White Paper

Conduct regulation: a global dynamic

We’re now so used to ”conduct enforcement” that we tend to forget how recently it all began: the world’s first dedicated financial conduct regulator set out its (British) stall in only 2013. In barely three years, conduct risk has powered ahead to become the most fashionable field of specialization for regulatory experts. With conduct costs soaring past £250bn , much of this consisting of fines delivering huge windfall revenues to national exchequers, it is hardly surprising that the new mode of regulation is more than ever attracting the attention of revenue-seeking governments around the world.

Behavioral regulation promises politicians a rare prize: a tax-free way to reduce public deficits, plus ratings-boosting prosecutions against named senior financiers, who up until now seemed to have “gotten away with it.” For a national government in any country where financial markets are active, these twin attractions are hard to resist. Recently, government has further ramped up its claims to public virtue by announcing that income from fines against banks will now be redistributed to charitable causes.

For sheer scale, the impact of new enforcements wholly eclipses both the cash cost and the personal element of exposure of any offenses under previous regimes. Behind the big headline figures, a subtler narrative is also now emerging. We are witnessing the evolution of a new breed of enforcer: behaviorally savvy, they’re more interested in how people interact than simply in the quantum risk figures reported during commercial transactions.

Arguably the defining characteristic of the new type of regulators, however, is the breadth of the horizon that they survey – the arrival of a regulatory “hive mind” that transcends national borders. The new species of conduct enforcers are global citizens, willing to travel anywhere on the planet to inject their behaviorally informed insights into financial reform programs wherever a government is looking to renovate a discredited control regime.

The Bank of England arguably set the trend by importing a Canadian central banker to head its post-crash supervisory agenda from 2013. Since then, other British financial control agencies have cast their recruitment nets as wide as Australia, South Africa and Hong Kong, while U.S. agencies have actively begun recruiting, in other jurisdictions, senior supervisors with experience in the new art of ”behavioral risk.” The new collective consciousness of regulators takes other forms: in March 2016, the UK’s Financial Conduct Authority (FCA) signed a cooperation agreement with its Australian counterpart to provide “the fullest mutual assistance,” including potential staff exchanges.

The reach, agenda and enforcement powers of conduct regulators have continued to expand at a dizzying rate, seemingly regardless of the many other geopolitical upheavals of 2016. To understand what’s driving this expansion, as conduct control initiatives flourish around the world – and to get a taste of what we should expect in 2017 and beyond, not least as European and international rules realign around Brexit – it is useful to understand where the regulators themselves have sourced their agendas from, thus far, and where they will look for future inspiration as their “regulatory enterprise” continues to expand.

First, we should be clear about the genesis of the whole behavioral/conduct risk movement. Unexpectedly for some, the adoption of a conduct risk framework is not just a regulatory aftershock from the financial crisis of 2008 – although this event of course played a strong part in catalyzing the regime change. Rather, the new behavioral focus draws together several separate but long-standing trends in the commercial practices of financial markets, public governance, consumer campaigning and science. This paper will look back over key formative influences; sideways at where we stand now; and forward to predict, with some confidence based on a firm grasp of behavioral science, what practitioners should watch out for in the near future.

For many conventional risk specialists, the “science” word still jars, as it doesn’t refer to actuarial or audit studies. For people who have grown up regarding risk as a numerical phenomenon to be mapped by Gaussian copula, micromorts, cost/benefit analyses and efficient frontiers, the notion of risk as a function of human behavior – of brain-wiring and social habits – is deeply unsettling. An existential challenge, even. To a dedicated quant, behavioral risk looks suspiciously like a gate-crasher, disrupting a way of life that has, until now, been comfortably bounded by econometric data.

It’s true that some behavioral scientists seem to enjoy the immodest fun of poking conceptual holes in traditional risk management practices, using their new human insights rather like a pointy stick to goad old-school practitioners with. And why not? Right now, behavioral science buffs seem to be having most of the (scarce) fun available in the risk field, as they rush about overturning the assumptions that old-school economists and regulators took for granted. In a curious way, all this iconoclasm chimes with an ugly current public mood of open criticism of government – normal rules of political engagement seem to be suspended; anything goes. This is most recently evidenced by the Brexit vote; by virulent Twitter® (and even real-world) attacks on authority figures, political leaders and challengers alike; and by the rise of nonaligned protest movements fielding naïve but “authentic” challengers to orthodox leaders.

