Since the financial crisis—and more recently in the wake of the Wells Fargo sales practices scandal and the benchmark manipulation enforcement actions—bank regulators in the United States and around the world have become increasingly focused on reforming institutional culture and pursuing other actions to mitigate employee misconduct risk. The Federal Reserve Board’s recent and unprecedented enforcement action against Wells Fargo, which we have discussed previously, is a stark demonstration of regulators’ vigorous focus on these issues. In addition to misconduct that may take place against customers, counterparties, and markets, the recent attention on sexual harassment and employee treatment has also raised questions about the capacity of companies across sectors to address misconduct that takes place within the walls of the company itself.
The Federal Reserve Bank of New York has been at the forefront of this issue, sponsoring conferences, speeches, and white papers aimed at understanding and reforming financial institution culture. A recent white paper, for example, focuses on the role of institutional culture and supervision in mitigating employee misconduct risk, which is defined as the “potential for behaviors or business practices that are illegal, unethical, or contrary to a firm’s stated values, policies, and procedures.” The New York Fed’s efforts have taken place against a larger backdrop of regulators and groups—including the U.K. Financial Conduct Authority, the Hong Kong Monetary Authority, The Group of Thirty, the European Systemic Risk Board, the Banking Standards Board, the Financial Stability Board, the Office of the Comptroller of the Currency, and the New York Department of Financial Services—that are publishing reports or otherwise taking action on this topic.
Financial institutions have taken a number of steps to strengthen compliance and improve culture, including by rolling out dedicated culture and ethics initiatives. In support of these efforts, we summarize below some of the key themes and recommendations in the papers and speeches sponsored by the New York Fed and other regulators and groups. Though these issues have been discussed for years, it is crucial for boards, senior management, general counsel, and risk managers to closely track regulators’ thinking on these themes and to consider additional steps to ensure their institutions are on the leading edge of reform. This memorandum is focused on banks, but the principles we discuss are applicable across financial services firms and other industries.
Diagnosing the Problem
- A recent New York Fed white paper, which was co-authored by the head of the Supervision Group, Kevin Stiroh, describes what institutions should aspire to in terms of establishing strong “cultural capital”:
[M]isconduct risk is low and observed structures, processes, formal incentives and desired business outcomes are consistent with the firm’s stated values and beliefs promoting ethical conduct. The unspoken patterns of behavior reinforce this alignment. Employees understand and internalize the expectations of the law and the meaning of regulatory rules or supervisory guidance, and do not need to be reminded by enforcement actions and large penalties that compliance is an important part of sustained success. Problems are escalated to business unit leaders and senior managers routinely, as employees feel empowered to raise their hands and believe that their efforts will result in meaningful responses. And, senior leaders advance through the organization because, in addition to strong financial performance, they model behaviors consistent with the firm’s values.
- The same paper describes the characteristics of an organization with weak culture and increased employee misconduct risk:
In these firms, formal policies do not reflect ‘the way things are really done.’ The stated values of senior leaders are not reflected in the behaviors and actions of the organization’s members, and misconduct results from norms and pressures that drive individuals to make decisions that are not aligned with values and associated business strategies set by the board and senior leaders. Employees do not speak freely when they have concerns about the way their group is doing business, and senior managers or the board of directors do not find out about illegal conduct until it is uncovered by the authorities. Employees are focused on short-term results—such as this year’s bonus—and have little loyalty to the firm or commitment to enhancing the firm’s long-run value. Rules may be followed to the letter, but not in spirit.
- The literature in this area often notes the unique problems facing the financial institutions sector. For example, over the past decade alone, large financial institutions have paid, in aggregate, fines that exceed $350 billion in connection with employee misconduct. Over the same period, Gallup has found that confidence in banks has dropped substantially. New York Fed President William C. Dudley has argued that improving culture could produce a number of benefits, including lower internal monitoring costs, mitigating the risk of reputational harm, greater credibility with regulators and prosecutors and therefore “fewer and lower fines,” better ability to attract clients and top talent, and the potential to rebuild trust in the financial sector.
