What is Conduct Risk?

Conduct risk is the risk that the behaviour of a firm, and of the individuals acting on its behalf, causes harm to customers, investors or other stakeholders, or undermines the integrity, stability or effective competition of financial markets. It is a structural, cultural and governance risk that supervisors expect boards to manage, and it covers improper as well as unlawful conduct.

Historically, the regulatory concerns that are today unified under the term conduct risk were not recognised as a single, coherent category. Instead, they were managed through a patchwork of legal and supervisory instruments, each aimed at a specific type of behaviour, product, or customer relationship.

Many of the behaviours that would now be described as conduct risk were governed by product specific legislation. Regulators did not treat these matters as components of a single conduct risk; they were managed as isolated problems within their respective domains.

General consumer protection law was another broad layer of rules. Misleading advertising, unfair commercial practices, abusive terms in consumer contracts, and lack of transparency were addressed by horizontal consumer protection statutes, applicable across all industries. These laws provided remedies for misleading claims, hidden fees, unsuitable products, or aggressive selling.

None of these frameworks was designed to manage risk in a prudential or enterprise wide sense. They gave individual customers a basis for redress, and regulators used them to sanction unfair commercial behaviour.

The result was a fragmented regulatory landscape. The same firm could be investigated by different regulators for similar underlying failures, such as poor sales practices, simply because each failure fell within a different legal silo. None of these regimes encouraged the firm to see the underlying common element, the weaknesses in governance, product oversight, incentive structures, and corporate culture.

The financial crisis of 2007–2008 exposed the insufficiency of this model and revealed structural governance failures: the widespread selling of complex and unsuitable mortgage products, including subprime loans and securitised products, that neither customers nor many frontline bank employees understood; excessive risk taking incentivised by remuneration structures that rewarded short term volume over long term sustainability; and, worse still, investment banks selling structured products while simultaneously taking positions against those same products.

These failures showed that the problem was not individual rule breaches but the fundamental way firms behaved. Customer harm, market manipulation, benchmark fixing, irresponsible lending, and the creation of products with poor or toxic outcomes were byproducts of systemic cultural and governance failure.

Regulators concluded that the old approach could not address the risks exposed by the crisis. Misconduct had become a prudential issue. It could destabilise firms, undermine confidence in markets, generate enormous redress and litigation costs, and erode the integrity of the financial system. The crisis demonstrated that the behaviours which harm consumers are often the same behaviours that threaten financial stability.

This recognition led to the emergence of conduct risk as a unified regulatory concept, requiring firms to manage behavioural risks holistically, with board level accountability, cultural oversight, product governance, and continuous monitoring of customer outcomes. In simple words, the crisis showed that fragmented rule based supervision could not prevent systemic misconduct.

The UK Financial Conduct Authority (FCA) has been especially influential, basing its approach in the fair treatment of customers under Principle 6 of its Principles for Businesses (the requirement that a firm must pay due regard to the interests of its customers and treat them fairly), and in broader expectations around business culture and outcomes for consumers.

According to the UK Financial Conduct Authority (FCA), there are six consumer outcomes that firms should strive to achieve to ensure fair treatment of customers:

Outcome 1: Consumers can be confident they are dealing with firms where the fair treatment of customers is central to the corporate culture.

Outcome 2: Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.

Outcome 3: Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.

Outcome 4: Where consumers receive advice, the advice is suitable and takes account of their circumstances.

Outcome 5: Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect.

Outcome 6: Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.

Over time, this was reframed and expanded into the language of conduct risk, often summarised as the risk that a firm’s behaviours result in poor outcomes for consumers.

Although there is no single universal legal definition, there is a remarkable convergence in supervisory usage. Firms, regulators and professional bodies tend to describe conduct risk as any action or omission of a firm or its staff that leads to customer or investor detriment, or has an adverse effect on market integrity, stability or competition.

The tech sector and non financial corporations increasingly adopt similar language, speaking of conduct risk as the potential for a company’s actions to harm customers, stakeholders or the wider market.

The emphasis on behaviour and outcomes is deliberate. Conduct risk is not the risk of breaking specific rules, but the risk that organisational choices (like incentive structures, sales processes, complaints handling, use of data and technology) produce unfair or unsuitable outcomes, or distort the proper functioning of markets.

