

The global regulatory landscape on conduct risk for the financial services industry

Conduct and mis-selling continue to be areas of intense scrutiny for regulators, investors, and consumers, as financial institutions (FIs) in particular respond to the perceptible decline in consumer trust that institutions of all kinds are experiencing.

August 30, 2018 | Financial services

Years after the global financial crisis, the regulatory focus on conduct persists, and firms continue to face regulatory pressure to have the necessary frameworks in place to manage conduct and culture.

Culture, conduct, and compliance represent three interrelated dimensions that intersect to create fair outcomes for customers and help protect market integrity. Conduct is a lens into the culture of the organization. Conduct failings have materialized across several jurisdictions, cut across the organization, and can be characterized as workplace misconduct, poor sales practices/mis-selling, and market misconduct.

Conduct is when an organization’s behaviors and practices deliver fair and suitable outcomes for customers, employees, suppliers, and markets.

– The Deloitte perspective

This blog will focus on mis-selling and the regulatory changes taking place in Canada, Australia, and the United Kingdom, and will provide a point of view on what proactive organizations should consider as they keep in line with the evolving global regulatory expectations in this domain.


Misconduct and mis-selling are not new topics; Canadian regulators have been addressing a series of misconduct issues in recent years:

  • In 2014, a large Canadian bank came forward following allegations by the Ontario Securities Commission (OSC) staff that there were "inadequacies" in their investment services' systems of controls and supervision. Similar allegations for other major Canadian banks followed. The OSC and the bank settled, with penalties and reimbursement of mischarged clients.
  • In March 2017, whistleblowers at a large Canadian bank spoke out to “Go Public” CBC Media on the "incredible pressure" to squeeze profits from customers by signing them up for products and services they do not need.
  • Following the CBC Go Public report, the Financial Consumer Agency of Canada (FCAC) announced that its next review of business practices in the federally regulated financial sector would commence in April 2017, and it released its public review of domestic banks' retail sales practices on March 20, 2018.
  • The “FCAC found that retail banking culture encourages employees to sell products and services, and rewards them for sales success. This sharp focus on sales can increase the risk of mis-selling and breaching market conduct obligations. The controls banks have put in place to effectively monitor, identify, and mitigate these risks are insufficient.”
  • On May 28, 2018, the FCAC Commissioner Lucie Tedesco presented at the hearing of the House of Commons Finance Committee for the study of Consumer Protection and Oversight in Relation to Schedule 1 Banks.
  • During the Commissioner’s briefing, she stated that the FCAC’s report published in March 2018, titled Domestic Bank Retail Sales Practices Review, did not “address alleged breaches of the consumer provisions of the Bank Act or relevant regulations. If potential breaches were identified during the course of the review, the allegations are being investigated separately as part of our normal enforcement process.”
  • Potential cases of banks breaking the rules during the review are under investigation.
  • The FCAC will reinforce its supervisory and enforcement teams and implement a modernized supervision approach that will allow it to monitor banks more proactively.


Australian Prudential Regulation Authority

The Australian Prudential Regulation Authority (APRA) launched a prudential inquiry (August 2017) that identified weaknesses in the Commonwealth Bank of Australia (CBA), concerning its non-financial risk management practices.

  • In the final report released in May 2018, APRA disclosed the results of the formal prudential inquiry that identified the shortcomings and the root causes in CBA’s non-financial risk management practices.
  • Although the investigation focused on CBA’s non-financial risk management process, the scope, underlying approach, and recommendations from the prudential inquiry provided insights on how other similar organizations could enhance and improve their non-financial risk management process.
  • The inquiry revolved around the term “non-financial risk” which refers to compliance risk, operational risk, and conduct risk.
  • APRA included conduct risk as one of the three key pillars of “non-financial risk” in parallel with operational risk and compliance risk, highlighting the significance of conduct risk when it comes to non-financial risk management.
  • CBA has also entered into an Enforceable Undertaking (EU) with APRA. One of the terms of the EU requires appointing an APRA-approved independent reviewer to report to APRA every three months commencing September 30, 2018, in compliance with the EU.
  • In addition to the focus on CBA, APRA requested all large regulated entities perform a self-assessment using the same terms of reference as those used in the prudential inquiry of CBA.

