2.1 Supervising culture

2.1.1 Responses to the GFC

While prudential supervisors have no doubt formed views about the culture of financial institutions for many years, the idea that the culture of financial institutions was directly linked to financial soundness and stability only appears to have taken hold in the wake of the GFC.

As I have said, immediate responses focused on the potential for poor remuneration practices to undermine financial soundness and stability. But before long, attention turned to the failings of culture that had contributed to the crisis.

This focus on the culture of financial institutions was first (and most clearly) evident in the Netherlands. Mr Byres said that this:[1]

Reflect[ed] the fact that their financial system had essentially imploded [and] their large banks … all had to be rescued, effectively, by their governments … [The Dutch] were thinking very hard about how do we avoid getting into this situation again.

Mr Byres said that, in looking for ways to avoid repeating the effects of the financial crisis on Dutch banks, the central bank De Nederlandsche Bank (DNB) ‘went quite assertively into the area of culture and risk culture’, and created a team, including organisational psychologists, that would make assessments of culture within financial institutions.[2]

Since 2011, the DNB has overseen assessments of behaviour and culture in the institutions within its remit.[3] The DNB’s program is predicated on the idea that ‘[c]ulture and behaviour are essential elements for financial and prudential supervision, since the behaviour and culture of a financial organisation influence its financial and organisational performance’.[4] By 2015, the DNB had conducted 52 assessments of ‘banks, insurance companies, pension funds and trust offices’.[5] Most assessments focused on senior management.[6] According to the DNB, more than half of the boards assessed ‘showed serious problems with regard to their board culture’.[7]

Although the DNB appears to have acted first in this area, it was not alone. In November 2012, the FSB published a paper about the need for more intense and effective supervision of systemically important financial institutions.[8] Among other things, the paper recommended that supervisors, like APRA, explore ways to formally assess the risk culture of financial institutions.[9]

Following on from that recommendation, in April 2014, the FSB published its ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture’ (the Guidance).[10] Consistent with the FSB’s focus on financial soundness and stability in the period following the GFC, the Guidance focused specifically on the ‘risk culture’ of financial institutions, rather than their organisational culture more generally. The Guidance said that:[11]

Weaknesses in risk culture are often considered a root cause of the global financial crisis, headline risk and compliance events. A financial institution’s risk culture plays an important role in influencing the actions and decisions taken by individuals within the institution and in shaping the institution’s attitude toward its stakeholders, including its supervisors.

A sound risk culture consistently supports appropriate risk awareness, behaviours and judgements about risk-taking within a strong risk governance framework. A sound risk culture bolsters effective risk management, promotes sound risk-taking, and ensures that emerging risks or risk-taking activities beyond the institution’s risk appetite are recognised, assessed, escalated and addressed in a timely manner.

Like other documents released before the launch of the FSB’s work plan in relation to misconduct in 2015, the Guidance did not identify particular risks with which it was concerned. Instead, it was directed to ‘risk culture’ and ‘risk management’ generally. Having been framed as part of the FSB’s response to the GFC, it is likely that those to whom the Guidance was addressed would have understood it as referring principally to financial risks – that is, those risks with the most obvious and immediate potential to affect the financial soundness of the firm.

APRA’s work on culture – in particular, risk culture – began at around this time.[12]

In 2014, APRA released a draft of CPS 220, a new prudential standard in relation to risk management.[13] That draft prudential standard would have introduced a requirement for the board of an APRA-regulated institution to ‘ensure that a sound risk management culture is established and maintained throughout the institution’.[14] Mr Byres said that this proposed requirement met with considerable opposition, particularly from company directors.[15] There was a general concern among directors about the extent to which non-executive directors could ‘ensure’ anything (without descending into management), and a more specific concern about the extent to which directors could influence the risk culture of an institution.[16]

In response to those concerns, APRA changed the draft.[17] The prudential standard that was ultimately issued in January 2015 required the board of an APRA-regulated institution,[18] among other things, to ensure that it:[19]

  • forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite;
  • identifies any desirable changes to the risk culture; and
  • ensures the institution takes steps to address those changes.

