Just a few bad apples? The importance of culture and governance for good banking

Speech by Andrea Enria, Chair of the Supervisory Board of the ECB, at a Conference of the Federation of International Banks in Ireland, Dublin, 20 June 2019

It seems fair to say that the public image of banks has suffered quite a lot over the past few years. For a start, there was the financial crisis. Banks took on excessive risk, the entire sector came close to a meltdown and, to bail it out, taxpayers’ money had to be deployed on an unprecedented scale. Growth and jobs in our economies suffered greatly as a result.

Then, the culture and practices that had become commonplace in the run-up to the crisis generated a wave of scandals, which further tarnished the image of banks. Banks helped to launder money and evade taxes; they manipulated market benchmarks, thus harming their own customers; and they tried to alleviate funding and profitability pressures by mis-selling their products to retail clients. Only some of them did this, of course, but they destroyed a great deal of trust in the sector as a whole.

The initial reaction of banks was to attribute responsibility to a few “bad apples” and to distance themselves from the problem. But when the pipeline of scandals showed no sign of drying up, it became clear to everyone that simple PR efforts were not enough. In the banks’ own interests, more profound changes to culture, organisation and practices were needed. After all, banking is built on trust.

And progress has been made in recent years to improve governance, conduct and culture. Still, I will argue that the journey is far from complete. Because the challenge is not to get an issue fixed, possibly with the help of consultants, and forget about it. As recognised in a recent G30 report[1] persistent and focused efforts are still needed to achieve a “permanent mindset change”.

Good governance, good decisions, good results

The problems we observed in the banking industry had one thing in common: they all started with someone taking a bad decision. Someone decided to take on too much risk, to put the immediate interest of the bank before the longer-term interests of the customers, or even to break the law. And from there, problems emerged – from small losses to high-profile litigation to full-blown financial crisis.

Hindsight, of course, is always 20/20. It is easy to identify a bad decision after its destructive consequences have materialised. But it might not be so easy ex ante – unless intentional misbehaviour is involved. Research in the field of cognitive science, for instance, shows that each of us is prone to taking bad decisions. Daniel Kahneman and Amos Tversky[2] have provided us with plenty of examples of everyday decisions we take wrong, We frequently takethem in the heat of the moment, without making good use of the information available to us. If we add factors such as incomplete information or conflicts of interest into the mix, the decision-making process becomes more complex still.

Repair measures thus need to focus on the fundamental drivers of decision-making at banks. First and foremost, culture. Decisions are always embedded in and guided by culture. For banks, this aspect has received more attention since the crisis. And the importance of culture is backed up by research. Experiments indicate that bankers behave differently when reminded of their professional identity – and not always in a good way.[3]

The tone from the top has an important role to play, but it is not enough: a sound culture has to be embedded at all levels of the organisation, with particular attention to middle management and frontline business. A working environment has to be created in which staff are not afraid to speak up and challenge decisions, so that the organisation is not hostage to groupthink. A cultural shift is needed also in the set of incentives provided at all points in the decision-making chain.

I realise that the European banking industry now faces a steep challenge to recover profitability from very unsatisfactory levels; but it would be a mistake to focus solely on quantitative profit targets, at the expense of integrity, customers’ interests and the long-term viability of the institution.

As supervisors we take a close look at a bank’s culture, and its risk culture in particular. But ultimately, culture is defined by those who work at the bank. A true cultural shift has to come from within.

Culture defines the soft rules that people play by. But there are more tangible rules as well – and this is where regulators and supervisors come in. I am thinking of governance, of course. And to give you a headline figure: in our 2018 Supervisory Review and Evaluation Process, or SREP, around 75% of banks scored at the lower end of the scale on governance and risk management.[4]

This shows two things: first, it takes time for reforms to set in; second, banks have not done enough so far. Thus, there is an issue. Because it is the governance framework of a bank that defines the internal checks and balances, the processes and safeguards that keep decision-making on track.

But what does “on track” mean? Where do the tracks lead? Sometimes, it is straightforward. When it comes to legal requirements, the objective is clear-cut: play by the rules. But sometimes, it is less straightforward. For risk-taking, things are more ambiguous. Here, it is up to the banks to define their objectives. Each bank has to carefully define its own risk appetite and stick to it.

Straightforward or not, staying on track is as much about control as it is about incentives. A good governance framework addresses both these things. Let’s first take a brief look at control mechanisms, starting at the very top, with bank boards.

The role of bank boards

Boards are the top layer of any system of control – the last line of defence, if you like. It is up to them to oversee and challenge the work of executives and of control functions such as risk management. Boards play a key role in good governance, and banks have certainly come a long way on this since the crisis. But there are still areas for improvement.

It all starts with the people, the board members. Here the usual “fit and proper” criteria apply. Board members must have the right experience, and they must be free from conflicts of interest, for instance. While these criteria are all laid out in the Capital Requirements Directive (CRD IV), Member States have implemented them in different ways. This should change. We need fully harmonised criteria in order to properly assess the suitability of board members across the entire euro area and to ensure a level playing field.