Among behavioral economists, the mood perhaps derives less from criticism of political systems, and is more an intellectual euphoria about their own successes. It’s rather reminiscent of the early, heady days of the first dot-com boom. More and more, you can now find behavioral economists gathering in online forums and in the social spaces of the world’s financial centers, energetically debating. Spurred on by one another’s successes, they share stories that affirm a rising self-confidence, aware of their new profession’s achievements and future potential.

As an observer, the big difference in just the past two years is that now everybody is reading up on the latest behavioral research, while aspiring risk managers increasingly take the “BE 101” class at business school and are suspicious of classical economic theory. To its many new disciples, behavioral economics (their beloved “BE,” if you’re one of them) is almost a new rock ’n’ roll. At any conference on risk, regulation or financial marketing, it is now quite usual to encounter a clutch of behavioral specialists from rival institutions, propping up the bar and swapping war stories about their personal experiences from the sharp end of the ”Econs versus Humans” debate . Rather like alternative comedy, the objects of their cynicism are predictable: the historic failures of command-and-control , of models-based systems thinking , of the rational actor paradigm, and various other now-obsolete 20th century-sacred cows.

Threatened with mass extinction by the arrival of behavioral analysis techniques, traditional specialists in risk and compliance might be forgiven for wishing this would all go away, longing for a return to the old comforts of credit default probability and value-at-risk. While the BE barroom chat may be bullish and future-facing, there’s a lingering counter-blast among certain senior risk practitioners who should, by now, know better. To quote some recently heard views :

- “Conduct risk training? Oh yes, we’ve sheep-dipped everyone already.”

- “If we really had to deal with willful blindness and information asymmetry, no bank would be in business.”

- “Debiasing

– what the ****’s that?”

To the relief of the now mainly better-behaved majority, such nostalgic views are now less common, or at least less commonly aired. There is no chance of a retreat to the old numerical certainties.

For the rest of this paper, after looking back over the origins of conduct risk in global studies of human behavior, the reader will be better placed to understand where the new regulation will go next. Most importantly, we can then see what work we need to do to install new practices to protect profit in our own institutions. Because, surprisingly for some, where good behavior replaces the old patterns of opportunistic selling, it’s also good for business.

Chapter One

The roots of the risk: commercial practices

To get where we are today required several preconditions – or simply, a coming together of various forces arising from past things that happened. From out of a gigantic sea of literature on the causes and consequences of the crash of 2008, and as we approach the decade anniversary, the most salient causal factors have now emerged into the light. For example, it is clear that the roots of market failure lay not just in the obvious, surface trading conditions prevailing during 2007-8; after all, we know that a liquidity failure was the proximate trigger to crisis. Rather, there is a deeper set of preconditions that existed and that now deserves a closer look.

Behavioral science has helped here by providing the fresh perspective needed to account for how these factors persisted, corroding public trust and undermining good governance. Reviewing the period of run-up to the crisis using their shiny new analysis tool, the behavioral lens, analysts of behavior now point to the damage caused by a nested set of weak assumptions about how people respond when someone changes the design of a risk control. For example, past changes were for the most part driven by a systems thinking approach, typically justifying decisions on grounds of cost-benefit analysis. This conventional risk tool proved catastrophically blind to its own effects on human behavior, or more plainly, “what actually happens.”

One specific theme emerged: through the previous quarter century, on the simplistic premise of economies of scale, providers systematically removed risk decisions from front line managers and passed them up to consolidated central offices. Further adding to the sense of disconnect that this created, they also separated debts from debtors, for example, by repackaging a household mortgage and reselling it on the wholesale debt market. Worse still, they then interpolated a layer of derivative contracts, as with the role of collateralized debt obligations (CDOs) in the subprime mortgage market crash. A notably disturbing feature of the psychological “dread landscape” of 2007-8 was the spectacle of domestic mortgage-holders discovering that their homes were not, in fact, owned by the bank that they’d originally contracted with, but might possibly be subject to foreclosure by an unknown third party.