- The former Comptroller of the Currency noted that “[m]any of the compliance, operational, and safety and soundness problems we’ve seen over the past decade could never have happened in organizations with healthy cultures.” Accordingly, the OCC’s “Director’s Book” includes establishing an appropriate corporate culture as a key board responsibility.
- The Group of Thirty—an international committee of former regulators and other thought leaders—notes that banks have largely already defined the values towards which they are striving. “Most banks have made bold assertions on cultural aspirations in terms of expected values and refreshed or strengthened codes of conduct.” However, “banks are still failing in implementation” and a fundamental shift in thinking is required.  Culture cannot be seen as “a separate work stream or add-on process to respond to short-term public, regulatory, or enforcement priorities.” Instead, banks should adopt the mindset that the cultural problem is “core to our business model and fixing it is key to the economic sustainability of the institution.”
- One of the problems that is repeatedly identified is the phenomenon of “rolling bad apples”—when employees are dismissed due to misconduct at one firm and then are employed by another firm, where they repeat their misconduct. This issue is exacerbated by high mobility and limited disclosures about former employees out of privacy and litigation risk-related concerns. 
- Another issue is the potential existence of problematic “micro-cultures,” which is a function of the sprawling and complex nature of major financial institutions. “[A] firm with 60,000 employees and a 99.9 percent record of compliance with behavior rules might still have up to 60 employees whose misbehavior could inflict severe harm . . . this risk became especially grave if many of these 60 employees were housed within a single business unit with its own micro-culture.” Formal policies often diverge from “the way things are really done,” and research demonstrates that individuals are prone to modeling the conduct of their peers, rather than the stated values of senior leaders.
- One of the speakers at a New York Fed conference on this issue was then-U.S. Attorney Preet Bharara, who identified “minimalism,” “formalism,” and “silence” as the three major cultural deficiencies at financial institutions. He defined a culture of “minimalism” as aspiring “to do the least amount possible to be in some kind of compliance with rules . . . get as close to the line as possible without going over it.” The problem with minimalism is that “people will invariably miscalculate and bad things will invariably follow” when they find themselves on the wrong side of the line. “Formalism” is the prioritization of rules over fundamental principles and values. A culture of “silence” refers to a hesitance to report suspected wrongdoing, born out of “a human tendency to look the other way . . . [t]he desire to avoid being branded a troublemaker, or worse, a traitor,” coupled with the fear of losing one’s job. Unaddressed, these tendencies can be reinforcing and can pose serious threats to an institution.
Considerations for Further Reforming Culture and Mitigating Employee Misconduct Risk
- Bolster Board Oversight and Establish a Board-Level Committee or Office. As Federal Reserve Board Chair Jerome Powell remarked last summer, “Across a range of responsibilities, we simply expect much more of boards of directors than ever before. There is no reason to expect that to change.” To facilitate their ability to establish a strong and ethical institutional culture, an international regulator has suggested that boards should consider establishing “a dedicated board-level committee . . . to advise and assist the board in discharging its responsibilities for the institution’s culture-related matters.” The structure this takes should depend on a financial institution’s governance framework and its individual needs. For example, in early 2017, Wells Fargo created a new Office of Ethics, Oversight, and Integrity, which is tasked with ensuring that the bank’s ethical standards are met and that issues are properly escalated. In January 2018, Citigroup established an “Ethics and Culture Committee.”
- Tone from the Top and Echo from the Bottom. The clearest and most common prescription is that senior management and the board lead by example. “People learn what to do and how to do it by observing their colleagues and especially their leaders—emulating successful behaviors and avoiding unsuccessful ones.” Dissemination and reinforcement of desired conduct and values is key, because without an “echo from the bottom” in the form of broad-based staff engagement, the “tone from the top” is of limited utility. Techniques for disseminating this message include video messages from the CEO, “town hall” meetings, screensavers, and poster campaigns. Additionally, the OCC expects boards to oversee management’s development and periodic review of a written code of ethics or conduct, which is intended to foster a culture of integrity and accountability.
