The 20-second summary

Legal risk is a big issue. Over the last five years, conduct-related issues have cost Financial Services around $300bn, according to recent figures published by the Conduct Cost Project. And our own analysis of litigation costs in the US clearly shows that the cost of disputes – for just the top five US banks – added up to $30bn for 2014.

Banks cannot bear these costs indefinitely. In 2014 Citigroup’s shares tumbled on news that they would incur a one-off $2.7bn cost to settle legal expenses (profits were eventually cut to 6% of analysts’ expectations). Two weeks ago Lloyds Banking Group was fined £117m for mis-handling PPI claims.

Overall, fines given out by UK regulators increased 2,000% (from £66m to £1.5bn) between 2011 and 2014. And the additional cost of dealing with investigations will at least double that amount.

But what can banks do to reduce these losses? The financial services industry is of course reviewing its working practices in relation to the new Conduct regime. But there is no evidence that these efforts have resulted in decreased costs across the industry.

The financial services industry urgently needs to find a new approach to cut out the increasing costs of litigation and misconduct. This will require new models for risk teams, and new ways of thinking for legal teams.

This article will:

  • explore in more detail the link between legal risk, and conduct and litigation expenses,
  • highlight in particular European regulators’ attitude towards legal risk, and
  • discuss the need for new risk models that reward businesses that run themselves well.

And it will outline three steps you can take to quickly pinpoint where your business is most exposed to legal risk – and prioritise where to act to reduce direct financial loss, and keep your business off next week’s front-pages.

Legal risk exposure can result in both litigation and conduct related loss

The link between litigation and legal risk is well-understood and well-established. Legal disputes generally result when a legal risk has been mis-managed somewhere within the organisation. There are exceptions, of course, but as a rule, if you were to manage your legal risk perfectly – get the perfect balance between legal risk and commercial value – your risk of formal litigation would be close to zero.

But the link between behavioural conduct and legal risk is a more recent development. Conduct was brought into keen focus in the UK when the Financial Conduct Authority was created in 2013. They have adopted thinking from behavioural economists, to frame a new rule-set for banks in their product development, sales and purchasing processes.

In 2014 the European Banking Authority (EBA) included ethical conduct within the scope of legal risks, in their definition of legal risk, and introduced a step-change in the roles and responsibilities of the in-house legal team.

The role of law in promoting and enforcing moral behaviour in society has clear parallels with the roles of law and regulation in managing conduct within industry. Lawyers have a key role in both cases, to interpret the way that human behaviour interacts with the letter and spirit of the law – and estimate the likely impact of that interaction.

Litigation costs and the cost of conduct are game-changers for legal risk

The cost of getting legal risk wrong has never been greater. To give an example, each quarter US bank holding-companies have to complete a quarterly financial summary, Form Y-9C, and file it with the Federal Reserve. One section of the 60-page form covers “Legal Fees & Expenses”. Earlier this year we reviewed nearly five years’ worth of Y-9C forms, and we have charted some of the results below.

US banks litigation expenses increased to USD30bn in 2014

The five banks we analysed all had rising legal bills, with a noticeable spike in the last 12 months. And litigation expenses alone went from around $9 billion in 2010, to just under £30 billion at the end of 2014.

And a new research group, The Conduct Cost Project Research Foundation, reported recently that the total cost of conduct to the Financial Services sector was $300bn over the last 5 years.

Financial analysts often strip out litigation expenses from their longer-term valuation models, because those expenses are typically one-off events. But if these costs arrive fairly regularly – as seems to be the case with major banks – analysts may well decide to factor them in, which will raise questions about invest-ability of the banks.

And so the challenge for banks now is to change the way they operate and reduce significantly their exposure to these types of expense. These risks result from a failure to adequately interpret and comply with the letter or the spirit of the law. This could be inadvertent (due to a failure to correctly understand/interpret the law, or ambiguity in the law itself) or deliberate (due to reckless indifference) – but banks need to up their game in the way they identify, analyse and interpret legal risk.

UK regulators are clear that in-house lawyers are the second-line-of-defence for legal risk

UK regulators agree with this line of thought. In 2012 the FSA held a meeting with General Counsels from the 20 largest Financial Institutions in the UK. In that meeting they highlighted to the attendees their role as a second-line-of-defence for legal risk and warned of the dangers of “group think”. In the same year the German regulator BaFin also expressed a greater interest in the approach their banks were taking to legal risk.