Meanwhile on the risk reporting front, providers had become accustomed to signing off on their own compliance efforts. Self-certification fueled a general complacency. Risk decisions were supported by references to money-denominated indicators of performance, whose relevance as proxies was not questioned. Service providers also became used to ticking boxes in pro forma statements of compliance. The structure of these forms was itself flawed, coercing a simplistic “yes” response when the true position was inevitably far more nuanced than this response could allow. For a determined few, though possibly by summer 2008 a sizable minority, complex games of risk reporting had become routine.

Even where risks taken were purely commercial, and not the regulator’s to call, other forms of misbehavior had become easy, lazy habits. Many financial products were – and still are – built on a premise of available funding rather than customer need. Meanwhile, poor decisions on risk appetite could be made to vanish by diffusing personal responsibility and by aggregating the separate risk reports from various line businesses.

Chapter Two

The roots of the risk: behavioral science and regulatory design

While providers busied themselves with these creative activities, over in the public policy and regulatory space there were early stirrings of change. These had begun pre-2008, if not at first vigorously enough to unseat the ”rational misbehavior” of many incumbents. Until the crash, the consensus on how to create regulation, and whether behavioral insights mattered at all, worked broadly as follows:

Regulators, and indeed governments and their advisors in most countries, maintained a faith in systems thinking. This is based on Newton’s logic that when you apply a force for change, the object you’re leaning on will move proportionately and predictably.

Whether that object is a car that needs to be jacked up, or a trading floor full of badly behaved salesmen who need restraining, the logic was apparently the same. Subscribers to the Newton view included most of the world’s civil servants and legislative drafters, most commercially employed economists and financial services “risk architects.” This large constituency held the common belief that people are resource maximizers, or simply rational actors, meaning in plain terms that we will always look for the way of doing something that will produce the best (most lucrative, most materially comfortable) result for ourselves. To prop up this argument, everyone used econometrics (numbers giving a historic account of how a financial contract had performed). 

In the compliance space meanwhile, risk reports tended to opt for simple binary accounts of reality: a choice of a “yes” or “no” box in response to each question. This framework deterred anyone who might have wanted to take a qualitative, let alone perception-based, view of risk.

At this point some readers will no doubt be saying, “Yes, but surely behavioral economics had been around since the 1970s, and was familiar to many people by the 2000s. It’s hardly as if nobody knew about it.” Actually, the problem was that many providers did know, but were keeping this valuable knowledge quiet. Credit card providers realized that Bayesian inference (c. 1760) was rather useful for marketing purposes, and the Black-Scholes formula (1973) was already helping derivatives traders find an expected price point. But these were not exactly mainstream popularizations of behavioral insight; that would require a new force for change.

Chapter Three

A tipping point

The major force for change duly arrived in the form of two events during the summer of 2008.

One was a global financial markets crash. Commercial responses to the event were, at least with hindsight, fair enough: de-gearing, divesting, ring-fencing. Early challenger institutions looked for advantage among the chaos. The public purse rescued some institutions. Others failed outright or were bought for a song. (This left many ordinary citizens, and many politicians, perceiving that the markets had “gotten away with it.” And for many providers who continue to devise and market products on a supply-driven basis, at a practical level this appears to remain true.) The other big event of 2008, at least for our purposes here, was the publication of a hugely influential and popular book of behavioral insights called Nudge. On cue, behavioral regulation stirred itself into life. Less than five years after that, the new regulation started to bite providers in all kinds of sensitive places they hadn’t previously noticed. What had just happened?

Chapter Four

Today's view: behavioral science and regulatory design

The short answer is that, while the markets were busy having their crisis, a small but energetic group of behavioral scientists had found that mainstream media were beginning to see the popular relevance of what they had to say. After all, they were offering an alternative explanation of “what just happened” with the financial crash, using plain language about how people behave. The explanations looked simple and felt familiar – common-sense, even, after generations of expert obscurity. This appealed no end to the general public. So also, of course, it appealed to the political classes who knew a popular bandwagon when they saw one, and who had anyway been casting around for any plausible new form of risk control to replace the models that the markets had just expensively shattered.