Risk culture is a narrower concept than organisational culture. An entity’s risk culture is one aspect of its culture. Risk culture depends on the organisational norms and behaviours that determine how risks are identified, understood, discussed and acted on.[20] Although the relevant risks are described in CPS 220 as the material risks facing the institution being ‘those that could have a material impact, both financial and non-financial, on the institution or on the interests of depositors [or] policyholders’,[21] it appears that the emphasis at the time CPS 220 was issued was on financial risks.[22]

Another important development in Australia at this time was the establishment of a Governance, Culture and Remuneration (GCR) team within APRA.[23] Mr Byres explained that the creation of this team reflected a number of considerations:[24]

  • that risk culture was a nebulous concept, and that APRA needed to develop a more systematic approach to examining and assessing how boards were approaching their new obligations;
  • that APRA’s supervisors were not well equipped to tackle a new area of interest without additional specialist support;
  • that supervising risk culture was, internationally, at an embryonic stage, and that stronger connections with peer agencies were needed to draw on international experience; and
  • that APRA lacked a central core of expertise in remuneration (and, to a lesser extent, governance), and that the three issues were inextricably linked.

2.1.2 Linking culture and conduct

In the first half of 2015, international bodies began to draw more explicit links not only between risk culture and financial soundness, but also between organisational culture and misconduct.

As I have said, the FSB launched its work plan on measures to address the risk of misconduct in May 2015. Part of that work plan concerned the relationship between organisational culture and the risk of misconduct, and the work that supervisors could do to form a view about the culture of financial institutions.[25]

In July 2015, the Group of Thirty (G30) published ‘Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform’.[26] The report said that, because ‘[b]anking is, in 2015, at a low point in terms of customer trust, reputation, and economic returns’:[27]

[t]here must be a sustained focus on conduct and culture by banks and the banking industry, boards, and management. Firms and their leaderships need to make major improvements in the culture within the banking industry and within individual firms.

The report insisted that prudential supervisors should have an important monitoring function, saying that ‘conduct-related prevention, using a range of informal and formal supervisory tools, backed up by robust enforcement, can produce a better outcome for society’.[28] The report also emphasised that:[29]

Supervisors should look on cultural questions as root cause analysis and intervene when they see demonstrably serious problems as opposed to making culture a generalized additional supervisory add-on.

Despite the emphasis on the relationship between conduct and culture in the G30’s paper, until very recently, there has only been limited overt attention given in Australia, by entities or by regulators, to issues about conduct and culture. Particular events of misconduct have been dealt with when they came to light, but regulators gave little or no public attention to what general responses should be made either to events that were then coming to light in Australia or to what had happened in other jurisdictions.

That proposition is perhaps best illustrated by considering the work of APRA’s GCR team following its establishment in 2015.

One of the first major pieces of work that team completed was a review of how APRA-regulated institutions were complying with the requirement for the board to form a view of the institution’s risk culture.[30] That review resulted in an information paper entitled ‘Risk Culture’, which APRA published in October 2016.[31]

For the most part, the information paper focused on risk culture as it related to the management of financial risk. The examples APRA gave in the information paper of poor risk culture were the failure of HIH Insurance in 2001; increased risk-taking in the life insurance industry, particularly with respect to group life insurance; and what it called the sacrificing of sound market practices for the origination of residential mortgage loans in favour of preserving market share and growth.[32]

Towards the end of the information paper, APRA indicated that it intended to ‘refine and sharpen its approach to assessing risk culture’ through a program of pilot risk culture reviews.[33] Mr Byres explained that ‘what we were flagging [there] was that instead of [risk culture] being a part-time or adjunct or add-on to some other primary activity, that we would actually try and do some reviews where the primary purpose was to assess culture or risk culture’.[34]

The first of those reviews commenced in July 2017, and was completed in November 2017.[35] APRA made an independent assessment of the relevant entity’s culture, through work including surveys, interviews, document reviews, focus groups and observations.[36] A second review had been planned to commence in October 2017, but was overtaken by the announcement of APRA’s Prudential Inquiry into CBA.[37]

APRA’s Prudential Inquiry into CBA marked a watershed in APRA’s approach to issues of governance, culture and remuneration.

