Perspectives on conduct risk in wealth management

| Article

Imagine you wake next Sunday morning to an alarming headline about your financial institution: “Advisers found misusing funds” or “Firm chose to ignore problem affecting 1,000 customers.” Conduct risk—including questionable sales practices and breaches of fiduciary duty—has shot to the top of the regulatory agenda in wealth management, and the repercussions are rippling out across firms and markets. In this article, we examine why conduct risk has become such a burning issue for wealth managers and set out four principles for ensuring that risks are raised and handled appropriately.

The emergence of conduct risk

All financial institutions and businesses have been affected in recent years by an increasing urgency surrounding conduct risk, wealth management being no exception. Among the many factors that have contributed to the heightened focus has been high-profile failures in the retail-banking sector. These have put increased attention and pressures on wealth managers operating in universal banks and bank holding companies.

Wealth managers with retail-banking affiliates can reasonably assume that new standards on the effective management of customer complaints and employee allegations will be applied at the enterprise level to universal banks. In the United States, wealth managers operating within the legal entity of a bank holding company can expect the Federal Reserve to focus on wealth-management businesses, even if they fall outside the legal entity of the subsidiary bank. In addition, recent feedback from regulators indicates that firms will be expected to use all available data to identify issues (for instance, by performing extensive account-level analyses) and quickly determine whether they are one-off events or symptoms of broader problems.

As regulatory scrutiny increases in developed markets, customer protection has drawn particular focus. In Europe, the introduction of MiFID II (the second Markets in Financial Instruments Directive) has increased both the operational complexity of the investment-advisory business and the inherent conduct risk for wealth managers. The new directive includes new requirements and processes concerning conflicts of interest, price transparency, product suitability, and best execution—the obligation that an investment firm obtains the best possible result when executing client instructions. In North America, regulators are shifting to a more data-driven approach. An examination might once have begun with a review of policies and procedures, followed by a random sampling of customer accounts to identify exceptions or violations. But regulators are now requesting comprehensive data sets up front, running analyses to identify unusual or anomalous accounts and adviser portfolios, and seeking to understand patterns, underlying causes, and management’s ability to identify and monitor corresponding risks. At the same time, the Financial Industry Regulatory Authority (FINRA) now provides a risk-ranking for every financial adviser it regulates.

Apart from regulatory scrutiny, financial advisers also face rising expectations from their customers. One reason for this is the growth in competitive alternatives, ranging from robo-advisers and exchange-traded funds (ETFs) to the expansion of full-service regional private banks. Another factor is customers’ ability to communicate instantly and broadly via social media, creating a context in which a perceived lapse in conduct can rapidly translate into reputational damage.

Managing conduct risk

How should firms respond to the emergent perils of conduct risk? Unlike many other types of risk, conduct risk crosses functions and lines of business. An issue in one area can easily affect others. Actions must therefore be coordinated across disparate parts of the firm. This will create challenges for such activities as risk identification, assessment, monitoring, and remediation. Each responsible group must ensure that the affected parties have the information they need in order to act. Handoffs between legal and HR to frontline managers and executives in charge of risk oversight will need to be carried out smoothly and efficiently.

An improved customer experience—including enhanced avenues for customer feedback and fully digitized transactions—can reduce risk exposure while also stimulating revenue growth. Below, we offer four principles for organizing conduct-risk management, each based on the conviction that strong risk management and superior customer experience go hand in hand.

Maintaining a healthy skepticism

In practical terms, skepticism will mean probing below the surface, especially in areas where the news is always good or where returns never stray from the positive. While success is important, managers need to keep testing results, to affirm strengths but also to uncover weaknesses. Firms often find systemic issues arise in specific areas. In our experience, three areas stand out: those that are actually independent of the wider organization, those within the organization that operate in a siloed manner, and those whose activities are not very transparent to the rest of the organization and whose leaders cannot easily describe the details of day-to-day operations.

Would you like to learn more about our Risk Practice?

A case in point from commercial banking is a regional bank that failed as a result of massive fraud in a subsidiary leasing company. This company did not use the bank’s own systems and had maintained separate auditors. In capital markets, the collapse of Barings Bank in 1995 followed speculative investments made by a single trader; in 2008, the insurance giant AIG was brought to the brink of failure by massive losses in credit default swaps incurred by activities in its financial products division.

