
Regulating firms’ culture - The increasing focus by financial regulators internationally on supervising firms’ culture




Financial services firms’ corporate governance and risk cultures are a ‘hot’ topic with financial regulators globally. Regulators have noted that serious corporate governance and conduct failings of financial services firms have not simply been the preserve of a few ‘bad apples’; rather, they can be the outcome of wider culture issues. As stated by New York Federal Reserve President Bill Dudley in a January 2017 speech:

“The manipulations of LIBOR and foreign exchange rates prompted the New York Fed’s work on culture. The LIBOR and FX collusions were not occasional atonalities in an otherwise harmonious financial system….. serious misconduct is not confined to a single jurisdiction or a business model. The evidence, which now stretches over a decade, has only reaffirmed my initial belief that there is an industry-wide problem.”

The European Central Bank has stated that internal firm governance is one of its top supervisory priorities under the Single Supervisory Mechanism (SSM). Supervising a firm’s internal governance is not, however, merely a matter of reviewing a firm’s processes and procedures (the internal governance principles it espouses); it is also (and perhaps more importantly) a matter of reviewing what the firm actually does in terms of its corporate governance and why, ie its corporate governance culture.

As noted in the Basel Committee’s 2015 Guidelines on corporate governance for banks “a fundamental component of good governance is a corporate culture of reinforcing appropriate norms for responsible and ethical behaviour”. 

What is a firm’s culture?

The concept of a firm’s ‘culture’ has usefully been described by the UK Financial Conduct Authority’s Director of Supervision, Jonathan Davidson, in a recent speech as “the typical, habitual behaviours and mindsets that characterise a particular organisation. The behaviours are the ‘way things get done around here’; they are the way that we act, speak and make decisions without thinking consciously about it”.

Also, as stated by the Dutch regulator, the DNB, in its ground-breaking book ‘Supervision of behaviour and culture; foundations, practice and future developments’:

“For employees, organisational culture is the social glue that holds the organisation together by providing appropriate standards for the ways employees should behave. As a consequence, culture reduces employees’ uncertainty and anxiety about appropriate and expected behaviours”.

Why does a firm’s culture matter to the regulator?

The regulatory concern is well explained in the following terms in a recent speech by Danièle Nouy, Chair of the Supervisory Board of the SSM:

“Culture and ethics are at the heart of banks’ decisions in terms of risk-taking and safe and sound management practices. This means that understanding culture – what one does ‘when nobody is watching’ ….can help us to recognise, and even predict, some behaviours.”

Also, according to Ed Sibley, Director of Banking Supervision at the Central Bank of Ireland:

“The culture within an institution is a key factor in determining its safety and soundness, as it is key to the effectiveness of its governance arrangements. It drives the values and beliefs which govern how individuals treat others, perform their tasks, take decisions, assess risk, and perhaps most importantly, do the right thing to ensure they operate in a safe and sound manner. It is the foundation upon which a strong governance framework is built.”

Indeed, as noted by the Financial Stability Board (the international organisation established by the G20 to promote reform of international financial regulation) in a 2014 document:

“Weaknesses in risk culture are often considered a root cause of the global financial crisis”.

What indicators of a firm’s culture does a regulator focus on?

In 2014, the Financial Stability Board issued guidance, setting out a framework for regulators to assess a firm’s risk culture. It identified the following four indicators for assessment of a firm’s risk culture:

  • Tone from the top ie the extent to which the leadership promotes, monitors and assesses the firm’s risk culture.
  • Accountability of all employees, on the basis that they understand the core values of the firm, are capable of performing their prescribed roles and understand that they will be held accountable for their actions in relation to the firm’s risk-taking behaviour. 
  • Effective communication and challenge within the firm.
  • The financial and non-financial incentives of the firm for those it employs support the espoused core values and risk culture.

Tone from the top is key. As noted in a very comprehensive 2015 G30 report, entitled “Banking conduct and culture: A call for sustained and comprehensive reform”:

“Boards should ensure that oversight of embedding values, conduct and behaviours remains a sustained priority, with the primary responsibility resting with the CEO and executive team for ensuring that the ‘tone from the top’ has a clear and consistent ‘echo from the bottom’.”

More recently, in a speech, the Central Bank of Ireland’s Sylvia Cronin listed a number of indicators of a firm’s culture that the regulator would look at, including:

  • ‘Tone at the top’; the way decision-making occurs and how this is communicated.
  • Board membership and performance, including the quality of board effectiveness reviews.
  • What evidence is available to demonstrate the effectiveness of the risk, compliance and internal audit functions.
  • The governance and internal controls in place and the level of compliance or non-compliance with these. Do firms follow their own procedures or are workarounds allowed and commonplace?
  • What are ‘accepted’ behaviours in the organisation.
  • Remuneration and reward models.
  • The skills, knowledge, competence and on-going training.
  • The way the firm engages with the regulator, whether the relationship is open and co-operative or guarded and suspicious.
  • The firm’s approach to compliance; whether it complies with the letter of the law but not the spirit of the regulation.

Looking at what firms do, rather than merely what they say they do

An important issue for the regulator is that a firm may have excellent processes and procedures in place, but these may not reflect the firm’s actual behaviours. As noted by the Central Bank of Ireland’s Sylvia Cronin:

“We have seen that many companies may have the right structures in place but we have not seen the supporting behaviours. Nearly every organisation has the three lines of defence model on paper, multiple committees exist and reams of policies and procedures have been developed. However, where we have seen a common and significant cultural risk is that often a risk and compliance culture is not embedded in the first line of defence, committees do not operate in line with their terms of reference and often policies and procedures are well designed but people don’t follow them in practice.”

In the three lines of defence model, the first line is the revenue-generating business line, the second comprises the risk management and compliance functions and the third is internal audit.

In this regard, the influential research into firm culture and regulation carried out by the Dutch regulator, the De Nederlandsche Bank (DNB), is interesting. According to the DNB, its research shows that “internal supervisors always have a stronger influence than external supervisors” and the DNB “strongly believe” that in the future “internal supervisory mechanisms will play an increasingly larger role” in financial firm supervision – hence the importance of ensuring that the three lines of defence operate effectively, both in theory (in terms of having appropriate structure, policies and procedures in place) and in practice (in terms of actual behaviours).

What do regulators expect of firms?

Regulators internationally are increasingly expecting firms, as good practice, to define what their culture is and champion this culture ‘from the top’, both in word and deed. Firms should reward what they say is valued and reprimand violations of these espoused values. Also, firms should support the espoused culture through eg appropriate internal training and creating a ‘no blame’ culture through an active issue identification and resolution culture. Indeed, as noted by Sylvia Cronin, firms “need to find a way of measuring your culture and tracking cultural change as ‘To measure is to know and what gets measured gets done.’” Also, as stated in the above-mentioned recent G30 report: “Boards (and/or the relevant committees) should regularly receive monitoring information on culture and values and build a reputation, values and conduct dashboard to monitor progress and facilitate debate and challenge between the board and the executive.”

How Eversheds Sutherland Consulting can help

Eversheds Sutherland Consulting is a service from a leading global law firm, bringing together a mix of highly experienced consultants, lawyers, audit and risk specialists to provide tailored consulting services to clients. Eversheds Sutherland Consulting has particular expertise in the areas of internal governance and firms’ culture and can assist firms to review their internal governance and culture to ensure they meet the requirements of their regulator.

For further information, please contact:

Ciaran Walker - Consultant, Dublin
David Saunders - Partner, London
Matthijs Bolkenstein - Partner, Amsterdam
Scott Sorrels - Partner, Atlanta 
Rebecca Copley - Partner, Dubai