Royal Commission investigation 2018

After accusations of customer exploitation and corporate fraud within Australian banks surfaced, the Australian government established the Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry in 2017. The commission is to inquire into and report on misconduct in the banking, superannuation, and financial services industry. The inquiry began in February 2018:

  • The Commission is tasked with investigating whether any of Australia’s financial services entities engaged in misconduct and if criminal or other legal proceedings should be referred to the Commonwealth. It’s also been tasked with considering whether sufficient mechanisms are in place to compensate victims.
  • Commissioner Kenneth Hayne said the inquiry would examine misleading and deceptive behaviour in the industry and conduct which fell "below community standards and expectations."
  • With the Royal Commission, that scrutiny has now significantly increased; it is highlighting the costs and consequences of financial services misconduct and has covered case studies of some very poor conduct, with clear and devastating costs to customers.
  • The Royal Commission is bringing transparency to the problems of misconduct in the financial services sector, including consideration of the potential origins of this misconduct, and in doing so, highlighting a new theme within this context of the importance of community expectations and community standards.
  • The Royal Commission will run through the rest of this year. An interim report is due in September 2018, and the Commission is due to table its final report on February 1, 2019.

Banking Executive Accountability Regime 2018

Community anger over overpaid bankers treating customers poorly resulted in the Australian government passing the Banking Executive Accountability Regime (BEAR) Bill. The Bill is being implemented in stages which commenced on July 1, 2018. It is an attempt to help restore public trust in banks.

  • BEAR applies to all authorized deposit-taking institutions (ADIs), their subsidiaries, and Australian branches of foreign ADIs.
  • BEAR will require directors and senior executives to meet heightened accountability obligations in addition to deferred remuneration and notification obligations.
  • APRA is responsible for overseeing BEAR and its expectations on banks and other ADIs, as well as senior individuals, to deliver good prudential outcomes, and improve standards of behavior and accountability.
  • Banks now need to prepare to undertake more compliance obligations—defining of roles and responsibilities, and remuneration planning—than what currently exists.

Australian Securities and Investments Commission (ASIC) is incorporating culture into risk-based surveillance reviews for the entities they regulate, looking at remuneration structures, rules around conflicts of interest, complaints handling, whistleblowers, and timeliness of breach reporting:

  • ASIC had been advocating for upgrades to its powers and penalties; in response, there was a recent joint announcement from the Treasurer and Minister for Revenue and Financial Services that the government will significantly upgrade ASIC's penalties and powers, following the recommendations of the Enforcement Review Taskforce.
  • The announcement laid out several reforms, which, together with other regulatory reforms will play an important part in addressing the 'trust deficit' and improving standards in the financial services sector.
  • The proposed new reforms will bring accountability to issuers and distributors of products.
  • It will require them to establish processes and controls for ensuring products are designed with customer needs and understanding in mind, and are marketed to the section of the population for whom they are useful and appropriate.
  • The government is still considering the scope of this power, but the reform signals that responsibility for good consumer outcomes runs from start to finish.
  • ASIC has also been developing its use of data analytics to improve its ability to identify, analyze, and respond to risks, and to achieve better consumer outcomes.

United Kingdom

In March 2018 the Financial Conduct Authority (FCA) published a collection of essays on transforming culture in financial services. The intent of the publication was to encourage discussion on transforming culture within FIs. There are four emerging themes from the publication:

  • There is a ‘right’ culture in financial services; dependent on circumstances, but characteristics of the right culture exist and are suggestive of good outcomes.
  • Managing culture—the role of regulation; to use rules and supervision to create the right incentives and to provide tools to diagnose the key characteristics.
  • The role of reward, capabilities, and environment in driving behaviors—influences to create the right incentive for good culture.
  • Leading cultural change—critical for creating the right culture.