Although it’s tempting to peg this tipping point in public awareness to a famous academic challenge issued by Prof. Colin Camerer in 2003, the reality is that, for many people (including a world leader or two), reading that little book, Nudge, was their moment of conversion. More than any previous piece of behavioral research, Nudge opened ordinary people’s eyes to a new vision of how humans conceive the elements of decision making. Suddenly the mistakes of global institutions were not only explicable with complex algebra; we could all see and readily grasp how a predatory board behaves remarkably like an antisocial gang of teenagers in a school yard. By rediscovering the human factor, and reassuring us all that it is helpful to talk about it, behavioral science perhaps changed risk management more than its early exponents could ever have expected. Although central government policy initiatives in the behavioral space scored some popular successes, its impact has come to be felt most strongly in financial services regulation, where, with vigorous political support, the first of the new regulators, launched in the UK in 2013, announced a behavior-led agenda.

For any government stuck on the back foot after a financial crisis, and for a new regulatory agency looking to score a few quick wins, the behavioral approach solves several problems. Not least, you can prosecute individuals who simply look as if they’re behaving badly. This plays nicely to the (sizable) block of voters who think that “all financial practitioners are crooks anyway.” Then again, you can enforce standards of conduct based on what you’ve observed of how practitioners behave in real life, rather than waiting 12 months for them to produce risk reports based on questionable proxy indicators.

There’s more. Appealingly, you can enter into strategic alliances with all kinds of other regulatory agencies (after all, doesn’t every regulator want its regulatees to behave better?). Best of all, finally, a behavioral regulator presents itself as valuing the interests of the customer above all other concerns: how the customer experiences a transaction becomes the paramount measure of “acceptable and expected conduct.” And so, at a stroke, the industry is required to reverse its view of compliance priorities to look inside-out, or more accurately, outside-in, after decades of introspection and self-certified assurances.

Given this sea change in the premise of regulation, what should practitioners do now?

Chapter Five

Looking ahead: conduct is going global

The most telling characteristic of conduct regulation, as the new behavioral regime has come to be known, is how much money it has raised, through fines, for its government sponsors. It is the cash yield, far more than the philosophical merits of behavioral science, that has endeared this new approach to governments wherever financial services operate – and increasingly in other regulated sectors too. There has been a recent surge of behaviorally informed activity among regulators in jurisdictions far beyond the UK. 

Behavioral researchers are, of course, strongly drawn to study these developments. As various countries announce their own new initiatives in behavioral regulation, researchers in the new field of ”conduct enforcement analysis” have begun to identify transnational patterns of behavior among the enforcers themselves. This is not simply an academic model: regulators themselves increasingly describe their own strategic alliances using terms such as “multilateral enforcement” and “cooperative memorandums of understanding.” These refer equally to home territory affiliations and to cross-border treaties.

These patterns hold out the prospect, eventually, of researchers compiling a unified global view of conduct risk, the so-called global taxonomy. Here’s one way that this could work: in the UK, for example, the FCA and the Prudential Regulation Authority (PRA) already identify ”sets” of conduct offenses, deriving either from preexisting laws (such as anticompetitive practices, or misappropriation) or newly defined offenses (such as various forms of customer detriment). Analysts may then group UK and analogous offenses in other jurisdictions together under a set of conceptual headings: market abuse, oversight failure, customer care failure or careless record keeping, and so on.

The most significant feature of the taxonomy is not these groupings, however. Rather, the most compelling point of the taxonomy is its potential ability to take real data from conduct prosecutions, model it into algorithms and then extrapolate this knowledge to predict where enforcement hotspots will arise. Imagine, as a chief risk officer or corporate treasurer, being able to foresee which products and territories will next be at risk of enforcement actions. The potential savings on compliance resources are huge.

We already have early indications of how this might play out. Global taxonomy analysis has highlighted, for example, how Australia’s lead conduct regulator (ASIC) is developing two notable characteristics: a self-proclaimed drive to extend a behavior-based intervention agenda and a tendency to lock up twice as many misconduct defendants as any other jurisdiction. The same research work in progress shows, in broad-brush terms, that the “first mover” initiative in behavioral regulation has been drifting steadily away from the UK and now resides with Australia’s ASIC, closely followed by domestic regulators in Singapore and Hong Kong, and that conduct initiatives in the U.S. and South Africa may soon, in turn, seize the lead.

All of this offers clear lessons, warnings and even specific risk predictions for practitioners, especially in multinational businesses where product lines face differential exposures from market to market. Some of these are highlighted in the final section of this paper – and will no doubt be returned to, as this field of research expands.

