JFSC "CONDUCT RISK" is this new or just something old in a new guise?

In the JFSC's Consultation Paper No. 9 2023 [Issued: 30 October 2023], you may have noticed that the JFSC has introduced a new regulatory term [for Jersey]:-.

• "CONDUCT RISK".

This term is not currently used in the Codes of Practice, nor have I seen any guidance or Dear CEO letter. However, you can bet you will be challenged to show how you manage “CONDUCT RISK” in your business risk assessment, systems, and controls.

So, what does “CONDUCT RISK" mean?

My starting point in looking for a definition is the JFSC Consultation, where at 3.2.1.1, it says:-.

• The assessment of the level of CONDUCT RISK posed by a business is important to understand:-

• The potential level of CUSTOMER DETRIMENT that may occur because of misconduct or mismanagement.
• To understand the level of INHERENT CONDUCT RISK within a company, the JFSC suggests that the following [X6] be included in the definition.
• 1. Breaches
• 2. Claims and redress
• 3. Complaints
• 4. Conflicts of interest
• 5. Vulnerable customers
• 6. Information security

[X6 all sourced from the JFSC 2023/24 data questions consultation - see the end of this blog for the full list].

The above is as close as we will get to a clear definition - so I will assume that the JFSC CONDUCT RISK term means:-.

• THE POTENTIAL LEVEL OF CUSTOMER LOSS THAT MAY OCCUR BECAUSE OF MISCONDUCT OR MISMANAGEMENT.

However, in the context of this definition, “customer loss” OR "customer detriment" is important to define.

"Customer detriment or loss must mean:-

• The detriment or loss consumers suffer because of financial institutions' actions or inactions.

This detriment or loss may occur:-

1. When unfair market practices mislead consumers into purchasing goods or services they would not have purchased.
2. When consumers pay more than they would have if they had been better informed.
3. When unfair contract terms are used, or
4. When consumers buy financial products and services that do not meet their expectations regarding delivery or performance.

Understanding the extent of consumer detriment caused by specific financial products and services offered in different market sectors can help firms [and compliance teams] strengthen financial consumer protection frameworks and address areas of greatest concern.

To help firms strengthen their financial consumer protection frameworks, the UK's Financial Conduct Authority (FCA), in 2015, outlined six consumer outcomes [Treating Customers Fairly (TCF)] that firms should aim to achieve to ensure customers are treated fairly [TCF]. These outcomes include:-

1. Outcome 1: Consumers can be confident that they are dealing with companies where fair treatment of customers is central to the corporate culture.
2. Outcome 2: Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.
3. Outcome 3: Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
4. Outcome 4: Where consumers receive advice, it is appropriate and takes account of their circumstances.
5. Outcome 5: Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect.
6. Outcome 6: Consumers do not face unreasonable barriers to switching products or providers after the sale or making a claim or complaint.

Keeping on the Financial Conduct Authority (FCA) theme, it is noticeable they also do not provide a specific definition of CONDUCT RISK. However, they do expect firms to:-

1. Develop their conduct risk definition and policy and
2. A tailored conduct risk framework to address the specific risks to which their business is exposed.

This will include:-

1. Understanding the drivers of conduct risk; and
2. Ensuring a consistent definition and understanding at all levels of the firm.

To support the above, the FCA introduced the 5 Conduct Questions[1] programme in 2015 to help firms address conduct risk. The X5 questions are:-

1. What proactive steps does the firm take to identify conduct risks in its business?
2. How does the firm encourage people in front, middle, back office, control, and support functions to feel responsible for managing conduct?
3. What support does the firm provide to help employees improve the conduct of their business or function?
4. How does the firm's board of directors and senior management oversee conduct in the organisation?
5. Has the organisation considered where its business activities might undermine its work to improve behaviour?

This brings me back to my first question:-

• Is conduct risk something new, or is it a risk we all deal with daily under a different name?

My thoughts are - it is the latter.

Just look at the current Jersey/JFSC Codes of Practice (CoP) [I use the TCSB codes although all JFSC CoP are similar] where firms must comply with the following principles [PRIN]:-

1. PRIN 1. A registered person must CONDUCT their business with integrity.
2. PRIN 2. A registered person shall HAVE THE HIGHEST REGARD FOR THE INTERESTS OF ITS CUSTOMERS. This includes but is not limited to:-

• 2.4 A registered person shall ensure that adequate procedures are in place either to AVOID CONFLICTS OF INTEREST or, where conflicts arise, to maintain adequate records of such conflicts and to manage them by disclosure, application of internal confidentiality rules, refusal to deal or otherwise as appropriate.

3. PRIN 3. A registered person shall organise and control its affairs effectively for the proper conduct of its business and shall be able to demonstrate the existence of appropriate risk management systems.

• This includes but is not limited to Internal systems and controls (3.2) / ' Integrity and competence (3.3) / COMPLAINTS (3.6) / Record keeping (3.7) ' Corporate Governance (3.1) / Internal Systems and Controls (3.2) / Integrity and Competence (3.3) / Continuing Professional Development (CPD) (3.4) / Compliance Function, Compliance Officer, Money Laundering Reporting Officer and Money Laundering Compliance Officer (3.5) / Complaints (3.6) / Record Keeping (3.7) / Payment of Fines (3.8)
• 3.6.1.1 Maintain adequate. RECORD OF COMPLAINTS AGAINST THE REGISTERED PERSON, including details of any agreed settlements.