In July 2018 the FCA published its Approach to Consumer paper, alongside discussion papers on Duty to Care. These documents outline the measures the regulator will take to protect consumers and set out when and how the organization takes action. Together, these documents aim to ensure there are no gaps in protection for consumers in the financial sector:

  • The documents explore the possibility of a new duty of care that might enhance good conduct and culture, and provide additional protections for consumers; they also provide insight into what these changes might look like.
  • The FCA’s expectations with respect to the Approach to Consumers were initially published November 6, 2017, and outline how consumers should be treated by financial firms and where the FCA will intervene if things are going wrong.
  • The document also outlines the scope of powers the FCA could administer to ensure consumers are protected, specifically some of the most vulnerable people in society. It also outlines what the FCA believed to be a well-functioning market, and how and when the FCA will protect consumers and its policy positions on key issues.
  • The Approach to Consumer and the Duty to Care publications are part of this continuing direction.
  • The FCA is asking stakeholders to review and provide comments by November 2, 2018.

Suggestions for better outcomes

The vast majority of regulators, including APRA, continue to assert that financial institutions have not done enough to understand and improve culture. Regulators across the globe continue to scrutinize financial institutions over misconduct issues, and they will draw on the experience of other jurisdictions. Understanding and addressing the drivers of misconduct are essential steps in improving standards of behavior—like being able to identify key conduct risks and designing pre-emptive enterprise-wide conduct programs—and meeting regulatory and marketplace expectations. Culture and conduct are lenses that surface the drivers of undesirable behavior and detrimental outcomes.

When considering the strength of your organization’s approach to conduct risk, the following questions can be asked:

  • How does the FI’s culture balance commercial drivers and achieving good outcomes for clients?
Governance strategy and implementation:
  • Is there a clearly defined and coordinated governance and oversight structure in place?
Performance and compensation:
  • How do performance management systems integrate both financial and nonfinancial performance metrics that have a greater emphasis on fair consumer outcomes as opposed to customer satisfaction?
Data and analytics:
  • Does the management information system and data analytics provide you with the necessary reporting and insight demonstrating that the organization has taken reasonable steps to understand and manage conduct risk?
Risk and controls:
  • Does the institution perform a comprehensive conduct risk assessment to identify key risks and areas of vulnerability?
  • Does the control framework provide appropriate coverage of all risks based on the results of the risk assessment?

A clear understanding of the gaps between future state and current state of non-financial risk management, and selecting and implementing controls accordingly to close the gaps, can allow banks to achieve long-term sustainability. As the drivers of misconduct can be diverse, the work to gain insight and restore trust can arise from multiple areas and at multiple levels.

Our final thoughts on how to keep in-line with global regulatory expectations as they evolve include:

  • Prioritize financial consumer protection, fairness, and product stability.
  • Ensure that effective monitoring and reporting of mis-selling obligations is embedded into sales practices governance.
  • Improve oversight, management, and reporting of customer complaints.
  • Ensure financial and non-financial incentives motivate employees to work in the best interests of their consumers.
  • Ensure internal controls adequately address sales practices risk and that the risk management function is involved in the right steps of the risk management cycle in order to provide relevant input to the business (e.g., not only post fact).
  • Ensure that the roles, responsibilities, and interactions for effective conduct risk management between and among operational risk, human resources, compliance, legal, and internal audit are clear, transparent, and well understood.

Three different regions, many different regulators, one common theme: all FIs are now under the conduct spotlight, judged by the 1 percent of what goes wrong, not the 99 percent of what goes right. Conduct risk will continue to be a growing focus in Canada.

Our Deloitte Canada teams are continuously working with the Deloitte Touche Tohmatsu Limited network of member firms who have been active in working with leading financial institutions responding to sales practices and conduct risk events. We can help you be conduct “fit” for today and more importantly tomorrow. To join the conduct conversation, reach out to Jay McMahan or Luiz Dias.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Contact us

Jay McMahan
Executive director
Center for Regulatory Strategy, Canada
Deloitte Canada


Luiz Dias
Deloitte Canada


Christopher Spoth
Executive director
Center for Regulatory Strategy, Americas
Deloitte & Touche LLP