- Training. Effective training is necessary to communicate and reinforce expectations. The Group of Thirty suggests that banks consider enlisting senior management to conduct trainings addressing compliance culture; if such trainings are conducted by compliance staff or external firms, it may send the message that culture is not a central priority of the institution. Moreover, banks should work to embed an emphasis on compliance within all trainings, regardless of their primary topic.
- Risk Assessment. Financial institutions should conduct and update risk assessments to identify businesses or units with a higher risk of employee misconduct and potentially negative “micro-cultures.” Some firms have “held sessions led by senior business line staff where conduct risks and ‘grey’ areas or ‘dilemmas’ were discussed,” to uncover misconduct risks. Firms should remain mindful of the fact that risks can flow not only from front office activities, but also across operational and control functions.
- Balanced Scorecard and Balanced Incentives. The literature suggests that banks make hiring and promotion decisions with a “balanced scorecard” that includes nonfinancial performance criteria. This not only has the potential to address the problem of “rolling bad apples,” but it also sends a strong signal to staff that the firm values adherence to its expectations around conduct and ethics. Balanced compensation incentives are also an important factor. As New York Fed President Dudley has remarked: “Incentives—compensation and promotion, in particular—are powerful tools for communicating the conduct and culture you desire for your firm . . . . If you want a culture that will support your long-term business strategy, you need to align incentives with the behaviors that will sustain your business over the long haul.”
- Escalation. Relatedly, incentive systems should reward employees who report suspected wrongdoing. “Employees who speak up should be recognized. The courage it takes to speak up, despite the perceived costs, should be counted as a very positive factor in evaluations.” Banks need to assure employees that escalation of concerns will be handled fairly, taken seriously, and treated confidentially. Policies and procedures that encourage escalation and protect whistleblowers should be continually refreshed and monitored for effectiveness.
- Ongoing Monitoring and Assessment. Banks should institute effective mechanisms to assess conduct throughout their organizations and provide feedback to help management determine whether changes or enhancements are necessary. Ineffective internal monitoring is a major contributor to and enabler of persistent misconduct. Some firms have implemented programs for monitoring employees’ communications and making better use of data. Advances in regulatory technology (“RegTech”) promise to make such surveillance easier and more thorough, such as by harnessing big data analytics to flag possible violations or highlight vulnerabilities. Meanwhile, firms have sought to measure improvements in culture; unfortunately, effective assessments remain largely elusive. A measure called the Program Effectiveness Index, or “PEI,” has been developed, but questions persist about its reliability.
- Three Lines of Defense. An important question is how attention to bank culture, ethics, and employee misconduct risk fits into the three lines of defense model. The literature makes clear that the first-line responsibility for ensuring that behavior aligns with a firm’s values should rest with business leaders. With respect to the second-line function, there is debate as to what unit should take primary ownership. Compliance is often proposed, but the traditional rule-based focus of compliance does not always easily accommodate a focus on culture and ethics. Other options include Legal, Risk, and Human Capital, although each has its advantages and disadvantages. Across all of these options, “[r]enumeration levels in these functions need to be sufficient to attract high-quality individuals who can command the respect of the business.” Finally, the third-line of defense, typically internal audit, should have “a clear mandate to examine adherence to standards” and “operational independence.”
In addition to the above considerations, we have previously described some “lessons learned” from the Wells Fargo sales practices enforcement actions and internal investigation, including the importance of strengthening and centralizing control functions, instituting stronger practices for monitoring and following up on red flags, and improving the tracking of corrective action. We have also previously discussed the lessons from the Federal Reserve’s recent order against Wells Fargo and its public release of “letters of reprimand” to the former Chair and Lead Independent Director of the Wells Board. These letters underscore the rising expectations on boards to ensure that their firm’s business strategies are consistent with their risk management capabilities. They also highlight the importance of the board insisting on detailed and timely reporting from management when problems are identified, initiating more serious inquiries when needed, and taking appropriate action to hold executives accountable.
Associate Grace H. Tiedemann contributed to this Client Memorandum.