Mr Byres said that, from 2016, the APRA supervision team responsible for CBA had identified ‘a raft of issues that [the team was] pursuing’ with CBA.[38] He acknowledged that APRA’s ordinary supervisory activity had not been fully effective at addressing these issues, or bringing about cultural change at CBA.[39]

On 3 August 2017, AUSTRAC instituted proceedings against CBA alleging failures to comply with AML/CTF laws.[40] On 28 August 2017, APRA appointed a panel to conduct an inquiry into CBA. The panel’s terms of reference were ‘to examine the frameworks and practices in relation to governance, culture and accountability within the CBA group’ so as to identify, assess and consider certain identified matters and recommend (in effect) what initiatives or remedial actions (over and above those then being undertaken by CBA) needed to be undertaken.[41]

For the first time, APRA took public steps to examine a regulated institution’s ‘frameworks and practices in relation to governance, culture and accountability’.[42] And one of the particular matters the panel was required to examine was whether CBA’s remuneration frameworks, or their implementation, were conflicting with ‘sound risk management and compliance outcomes’.[43]

The panel made its report in April 2018. In that report, the panel made 35 recommendations, in relation to: the board and senior leadership; risk management and compliance; issue identification and escalation; financial objectives and prioritisation; accountability; remuneration; culture and leadership; and remediation initiatives.[44] CBA has agreed to implement all of the recommendations.[45]

But the value of the Inquiry goes beyond its application to CBA. The report provides a very valuable, publicly available account of the ways in which failings of culture, governance and remuneration can act as drivers of misconduct. And it explains how those problems can be addressed.

Recognising the broader value of the Inquiry, APRA required each of the major banks (and many other large APRA-regulated institutions) to complete a self-assessment of the entity against the matters identified in the Prudential Inquiry report. Some made that assessment without external assistance; others engaged one or more consultants. The final versions of those self-assessments were provided to APRA at the end of November 2018.

2.1.3 The way forward

Despite recognising the value of analysing organisational culture as the Prudential Inquiry and the first of the pilot risk culture reviews did,[46] the evidence indicated that APRA was not planning to undertake further work of that kind. Instead, it was planning to refocus its risk culture review program. Rather than making independent assessments of the culture of financial services entities, APRA would seek to assess the way that the boards of financial institutions form a view of the risk culture of those institutions.[47]

On its face, this refocusing of the risk culture review program represents a retreat to the approach adopted by APRA in connection with its information paper on risk culture. If that is right, I consider that the direction in which APRA is headed is not desirable.

As both the FSB and the G30 have made clear, there is an important role for supervisors in assessing the culture of financial services entities. I agree with the view of the G30 that ‘[s]upervisors should look on cultural questions as root cause analysis and intervene when they see demonstrably serious problems as opposed to making culture a generalized supervisory add-on’.[48] I also agree with the view of the G30 that:[49]

It is essential that there be enough supervision resources, and with the right skill sets/seniority and expert support if needed, to engage constructively with banks on these issues. The main objective should be early problem identification and bank-led corrective action. Conduct and values should be part of mainstream supervisory processes as opposed to a separate add-on.

In April 2018, the FSB released ‘Strengthening Governance Frameworks to Mitigate Misconduct Risks: A Toolkit for Firms and Supervisors’. Among other things, the Toolkit states that supervisors should:[50]

  • build a supervisory programme focused on culture to mitigate the risk of misconduct;
  • use a risk-based approach to prioritise for review the firms or groups of firms that display significant cultural drivers of misconduct;
  • use a broad range of information and techniques to assess the cultural drivers of misconduct; and
  • engage firms’ leadership with respect to observations on culture and misconduct.

In its November 2018 Recommendations for National Supervisors, FSB made recommendations ‘intended to support supervisors in their dialogue with firms, and to foster the development of better practice’.[51]

Each of the steps and recommendations proposed by FSB should inform APRA’s supervision of the culture of APRA-regulated institutions.

I recognise that increasing the intensity of supervision in this area will require additional resources. As I noted earlier, Mr Byres explained that APRA’s supervisory resources were limited, and that it was necessary for APRA to prioritise particular activities.[52] But the work of the FSB, G30 and international practice more generally shows that this work is essential to the proper prudential supervision of banks and, in my view, other large APRA-regulated institutions. Because it is an essential part of prudential supervision, APRA must have the resources to do it.


[1] Transcript, Wayne Byres, 30 November 2018, 7429.

[2] Transcript, Wayne Byres, 30 November 2018, 7429.

[3] See DNB, Supervision of Behaviour and Culture: Foundations, Practice and Future Developments, 2015, 13, 305–6. See also DNB, The Seven Elements of an Ethical Culture: Strategy and Approach to Behaviour and Culture at Financial Institutions 2010–2014, November 2009, 4, 89.

[4] See DNB, Supervision of Behaviour and Culture: Foundations, Practice and Future Developments, 2015, 37.