And in 2015 in the UK, the Prudential Regulation Authority (PRA) started talking with in-house legal teams to see what approach they are taking to legal risk – and in some cases actually auditing the approach and testing with business teams whether the lawyers are actively participating in risk-based business decisions.

Businesses are clearly under pressure to redefine the role of their legal teams within the 3-lines of defence model, and step-up their efforts to identify where in the myriad of processes, controls and operating procedures they are likely to cross-the-line between what is legally or morally right, and what is legally or morally wrong.

But are in-house legal teams equipped to take on this responsibility? And do they have the skills and the resources they need?

How work is done is as important as whether it is being done

It isn’t enough to tick a box and say that work is being done by competent staff, or outsourced to competent companies. How work is carried out is as important as whether it is being done at all.

I’m sure that had Lloyds’ legal team reviewed the way they handled PPI claims, they would have highlighted the areas that crossed an ethical line that is not always clear to those working at the front-line – and recommended that claims handlers take a different approach.

Similarly, if litigation teams regularly and diligently tracked the root cause of disputes back to operating practices within the business, they could advise on how and where standard operating practices lead to costly disputes, and reduce ongoing exposure significantly.

But this type of work falls outside the standard role of risk, compliance and the traditional legal department. And in our legal risk benchmarking report last year, we found that the majority of businesses lack confidence in their ability to manage legal risk.

In-house counsels lack confidence in their ability to manage legal risk

In 2014 we published the results of our first Legal Risk benchmarking survey. One of the findings was a lack of confidence, amongst in-house lawyers, in their ability to manage legal risks. 80% of respondents to our benchmarking survey expected to suffer material loss in the next operating year.

Bearing this in mind, it is clear that in-house legal teams will need support from risk management teams within the organisation, and from external experts and agencies, to prepare them for their new second-line responsibilities. What is less clear is whether existing risk models will reward businesses when they do improve their legal risk profile. The external environment is so perilous at the moment, and extreme scenarios so punishing, that new models may need to be created to free-up capital for the banks to invest in risk reduction programmes.

Operational risk models need to change, to reward well-run businesses with a capital haircut

In 2014 the EBA in their AMA standards re-defined the scope of legal risk and its position in the lexicon of business risk. They propose two significant changes:

  1. Legal risk loss will be included in operating capital calculations: legal risk has been part of operational risk since 2003, but the EBA stance highlights, for example, that legal enforceability of security over assets will need to be taken into account for capital purposes
  2. Ethical conduct is in scope of legal risk: this seems obvious, as law and regulation is put in place to moderate behaviour and impose moral values on business. But many in-house legal teams have been reluctant participants in conduct risk programmes and need to now change their approach

Extreme scenario analysis is one of the more effective ways to identify forward-looking risks. When you contemplate the worst possible scenario, and then retreat to what is plausible, you force yourself to think analytically about the risk. But extreme plausible legal risk losses can add up to hundreds of millions of dollars – and bubble up seemingly out of nowhere.

Until risk models moderate extreme scenario analysis with the results of day-to-day expected loss, businesses will be incentivised to use other risk estimation methods that reduce the potential exposure – or give up on advanced modelling altogether. New models are being developed, but until they are ready, businesses should still quantify key areas of legal risk, and then relate the estimates back to the current operational risk models.

Follow three sequential steps to minimise heuristics (or “group think”) in your legal risk analysis

The priority for businesses now is to analyse and predict where the next legal risk incident is likely to occur – and work out where to allocate resource to maximise the reduction in risk exposure. Financial institutions have a sophisticated network of policies and procedures designed to manage operational, market and credit risk. But legal risk has fallen between the cracks for many years and the legacy operating practices that persist within businesses can result in significant legal risk incidents bubbling-up at any time.

There are three straightforward steps you can take, to be certain you identify the biggest legal risks for your business:

  1. Design a legal risk framework that will help you identify and analyse where your business’ operating practices could result in legal risk
  2. Carry out high-level legal-risk scenario workshops, to identify specific risks and develop an initial prioritisation matrix
  3. Verify the initial findings with a control and loss-data analysis, to be certain that the scenarios you imagined are realistic for your organisation

These three steps will give you the structure you need to quickly pinpoint where your business is most exposed to legal risk – and prioritise where to act to reduce direct financial loss, and keep your business off next week’s front-pages.