Chapter Six

Next predicted developments in the new enforcement regime

Various conduct risk research initiatives that this author participates in, or has been shown privately, suggest that within the next year (2017) we are likely to see the following events:

• A conduct enforcement shock for a nonfinancial brand. A significant number of businesses run finance operations as adjuncts to their main, typically consumer-goods, operations. If you’ve ever bought a car with dealer-arranged financing, opened a store credit account or banked with your local supermarket, these are the providers potentially exposed. Are they even aware that they’re moving in the conduct risk space? We won’t have long to wait, it would seem, before one such brand is exposed to the new mode of behavioral enforcement.

• As a reflex response to new forms of market shock – such as Brexit and other geopolitical uncertainties – regulators will take the opportunity to consolidate and further extend their powers of enforcement. As ever, agencies will claim that this improves protection for endangered customers. Yet, coming on top of already announced extended powers to regulate consumer credit, insurers, intermediaries and mortgage providers, we may reach a tipping point where financial providers ramp up organized resistance to any further regulatory burdens.

• As ASIC and the FCA have shown, and regardless of European realignment, we should expect an increase in the number of cross-sector and international regulatory initiatives and alliances. The UK’s (intranational) alliance between the FCA and the Competition and Markets Authority (CMA) is a sign of things to come.

• As a global taxonomy of conduct enforcement emerges, it will reveal the common strands and prosecutorial tools of analogous control agencies around the world. Using the findings reflexively, regulators will compare notes with one another internationally and will increasingly look to exchange staff with each another. Following on from this, and through their liaison via super-regulatory bodies such as IOSCO19, we shouldn’t be surprised to see that the world’s regulators will begin to agree on certain universal types, patterns and definitions of human misbehavior. The resulting rules may be applied domestically or transnationally, depending on the regulator and the offense, but it’s clear that more commonly recognized global principles of prosecution may be expected.

• Despite regulators’ reassurances, we may expect one notable effect of enhanced personal accountability to be the sight of senior and middle managers’ “heads on spikes” (metaphorically, of course). Two foreseeable consequences of this – already emerging in current research findings20 – are that the quality of individuals applying for senior management roles is deteriorating and that some individuals concerned about personal exposure under SMR21 have scaled back their own claimed role remit (the so-called ”juniorization” of roles). Such responses have, of course, been observed as standard, if unintended, side effects of regulatory “clampdowns” throughout human history.

• Finally, and toughest to contemplate, because it remains the most conceptually flawed of the new regulatory initiatives, is the debiasing initiative. Reasonably enough, regulators are concerned that too many consumers buy financial products as a result of poorly executed decisions, where, for example, there was incomplete information, stress or ”tunnel vision” in wishing to complete the sale quickly. In theory, the answer is for providers to identify the customer’s biases that interfere with clear decision making and help the customer overcome these. In practice, this demand is unreasonable: it is so conceptually challenging, and currently misperceived even by regulators who advocate it, that its problems require more space than is available here to explain. A future paper may address these serious misgivings.

Chapter Seven

Summary conclusion

The way to grasp and thrive in the new regime is twofold:

Firstly, if you haven’t already, get to know a bit about behavioral science. There are plenty of primers, and indeed Thomson Reuters white papers, to make this less daunting.

Next, move to increase your capacity for situational awareness of behavioral risk in your organization: your ability to do “risk-aware working.” This does not mean more risk registers and compliance reports. Rather, the opposite: look to set up management workshops, to set in motion some simple methods encouraging people to exercise their intuition and to discuss problems initially in human terms. No need to over-elaborate, box-tick or risk-model this approach – anyone can learn this technique for improving early warnings of misbehavior.

Finally, and optimistically, thank goodness: if markets are indeed at last emerging from the 2010s recession (a big if – and indeed, that’s another story too), regulators are at least now willing to express a more positive-sounding wish that in the future they’ll be more focused on encouraging good behavior – at least, once we have defined how to rate and apply this. Maybe this will mean de-emphasizing punishment for ”bad behavior”; let’s wait and see. For the time being, though, things being as they are on the political landscape, it would be wise to brace for a further year of painful transition. The prospect of a utopian regime of regulators’ ”rewards for good behavior” is appealing, but don’t expect it to become real just yet.