4. PRIN 4. A registered person must be TRANSPARENT IN ITS BUSINESS ARRANGEMENTS.
5. PRIN 5. A registered person must maintain, and be able to demonstrate the existence of, adequate financial resources and adequate insurance.

• 5.2.4 PII COVER MUST BE WRITTEN ON A “CLAIMS-MADE” BASIS including costs and expenses and, so far as lawful.

6. PRIN 6. A registered person shall deal with the JFSC in an open and co-operative manner.
7. PRIN 7. A registered person shall NOT make any statement that is misleading, false, or deceptive.

Surely, the above meets the CONDUCT RISK test and definition.

So, whether you use the JFSC or Comsure’s more nuanced versions (as follows), ensure you have conduct risk covered in your business risk assessment.

JFSC DEFINITION

"Conduct risk is the potential level of customer detriment that may occur as a result of misconduct or mismanagement.

COMSURE DEFINITION

"Conduct risk is the potential harm that financial institutions or individuals may cause to:-

1. Their clients
2. Markets; or

• Society as a whole because of their actions or inactions.

This harm can result from a wide range of bad behaviour but will include:-

1. Mis-selling,
2. Market abuse,

• Crime such as fraud, money laundering, cybercrime

1. Culture; and
2. Governance

There is much to think about, and if you want to discuss any of the above, please call me at Comsure.

Mathew Beale - Chartered FCSI

Principal (Director) - Comsure Compliance Limited, Comsure Technology Limited, Comsure Mauritius (the "Comsure Group of Companies")

Jersey - No 1 Bond Street Chambers, St Helier, Jersey, Channel Islands, JE2 3NP

Mauritius - Basement Floor, Conidae House, Anse Courtois, Pailles

T (Jersey) +44 1534 733-588 /+44 7797 747-490

T (Mauritius) +230 214-6487 / +230 5717-6907

mathewbeale@comsuregroup.com

www.comsuregroup.com

NOTES:-

Full list of CONDUCT RISKS “EXCLUDES AND RETAINS” for 2023/24 data questions.

https://www.jerseyfsc.org/media/7291/feedback-paper-on-consultation-paper-no-9-2023.pdf

Breaches

1. CR1 No. of breaches recorded in the period categorised into the following breach types: 1) Internal policies and procedures (non-regulatory) 2) AML/CFT/CPF Handbook [no. of breaches per section of the handbook to be provided] 3) Regulatory Law Code of Practice [no. of breaches per section of the Codes] EXCLUDE
2. CR2 No. of breaches notified to the JFSC in the period EXCLUDE
3. CR3 No. of breaches open over 90 days as at the end of the reporting period RETAIN

Claims and compensation.

1. CR4 No. of PII notifications made in the period RETAIN
2. CR5 No. of PII claims paid in the period RETAIN
3. CR6 Value of PII claims paid in the period RETAIN
4. CR7 No. of open litigation claims where the reporting entity is the defendant, as at the end of the reporting period RETAIN
5. CR8 No. of litigation claims paid out, and the value, where the reporting entity is the defendant in the reporting period RETAIN
6. CR9 Are all your services covered by a financial compensation scheme? If No, what services are not covered? EXCLUDE

Complaints

1. CR10 No. of customer complaints received in the period RETAIN
2. CR11 No. or complaints referred to CIFO in the period EXCLUDE
3. CR12 No. of complaints open over three months EXCLUDE
4. CR13 What is the average time to resolve a complaint? a) < 1 week b) 1-2 weeks c) 2-3 weeks d) > 4 weeks RETAIN
5. CR14 Value of compensation paid in the period as a result of a CIFO determination EXCLUDE
6. CR15 No. and total value of ex-gratia payments paid in the period RETAIN
7. CR16 No. of complaints recorded in the period categorised into the following complaint types: › Poor administration, including customer service › Customer due diligence process › Fees/charges › Mis-selling/unsuitable advice › Withdrawal/refusal of services › Fraud › Non-payment of claim › Transaction Error = DELAY

Conflicts of Interest

1. CR17 No. of conflicts recorded in the following categories, as at the end of the reporting period:

i.      Friends and family RETAIN

ii.      Financial affairs

iii.      Business dealings

iv.      Employment

v.      Associates and affiliates

2. CR18 Number of connected parties provided with loans and the value outstanding as at the end of the reporting period Delay

Information security

1. CR19 How many information security incidents have there been in the reporting period that have resulted in the loss of customer information? RETAIN
2. CR20 How many breaches have been reported to the Jersey Office of the Information Commissioner in the reporting period? RETAIN
3. CR21 As at the end of the reporting period, how many months ago was the reporting entity’s last cyber test? RETAIN

Vulnerable customers

1. CR22 Do you categorise customers as vulnerable? If yes, what number of customers have been categorised as vulnerable? RETAIN

Notes

[1] https://www.fca.org.uk/firms/5-conduct-questions-programme