoking in offices is viewed as unacceptable and is illegal in many places.
Similarly, in the financial services industry, the adoption of technology and democratization of information have dramatically changed what are considered acceptable fees to charge for mutual funds. Average mutual fund fees or expense ratios have declined substantially over the past 20 years from in excess of 1% in 1996 to a fraction of a percent in 2019. Auditors need to understand not only their organization’s operations intimately, but also the regulatory and societal expectations.
To evaluate whether an organization is acting with integrity in dealing with its customers, internal audit should assess whether the business designs and sells products and services in the best interest of the customer. As culture and conduct risks are interconnected, auditors should consider multiple factors that drive conduct and behaviors, including:
- Corporate governance.
- Incentive schemes.
- Product development.
- Sales practices.
- Fees and charges.
- Customer service.
- Complaints handling.
In general, a strong customer-focused culture leads to fewer conduct failings and helps to mitigate conduct risk. Internal auditors should leverage any previous audit work covering corporate governance, culture, and ethics in their conduct assessment. They should align their audit approach to the scale, business model, complexity, geographical reach, and regulatory environments in which the organization operates. Auditors should provide assurance on the design and effectiveness of controls over conduct risks and determine whether the controls in place are adequate and effective to mitigate the risk of poor customer outcomes.
In developing a structured approach to systematically assess conduct risk, auditors need to determine whether a top-down, bottom-up, end-to-end, or integrated audit is best suited for their organization. Regardless of what approach auditors select, the organization’s conduct risk framework is key. This framework should be anchored around the organization’s business strategy, risk appetite, culture, and values.
Top-down
The top-down audit approach starts by assessing the adequacy of an organization’s conduct risk framework and how the framework translates into policies. Then it drills down into how existing processes and controls over governance, risk appetite, culture, and behavior mitigate conduct risks.
Bottom-up
In the bottom-up audit approach, auditors assess the processes and controls within a business unit to determine whether conduct risk is mitigated. Auditors then can aggregate the conduct risk results of each audit into a thematic paper for effective communication to the board and senior management.
End-to-End
This audit approach evaluates the customer interaction value chain in its entirety. The customer interaction value chain comprises:
- Product design.
- Sales practices.
- Claims handling.
While comprehensive, the drawbacks of this approach are the staffing required to complete the audit and the risk that findings are communicated late.
Integrated
In the integrated audit approach, internal auditors consider aspects of conduct risk in every audit of a business unit (see “Integrated Audit Example,” at right). Such audits can range from an evaluation of sales practices during an underwriting audit to looking at incentive schemes and training programs during a regulatory compliance audit. Auditors would report any conduct risk findings as an issue in each applicable audit.
Conduct Blind Spots
Internal audit’s holistic view of an organization positions the department to identify potential conduct risk blind spots by assessing the organization’s underlying culture and conduct toward customers. Moreover, in their advisory role, auditors can highlight specific departments and individuals as role models whenever they find exemplary behavior and best practices in conduct risk mitigation. These actions can help ensure the organization’s conduct stays on the straight and narrow.