[5] See DNB, Supervision of Behaviour and Culture: Foundations, Practice and Future Developments, 2015, 16–17.

[6] See DNB, Supervision of Behaviour and Culture: Foundations, Practice and Future Developments, 2015, 19.

[7] See DNB, Supervision of Behaviour and Culture: Foundations, Practice and Future Developments, 2015, 19.

[8] FSB, Increasing the Intensity and Effectiveness of SIFI Supervision: Progress Report to the G20 Ministers and Governors, 1 November 2012.

[9] FSB, Increasing the Intensity and Effectiveness of SIFI Supervision: Progress Report to the G20 Ministers and Governors, 1 November 2012, 3.

[10] FSB, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, 7 April 2014.

[11] FSB, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, 7 April 2014, 1.

[12] Transcript, Wayne Byres, 29 November 2018, 7393.

[13] Transcript, Wayne Byres, 30 November 2018, 7430.

[14] Transcript, Wayne Byres, 30 November 2018, 7430.

[15] Transcript, Wayne Byres, 30 November 2018, 7430.

[16] Transcript, Wayne Byres, 30 November 2018, 7430–1.

[17] Transcript, Wayne Byres, 30 November 2018, 7431.

[18] Defined for the purposes of this prudential standard as not including an RSE licensee. APRA’s Prudential Standard SPS 220 applies to RSE licensees.

[19] APRA, Prudential Standard CPS 220, April 2018, cl 9(b) (emphasis added).

[20] APRA, Information Paper, Risk Culture, October 2016, 7–8.

[21] APRA, Prudential Standard CPS 220, April 2018, 5–6 [20].

[22] See APRA, Prudential Standard CPS 220, April 2018, 7 [26].

[23] Transcript, Wayne Byres, 29 November 2018, 7398.

[24] Exhibit 7.145, Witness statement of Wayne Byres, 27 November 2018, 94 [375].

[25] See FSB, Reducing Misconduct Risks in the Financial Sector: Progress Report to G20 Leaders, 4 July 2017, 2–3.

[26] G30, the Consultative Group on International Economic and Monetary Affairs Inc, is an international body of leading financiers and academics that aims to deepen understanding of international economic and financial issues, and to explore the international repercussions of decisions taken in the public and private sectors. See <www.group30.org>.

[27] G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 11.

[28] G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 15.

[29] G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 64.

[30] Transcript, Wayne Byres, 30 November 2018, 7435.

[31] Transcript, Wayne Byres, 30 November 2018, 7435.

[32] APRA, Information Paper, Risk Culture, October 2016, 4.

[33] APRA, Information Paper, Risk Culture, October 2016, 24.

[34] Transcript, Wayne Byres, 30 November 2018, 7436.

[35] Transcript, Wayne Byres, 30 November 2018, 7436.

[36] Transcript, Wayne Byres, 30 November 2018, 7436.

[37] Transcript, Wayne Byres, 30 November 2018, 7436–7.

[38] Transcript, Wayne Byres, 29 November 2018, 7420.

[39] Transcript, Wayne Byres, 30 November 2018, 7438; Exhibit 7.150, Undated, Reflections Following Prudential Inquiry by James Douglas, 4.

[40] Chief Executive Officer of AUSTRAC v CBA, FCA, NSD1305 of 2017, Statement of Agreed Facts and Admissions <www.austrac.gov.au/sites/default/files/statement-agreed-facts-admissions-3june2018.pdf>.

[41] CBA Prudential Inquiry, Final Report, 105.

[42] CBA Prudential Inquiry, Final Report, 105.

[43] CBA Prudential Inquiry, Final Report, 105.

[44] CBA Prudential Inquiry, Final Report, 102–4.

[45] See Enforceable Undertaking, APRA and CBA, 30 April 2018 <www.apra.gov.au/sites/default/files/20180430-CBA-EU-Executed.pdf>.

[46] Transcript, Wayne Byres, 30 November 2018, 7438.

[47] Transcript, Wayne Byres, 30 November 2018, 7437.

[48] G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 64.

[49] G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 64.

[50] FSB, Toolkit, 5.

[51] FSB, Recommendations for National Supervisors: Reporting on the Use of Compensation Tools to Address Potential Misconduct Risk, 23 November 2018, 4.

[52] See Transcript, Wayne Byres, 29 November 2018, 7411.