Australian banks, including Commonwealth Bank, remain complacent about risk culture, even though the prudential regulator has been pushing their directors to give the area sharp focus, according to leading academics and other observers of bank compliance policies.
Research by Elizabeth Sheedy, an associate professor in the applied finance centre at Macquarie University, has found bank leadership is arrogant about risk culture, which refers to how staff identify, understand, discuss and act on the risks a bank confronts and takes.
“Senior leaders of large banks are confident about their own risk culture. They think they’ve nailed it. But our previous research identified that the senior leaders had a ‘rosy’ view of their culture and were somewhat out of touch,” Professor Sheedy said.
In new research released last week in association with Finsia, Dr Sheedy found that pay incentives, culture and employee attitudes all contribute to the failure to comply with policies and regulations. Her studies involve participants across the banking sector rather than focusing on CBA specifically.
With the Federal Court set to examine whether the culture at CBA led to lax suspicious matter reporting, Dr Sheedy’s research has found bank staff in Australia have high levels of “avoidance”, which refers to thinking that some breaches of some legal duties – such as anti-money laundering (AML) compliance – will be tolerated or swept under the carpet.
“Any commercial business has obligations to turn in a buck. But at the same time more and more people are complaining about their compliance obligations, of which AML is one of many, and there is a tension,” she says. “Sometimes that means you have to turn away profitable business or ‘waste’ time on compliance when you could be generating profits.”
Others say it’s remarkable that CBA chairman Catherine Livingstone’s statements last week addressing the AUSTRAC allegations did not make specific mention of risk culture, given it is one of the topics the Australian Prudential Regulation Authority has been trying to drill into bank boards after introducing its prudential standard CPS 220 in January 2015.
This requires boards of directors to form a view about their bank’s risk culture and to identify how it could improve. The CBA board is believed to have provided its first CPS 220 assessment of the risk culture at CBA to APRA around a year ago; the assessment has not been made public.
“The statement released by the chair of CBA was comprehensive and informative. It was a mea culpa and commitment to spend the necessary dollars and implement the compliance technology to solve the problems,” said Martin Kelly, founder and managing director of Riskflo, a regtech start-up that makes collaboration software for teams in banks to identify and reduce risk.
“What was notably absent from the chair’s statement was any mention of risk culture.”
The Australian Securities and Investments Commission is examining whether a case may be brought against CBA’s board for failing to protect the bank’s reputation.
On Friday, Reserve Bank of Australia governor Philip Lowe said it was crucial for banks to have a culture that respects the law, while the Australian Prudential Regulation Authority said the same day that it cannot comment on the CBA AUSTRAC matter, including whether it pointed to risk culture deficiencies. APRA is prevented by its enabling legislation from commenting on its interactions with any individual financial institution; breaking this law is a criminal offence.
But last October, APRA released an information paper, which noted that if a bank is found to have indicators of a poor risk culture, APRA’s “supervisory attention” on the bank will increase.
“APRA cannot regulate sound risk culture into existence. However, APRA will apply greater supervisory intensity to institutions that are either unwilling or unable to address behaviours that are inconsistent with prudent risk management practices,” APRA chairman Wayne Byres said in a release accompanying the risk culture information paper.
Mr Kelly said banks can do much more to improve risk culture. Knowledge and expertise “is often fragmented across the organisation’s silos and management hierarchies”, he said.
But “getting the information, consolidating, sharing and challenge amongst multiple stakeholders is a collaborative, social and dynamic process. Current GRC [governance, risk and compliance] technology architecture doesn’t start with these social design principles. They can digitise, but they don’t socialise. That’s a problem.”