Effective organizations maintain a clear and comprehensive view of the flow of conduct issues so that key responsibilities are identified, communicated, and understood throughout the organization (Exhibit 1).

1
Tracking issues as they flow through an organization, from identification to remediation, exposes gaps and supports improvements.

Understanding how culture shapes conduct risk

The prevailing cultural environment can either mitigate conduct risk or heighten exposure to it. By understanding the behavior favored by their culture, institutions can identify effective interventions for better managing conduct risk.

Leaders have found that the best way to begin is by articulating the behavioral characteristics and actions of the desired culture. By themselves modeling expected behavior, top management can ensure that everyone in the organization understands the cultural model. Exemplary conduct might include leaders’ welcoming questions and dialogue, staff confidence in raising issues in a timely and appropriate way, and businesses working collaboratively with risk management and compliance instead of treating these functions as obstacles.

At the same time, institutions need vigorously to assess their risk culture, identifying strengths and weaknesses and marking outliers and cultural hot spots for more focused attention. Initiatives can then be developed to address the weaknesses while robust monitoring ensures that progress is being made.

In analyzing its risk culture, a large bank found that a business unit was performing poorly. It had recently undergone a change in management, so the bank assigned risk specialists to work with the new leadership. Together, they developed targeted interventions to improve communication and challenge the front line through training and coaching, role modeling, and formal problem-solving sessions. The next time this business unit was evaluated, the results showed that it was performing better than other parts of the bank and peer institutions.

Risk culture can be evaluated in a variety of ways, but most institutions use some form of employee survey. In our experience, signs that conduct risk may be elevated are negative survey responses concerning openness, communication, level of insight, and speed of management reaction to issues (Exhibit 2). The negativity often arises from employee beliefs that their opinions are not valued, that management is not communicating a clear and consistent message, that risks in day-to-day business practices are poorly understood, and that little action is taken when issues are raised. A particularly strong predictor of underlying cultural problems has been the emergence of a steep decline in positive response rates between top executives and midlevel managers.

2
A risk-culture survey can uncover potential risk issues.

Mining data for insights and actions

Many institutions have found that the effects, good and bad, of the prevailing risk culture on employee conduct (such as sales conduct and client interactions) can be determined through benchmarking performance against industry peers. An outside-in comparison of account-level risk and performance data can also add valuable context to compliance efforts. To develop such a view, firms can cooperate in a consortium that pools transaction data across peer institutions. The data must be detailed enough to allow users to detect anomalous behavior at the level of transactions and households as well as by financial adviser.

Another productive approach is to build an analytical engine and reporting tool that allows risk managers, compliance staff, and frontline supervisors to quickly identify any emerging behavior that may be inconsistent with the institution’s culture and values. This involves the use of customer and employee data, which is regulated to various degrees, depending on location. Institutions must comply with all applicable regulations on data privacy and security.

When firms monitor transactions for suspicious activity, the programs they use are often insufficiently sensitive, given the investigative resources available. The common experience is that an enormous majority of flagged transactions turn out to be perfectly legitimate. Better algorithms and machine learning can greatly improve the efficiency and effectiveness of risk detection. Likewise, to improve conduct-risk programs, leading firms are adopting digital processes that link data sources with analytical engines all the way through to final reporting. They streamline risk-management and oversight processes by giving frontline employees analytical tools that spot anomalous behavior using outlier analysis. Findings are translated into an easy-to-read dashboard that allows financial advisers and managers to see at a glance how their client portfolios and transaction levels compare with those of peers. Any deviation can be quickly assessed and, if unintentional, quickly remedied. This not only helps advisers manage risk better but also reduces the number of cases that require detailed investigation and follow-up by the oversight function. And as monitoring is conducted systematically, rather than sporadically, it picks up anomalous behavior that accumulates over time (see sidebar, “An end-to-end view of conduct risk through digital processes”).

McKinsey on Risk Issue 4, winter 2018

McKinsey on Risk, Number 4, Winter 2018

The next step is to combine these analyses with industry data to calibrate what is deemed normal not just within the firm but also across the sector. Automated tools generate reports (“dashboards”) displaying performance by client segment, region, branch, and adviser. The dashboards allow executives to view activity at the level of individual households and accounts, enabling them to pinpoint areas of high risk for remedial action (Exhibit 3).