So, the individuals you have on a board are important. But ultimately, the whole is greater than the sum of its parts. In other words, boards need to have the right mix of members. There is a need for diverse perspectives, experience and knowledge. Each member of a board does not need to know everything there is to know about any one thing. But collectively, they should. Otherwise, the board will be less able to challenge decisions and do a good job. Gender diversity also plays an important role.

And this is a continual learning process; the business of banking is constantly changing, and boards have to keep up. Take digitalisation as an example. It not only introduces new tools, such as artificial intelligence. It also changes business models and the way banks work – think of outsourcing to cloud services. And while this offers new opportunities, it also creates new risks. Boards must understand how these new things work because only then will they be able to assess both the opportunities and the risks. This is what we expect from boards and we certainly see room for them to improve in this regard.

Let’s assume that a board brings together the right people – independent thinkers with just the right knowledge. That would be great, but it’s not enough. These people would still depend on good information, on sound data. Here, the Basel Committee on Banking Supervision guides banks through its BCBS 239 standard on risk data aggregation and risk reporting. To me, this is a key standard, but we find that many banks have been slow to implement it – for instance when it comes to having the right IT infrastructure in place. So, we will continue to focus on data quality, and we will keep digging deeper, not least through on-site inspections and deep dives. And this applies to all banks, large and small, taking into account proportionality, of course.

All the things I just mentioned serve one purpose: to ensure a good debate within boards and to ensure that no decision is taken before different views have been considered and the related risks have been assessed. And again: all this is in the banks’ own long-term interest. Banks are highly leveraged institutions and crucially depend on the trust of depositors and creditors as well as on the continued provision of key services to local communities. They cannot be left at the mercy of the supposed genius of dominant CEOs.

The three lines of defence

As I said, the board is the last line of defence in the battle against flawed decision-making. But there are three more lines of defence. The first is formed by the business areas themselves – the frontline, if you like. The second line is mainly formed by risk management and compliance – those who challenge the decisions taken in the business areas, those who measure, monitor and mitigate risks. And the third line is internal audit – those who assess how effective the internal controls, risk management and governance processes are. These three lines of defence are equally important, but they are not all working equally well.

The first line of defence is where a cultural shift is needed most, and still lags behind at many banks. The frontline business units, at all levels, should continuously check whether their behaviour is in line with the declared values and desired conduct of the bank. They sometimes fail to do so because they are obsessively focusing on meeting quantitative targets, for instance. If this is the case, though, it is very difficult for the other two lines of defence to ensure proper behaviour and a genuine and lasting cultural shift. Only when a strong risk culture and sound standards of conduct are fundamentally embedded in the behaviour of the business areas will good decisions become the norm. And this will then be reflected in the scores that banks achieve in our assessment of governance.

Compliance issues have recently made a lot of headlines. Compliance is all about playing by the rules, respecting the law and following regulation. And as I already said, one might think that this is a fairly straightforward matter.

However, looking back at recent scandals, it would seem to be somewhat less straightforward. Many of these scandals featured bankers who broke or bent the rules; who violated standards – ethical or otherwise – and who didn’t take the law as seriously as they should have. The fact that this happens shows that there is a need for change. In the first place, it is up to the banks to ensure that their staff comply with regulations and standards, as well as with the law.

And this is also a question of control, with the compliance function playing a key role. Its job is not – as some say – to prevent business; its job is to prevent bad business. The compliance function ensures that everyone sticks to the relevant laws, regulations and standards. And given how much regulation has changed, the compliance function has also assumed the role of advising boards on how to deal with the reformed rulebook.

All this is very important, and banks have to ensure that their compliance functions can do a good job. Compliance functions need to be independent; they need to be well staffed; they need direct access to the top. They need to cooperate closely with the other lines of defence and, above all, to be taken seriously at all levels.

Over the past few years, we have seen some progress here; banks are starting to take compliance more seriously. Compliance functions are now better placed within banks, better governed and more independent; they have more staff and somewhat better processes.

But there is more to be done, and we are closely monitoring developments on a number of fronts. Many banks could still improve their compliance processes – for example when it comes to product approval and the monitoring of compliance risk, particularly in connection with remote entities. And the need for improvement is all the more acute when banks operate on a global level. Global banks are larger and more complex; compliance risk is thus higher and control mechanisms are even more important. There is a need to harmonise these mechanisms across entire banking groups.

It is mostly up to the banks to improve and harmonise their defences, of course. But in certain areas, public authorities have to act as well. Money laundering is a prominent issue which by its nature reaches across borders. Thus, we need to tackle it not just at the national but also at the European level. And here, we need to go beyond a directive. What we need is a truly harmonised set of rules which enables all relevant authorities to cooperate in their fight against money laundering and the financing of terrorism.

