First published in the 1LoD Global Benchmarking Survey & Annual Report 2019

Banks should take the opportunity to both better harness and use their valuable and expensive data. Intelligent use of conduct risk metrics can and will make compliance functions more effective and efficient. John Coley, Head of EMEA, Regulatory Compliance Consulting & Lisa Lee Lewis, Head of Advisory, Regulatory Compliance Consulting at Norton Rose Fulbright explain how.


While most banks and corporates already have access to vast piles of data, about everything from their financial performance to their employee call lists and social media impact, these are often gathered from multiple sources and monitored in silos. Data that was expensive to gather and could provide invaluable insights into an organisation’s ethical business conduct therefore goes under-used.

While the 1st line of defence is increasingly excited by data triangulation – using different methods to gather information about a topic, then cross-referencing data sets to spot patterns – few have worked out how to apply this to conduct risk. Even fewer are doing so to a degree that approaches its potential.

This puts organisations at a disadvantage with regulators, whose growing focus on evidence and personal accountability around conduct risk often sees them ‘drill down’ into how behaviour impacts the culture, ethos and running of a firm plus the actions of its employees.

But while many organisations believe they must build complex risk metrics from scratch to meet regulator requirements, most already have the raw materials they need. What they’re missing is a robust mechanism for collating, analysing and presenting those disparate metrics in a more coherent and aligned way.

Where to start?

There is a wealth of internal and external data that banks and corporates can start to mine and analyse as they embark on this journey. Consultants with hands-on industry experience can help organisations test and experiment with data-point combinations to create a system that meets their needs.

From an internal perspective, simple metrics such as whether employees have completed training in conduct risk or ethical business conduct can offer more valuable insight if they are triangulated against other employee data such as use of whistleblowing lines. Similarly, monitoring the proportion of employee speak-ups that occur through anonymous lines can provide a useful indicator of culture. The length of time it takes for internal investigations to be conducted can reflect an organisation’s commitment to addressing and resolving conduct breaches.

Many of these metrics are subtle and taken alone they often have limited or singular use. However, when examining them together along with trend correlations over time they can be very powerful tools to help provide helpful insights into the effective workings of a firm.

For example, as an organisation conducts more investigations into fraud cases that are triggered by whistleblowing, this can help it form root cause categories and identify outliers that could indicate higher levels of conduct risk in certain business lines, geographies or employee groups.

From an external perspective, customer complaints can also provide a rich vein of conduct-related data, if mined, formatted and analysed correctly, and displayed clearly. For example, trends in complaints could be used to identify anything from improper use of products to unethical sales practices. This carries particular weight for financial services providers and their treatment of vulnerable or unsophisticated clients which may result in harm to the client, the firm and the industry.

More advanced models

Lessons can be learned from the world of trade surveillance, where experiments in data triangulation are more advanced. Historically, models used here have been simple and linear, with surveillance providers seeking, for example, to identify signs of wash trades or spoofing, and then targeting them as they arise. Now, however, they are seeking to identify behaviour patterns among traders, monitoring multiple sets of data simultaneously, including those of their peers, and then looking for deviations from the norm.

One US power company, for example, has built its own in-house NoSQL database environment that allows it to place all its trader communications, contacts, activity and positions in a single database, weave them together, flag unusual events and look for correlations. That company then routes any alerts directly to the individual causing the alert for documentation before the alert is forwarded to compliance personnel. This adaptation of data aggregation with multiple layers of analysis with collection of documentation before arrival at compliance for review provides a view of how conduct oversight can evolve.

Creating such a sophisticated conduct risk dashboard is of course not easy. There is no one-size-fits-all model and solutions must be customised to reflect an organisation’s industry, operations and risk profile. For global banks and firms that have grown through acquisition, a multiplicity of legacy systems adds another layer of complexity.

It is clearly early days for conduct data triangulation. Whether or not it is possible to ever develop industry-standard measures such as those used for credit risk, key performance indicators will certainly be less granular. But as conduct risk continues to be at the forefront of regulators’ agendas, doing nothing is not an option. Banks and corporates that are ahead of their peers in building such capabilities will not only enjoy stronger risk controls, with all the associated commercial and organisational benefits, but will be able to demonstrate this to regulators as their demands expand.

Recent publications

Subscribe and stay up to date with the latest legal news, information and events . . .