3
Reporting tools with executive dashboards can pinpoint conduct-risk areas for greater focus and remedial action.

Conduct risk and the customer experience

Smart institutions use the feedback they collect via customer-experience programs not only to improve the experience itself but also to monitor for conduct risk—a step many firms miss. Well-designed customer-experience programs should provide helpful insights for both purposes. This type of monitoring will not substitute for layers of compliance controls, which remain crucially needed. But the best-practice approach to conduct-risk management will combine these controls with customer insights.

Firms can also harness some of the forces reshaping customer experience in financial services to reduce conduct risk. Examples include the following:

  • Automated advice. Consumers are now able to make even wardrobe choices with the help of a robo-adviser. In financial services, automated advice in the form of an initial personalized algorithmic recommendation will become increasingly available. This recommendation may lead to added customization from a human adviser, but it will in any case provide a basis for reviewing conduct risk. For example, if large numbers of people contravene the model’s recommendations, then the model should be reviewed for bias and revised to ensure that it is not a source of conduct risk.
  • Customer affinity. The difficulty some firms have in ensuring that customers understand their products and services is one source of conduct risk. Some financial-technology firms (fintechs) are tackling this issue by offering targeted services to defined segments, such as Ellevest’s wealth-management offering for young professional women. As technology becomes more modular, incumbent providers will find it easier to offer similar targeted services for such segments as new parents, parents of college-age youths, or people starting new businesses. Robo-advisers and other automated solutions can help firms enter previously uneconomical areas, supporting, for example, self-directed and managed options to lower-asset segments for lower fees. More diverse and targeted products and services that are more relevant to customer needs will reduce the likelihood of misunderstanding or misperception.
  • Digital-first sales and service. One of the most powerful ways for firms to improve customer experience and reduce risk is to expand the role of digital sales and services. Conduct risk can arise from manual processes, creating poor customer experiences. Increasingly, customers are preferring the freedom and autonomy digital channels offer for researching and selecting products. Customers provide their own information to the bank and use sales employees as coaches when needed. This is how airline tickets and even cars are being sold today. For investment products, this approach brings the added advantages of educating customers about digital tools, improving data accuracy, and allowing employees to focus on customer needs rather than administrative tasks.
  • Complaints management. Leading firms are finding that automating complaints management can effectively please customers, reduce conduct risk, and drive revenue growth (or prevent revenue erosion). By capturing customer feedback from all available sources and deploying machine learning and natural-language processing to identify underlying themes and trends, top firms are now able to detect, in close to real time, operational deficiencies such as system outages or slow adviser responses. Addressing these glitches as quickly as possible has a direct and measurable impact on the customer experience, which in turn drives customer acquisition and retention.

Getting started

To address heightened supervisory expectations and put these four conduct-risk principles into practice, institutions can begin by reviewing the strength of their existing conduct-risk framework. Senior management can ensure that core elements are in place and working effectively. These elements begin with a groupwide definition of conduct risk and its relation to other risk types in the risk taxonomy. Business standards and a code of conduct should underlie all policies, guidelines, and procedures. Employee training on conduct risk and related matters, such as fair treatment of customers and financial-market integrity, should be mandatory.

Core processes such as the approval of new products should be subject to conduct-risk reviews, while responsible governance forums should review conduct-risk reporting and emerging conduct-risk themes. Conduct-risk identification should be robust. Whistleblowing protocols and complaints handling, backed up with an analysis of themes, will help identify issues requiring action. The potential drivers of conduct risk within the corporate strategy, business model, and compensation and incentive plans can be reviewed and changes introduced as needed. Peer conduct-risk events should be studied and an internal check for similar issues initiated if warranted. Employee surveys to identify specific issues in conduct, culture, and behavior can also be highly useful.

Finally, firms need to have in place dedicated reporting, analysis, and monitoring of conduct-risk metrics to identify concentrations of activity in certain products, sectors, and regions and to detect likely signs of misconduct (such as business performance that is far out of alignment with targets and the wider market).


Most firms can significantly improve their management of conduct risk by reviewing and refining their approaches according to the four principles we have been discussing—probing successful results, understanding and improving risk culture, using data to gain insights and shape actions, and integrating conduct-risk management into the customer experience. Since the expectations of both regulators and customers for better conduct-risk management are rising, the business advantages of doing this are undeniable.

Explore a career with us