Revisiting conduct risk management in the COVID-19 era with updated DOJ criteria

Abstract

Conduct risk refers to behaviours of firms, including financial institutions, which may result in poor outcomes for the consumer. Conduct risk arises in financial institutions due to the nature of various client relationships, many of which include fiduciary duties, as well as due to the impact that financial institutions make on the world’s financial markets. Financial institutions have always managed conduct risk. In the years since the financial crisis, conduct risk has been the subject of increasing scrutiny, as regulators across jurisdictions expanded requirements to address various types of misconduct. The coronavirus disease 2019 (COVID-19) associated health and economic crisis has created new pressures, incentives and opportunities that can lead to heightened conduct risk exposure as institutions adapt to an ever-increasing volatile market and changes to their operations and control environment (eg professionals now must work from home). As individuals attempt to exploit the pandemic, both the institutions and customers are at greater risk. Regulators, aware of the changes brought about by COVID-19, continue to expect firms to take responsibility, and identify and manage their risks and regulatory obligations. COVID-19-heightened conduct risk exposes financial institutions to large fines and penalties, regulator imposed business restrictions and brand dilution. Senior management face potential regulatory disciplinary action and loss of professional reputation. On 1st June, 2020, the Criminal Division of the US Department of Justice (DOJ) published updates to its guidance on the Evaluation of Corporate Compliance Programmes. This guidance helps institutions to assess the effectiveness of their compliance programme through the consideration of various factors, including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance programme. This paper suggests practical steps to identify and mitigate increased conduct risk arising from COVID-19. Financial institutions subject to US jurisdiction can apply these same steps to meet the June 2020 updated US DOJ criteria of corporate compliance programmes and enable firms to assess the effectiveness of its compliance programme in identifying and managing risks arising from COVID-19. Companies that meet the DOJ criteria earn substantially reduced penalties and stand a good chance of avoiding criminal charges and a government-imposed monitor. The first step is to transfigure (mis)perceptions that Conduct Risk Management is bad for business and convert detractors into supporters by demonstrating a positive ‘return on investment’. It is essential to include stakeholders across first line of defense business units and second line of defense control functions. Firms should fully document efforts to address conduct risk and ensure a culture of compliance and integrity so that the organisation gets full credit for its work to prevent and detect misconduct, should a regulatory inquiry arise. With this firm foundation, financial institutions should update the conduct risk assessment as an ineffective risk assessment is the common root cause for corporate scandals. Once they identify new and emerging inherent risks, financial firms should test the efficacy of responsive policies, processes and controls to determine residual risks that create a reasonable likelihood of significant legal, reputational or financial impacts arising from misconduct strengthening or expanding forensic data science and analytics can be particularly helpful in limiting opportunities for would-be wrongdoers. With this effective framework in place, financial institutions can mitigate often overlooked or underestimated conduct risks either amid a crisis or under business-as-usual conditions.