Chapter Eight


1. CCP Research Foundation, Conduct Costs Reports at ccpresearchfoundation.com.

2. Under the previous regulatory regime (the Financial Services Authority or FSA), the fine that any UK provider paid used to go to reduce the costs of funding the regulator itself – that is, fines benefited the financial services industry itself, albeit indirectly. This changed in 2012, following critical comment at the time: “[Chancellor] George Osborne doesn’t think it’s fair that fines should go back to offenders’ colleagues. After all, fines imposed by a court for criminal offences go back to the Treasury … given the FSA’s managed to pick up just under £378m in fines in 10 years, it’s no wonder Mr. Osborne would like some of that to go to the state.” Channel 4 News FactCheck, June 28, 2012.

3. See Treasury to give banking fines to charities at thirdsector.co.uk, March 16, 2016.

4. See ASIC-FCA Cooperation Agreement at the-fca.org.uk.

5. Prof. Colin Camerer (2003), The behavioral challenge to economics: Understanding normal people, proceedings of the Federal Reserve conference, Caltech, Pasadena.

6. See Eric Schlosser’s Command and Control (2014) – a terrifying exposé of how close various government agencies have come to setting off nuclear weapons … by mistake.

7. See Prof. John Seddon, Systems Thinking series (2008-2014).

8. See Gary S. Becker (1976), The Economic Approach to Human Behavior; Slovic, Fischhoff and Lichtenstein (1981), Facts and Fears: Societal Perception of Risk.

9. Author’s own research among senior risk managers, London financial service providers, 2015-16.

10. Sir Isaac Newton’s Third Law of Motion states that “for every action, there is an equal and opposite reaction.” This remained a guiding principle of physical science for two centuries, until Einstein showed us that the physical world is more relative, and less absolutely predictable.

11. Or the 1730s, if you’re a follower of Daniel Bernoulli; or perhaps the 1930s, if you trace its origins back to Von Neumann and Morgenstern’s prototype of Game Theory. But let’s not split hairs.

12. Richard H. Thaler R. and Cass R. Sunstein (2008): Nudge: Improving Decisions About Health, Wealth, and Happiness.

13. Prof. Colin Camerer, as above.

14. Including, notoriously, cleaner urinals at Schiphol airport; an increase in the number of organ donors and pension savers in the U.S.; and a rise in the take-up of loft insulation schemes in the UK.

15. See Setting the reform agenda in a changing regulatory landscape, speech by ASIC Commissioner, Cathie Armour, August 20, 2015.

16. As with the UK’s conduct, prudential and competition regulators (FCA, PRA and CMA, respectively).

17. As with a collaborative prosecution in August 2015 which involved Australia’s ASIC, the UK’s FCA and Denmark’s Financial Supervisory Authority (FSA).

18. Author’s own research in progress, summer 2016.

19. The International Organization of Securities Commissions – a global forum for financial regulators, both conduct-based and conventional.

20. Author’s own projects: Thomson Reuters and Cambridge University. Flash findings (mid 2016); full results in press.

21. The Senior Managers Regime, under which UK regulators (from spring of 2016) hold individual senior managers individually responsible for control of prescribed corporate risks, under threat of personal prosecution.

22. This author recommends Rolf Dobelli (2013), The Art of Thinking Clearly as a starting point.

23. See Roger Miles (2016) (in press) Conduct Risk Management: Using a behavioural approach to protect your board and financial services business (Kogan Page).

24. See speech by FCA Chairman, John Griffith-Jones, October 21, 2015: fca.org.uk/news/chairman-speech-to-trust-in-banking-conference. 

About the author

Dr. Roger Miles counsels organizations and business leaders on strategic risk and uncertainty. They use his simple interventions to transform collective self-awareness and to displace value-threatening behaviors. With published research and commercial interests in organizational psychologies of risk, he develops trading products and new approaches to protecting value in brands; and leads behavioral risk learning on various postgraduate courses.

Thomson Reuters Risk Management Solutions

For the trusted answers that help you anticipate, mitigate and act on risk with confidence. Manage enterprise risk, corporate governance, customer and third party risk, regulatory compliance and financial risk effectively, and accelerate business performance.