Remuneration – setting the right incentives

So far, I have focused largely on control measures, which are the natural remit of banking supervisors. I mentioned that a true transformation in bank culture has to come from within, and real progress lies beyond the direct reach of supervisors and regulators.

There is one area, though, in which we can have an impact: remuneration. Financial incentives are extremely important. When taking decisions, people do consider what might earn them a bonus and what might get them promoted. It is common wisdom by now that, before the crisis, compensation schemes were skewed. They encouraged people to take on too much risk; they encouraged people to concentrate on short-term profits rather than long-term viability. Complex structured products might have helped to rake in the money, but not in a sustainable way. Implicit government guarantees and the “too big to fail” doctrine supported short-sighted assessments by investors and market analysts, who were more interested in short-term profits than in long-term risks.

The aim should thus be to ensure that banks align their compensation schemes with prudent risk-taking and capital planning. And the rules that were put in place after the crisis seek to support this objective by forcing banks to give greater weight to sustainability.[5] Here in Europe, we now have bonus caps; we have rules that determine the composition of bonuses in terms of cash versus payments in other instruments; and we have rules on deferrals and on malus and claw-back arrangements. All these rules are important, but there are two things we must keep in mind.

First, we must ensure that the rules work under all circumstances and not just at a given point in time. The world is constantly changing, and the most obvious change in this context is the up and down of the business cycle. Research indicates that compensation rules have different effects in different phases of the cycle.[6] What dampens risk-taking in an upturn might spark it in a downturn.

Second, compensation schemes are complex, and there are a lot of moving parts. So by tweaking small details, banks can still increase incentives for risk-taking. A recent study by the Bank of England points in that direction.[7] That’s why we supervisors assess compensation schemes in detail. We take a close look, for instance, at risk modifiers and key performance indicators, and we expect banks to fully align them with their risk appetite.

So, compensation schemes are something that we care about a lot. First, because they are important; and second, because quite a few banks still fall short of our expectations.

Bonuses are, for instance, still paid out mostly in cash instead of stocks or other financial instruments. Thus, compensation is decoupled from the sustainability of the bank. This fosters a short-term view, where today’s profits take precedence over tomorrow’s stock price and ability to pay creditors. The same is true for deferral rules, wherever they are not applied as intended.

Some of these issues stem from the fact that, across Europe, countries implement the same rules in different ways. This is not ideal, and the forthcoming update of the Capital Requirements Directive and Regulation thus seeks to ensure a more harmonised approach. But in any case, banks need to realise that compensation schemes play a key role in ensuring their long-term survival.

Conclusion

Ladies and gentlemen, decisions were at the core of my argument. And a lot of the time, it’s hard to say whether a decision will turn out to be a good or a bad one – particularly when it comes to risk-taking, which is all about uncertainty and probability. Bankers and supervisors might have slightly different views on risk. Bankers think more about potential profits, while supervisors think more about potential disasters. This difference is probably even more pronounced in times like these, when banks are struggling to remain profitable and might take on too much risk in their search for yield.

Take all this together and you see why we supervisors focus so much on processes. It might look like boring stuff, but sound internal governance ensures that conscious decisions are taken. It ensures that different views and perspectives are properly taken into account in the decision-making process. It ensures that potential, often short-term, gains are weighed against potential, often long-term, risks. It all comes down to how decisions are taken; and if the “how” is sound, the actual decision will be sound as well.

In the end, governance is the nuts and bolts that keep a bank together over the long term; not exciting, perhaps, but crucial to survival. Since European banking supervision was established, we have seen a lot of progress in key areas of post-crisis repair such as capital adequacy, liquidity buffers, asset quality and the reliability of internal models. In governance, however, we have not seen this kind of progress. In fact, last year we even recorded a slight deterioration in the SREP governance scores of banks.

Strengthening internal governance and restoring profitability are complementary objectives which banks must pursue jointly with great strength and focus to regain the trust of the communities they serve and demonstrate that they are indeed serving their customers and not themselves. This will allow them to finally turn the page on the burdensome legacy of the financial crisis.

Thank you for your attention.

[1]Group of Thirty (2018), Banking Conduct and Culture: a Permanent Mindset Change.
[2]D. Kahneman, Thinking, Fast and Slow, Penguin Books, 2011.
[3]Cohn, A., Fehr, E. and Maréchal, M.A. (2014), “Business culture and dishonesty in the banking industry”, Nature, Vol. 516, pp. 86-89.
[5]See, for instance, Financial Stability Forum (2009), FSF Principles for Sound Compensation Practices.
[6]Ongena, S., Savaser, T. and Sisli-Ciamarra, E. (2018), CEO Incentives and Bank Risk over the Business Cycle, forthcoming.
[7]Harris, Q., Mercieca, A., Soane, E. and Tanaka, M. (2018), “How do bonus cap and malus affect risk and effort choice? Insight from a lab experiment”, Bank of England Staff Working Paper, No 736.

Speaking engagements

Schedule of events

Media contacts