Basel III and conduct risk

In the Basel III architecture we can find a sophisticated and explicit recognition that the behaviour of financial institutions, the way they design products, treat customers, manage conflicts of interest and incentivise their staff, constitutes a significant source of operational risk. Conduct risk is not a standalone risk category in Basel III, but a major driver of operational risk, with direct implications for capital requirements, governance standards, supervisory expectations, and risk management.

In Basel III, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The Basel Committee has consistently clarified that operational risk includes legal risk, and that misconduct events, mis-selling practices, breaches of fiduciary obligations, market manipulation, product governance failures and other behavioural issues fall squarely within this definition.

The Committee’s guidance makes clear that the behaviour of employees, the effectiveness of internal controls, and the firm’s capacity to ensure compliant interactions with clients form an integral part of operational risk. Conduct failures are treated as operational risk failures.

According to the Basel III corporate governance framework, the board of directors bears ultimate responsibility for ensuring sound risk culture, robust internal controls and effective oversight of operational risk. Conduct risk is repeatedly cited as a key governance concern, and supervisors must assess whether incentive schemes, business models, product governance structures and tone from the top messaging reinforce or undermine expectations of fair dealing, transparency and customer protection.

Conduct risk is embedded in Basel III’s expectations for internal controls. The Basel Committee stressed that effective operational risk management requires clear segregation of duties, independent risk management functions, and strong compliance oversight. It requires the identification and assessment of behavioural risks, including conflicts of interest, remuneration policies that may incentivise misconduct, weaknesses in sales oversight, or failures in monitoring interactions with customers.

These elements form part of the operational risk management framework that banks must maintain, and supervisors expect that framework to address conduct related threats explicitly. Basel III highlights that operational risk cannot be managed in isolation: firms must ensure that conduct risk is considered in product approval processes, change management, outsourcing arrangements and distribution networks. The implicit logic is that conduct risks frequently arise at the points where strategic decisions are taken and governance and controls must weigh them, so conduct risk must be embedded in enterprise wide risk management.

The Basel Committee expressly includes legal risk within operational risk, recognising that litigation, enforcement actions, customer disputes and regulatory sanctions are often the result of misconduct. When banks face class actions for mis-selling, regulatory fines for benchmark manipulation, or remediation obligations for treating customers unfairly, the resulting losses are treated as operational risk losses for capital purposes.

The Basel III framework forces institutions to recognise that conduct failures carry not merely reputational implications but also direct capital consequences. This has reinforced the importance of robust legal and compliance functions, product governance committees, and mechanisms for ensuring that regulatory expectations concerning customer outcomes and market integrity are fully integrated into the firm’s operations.

The prudential treatment of conduct risk under Basel III contributed to a shift in supervisory practices. Supervisors increasingly use Pillar 2 processes to assess the adequacy of banks’ management of conduct risk. If a supervisor judges that a bank’s conduct risk framework is insufficient, if historical losses reveal patterns of behaviour inconsistent with prudent governance, or if customer remediation programmes indicate systemic shortcomings, the supervisor may impose additional Pillar 2 capital requirements.

The Basel III framework was designed as a prudential standard for internationally active banks, but its influence has extended far beyond the banking sector. Its architectural principles have reshaped regulatory thinking across the entire financial system, and have gradually penetrated sectors outside banking.

This diffusion reflects the fact that Basel III emerged during a period in which regulators globally questioned the adequacy of pre crisis risk management practices, corporate governance models, and regulatory silos. As a result, Basel III has become a blueprint for the broader regulatory ecosystem, with significant implications for insurance, investment management, market infrastructures, fintech, payments, crypto-asset service providers, and non financial corporates that are systemically important.


Conduct risk after Artificial Intelligence

Conduct risk after AI is still the risk that a firm’s behaviour harms customers, investors or markets. What has changed is the way behaviour is mediated, scaled and shaped by algorithmic systems.

Artificial intelligence amplifies conduct risk, and gives it new legal and supervisory dimensions. AI is not a separate universe with its own self-contained rules. It is a new channel of familiar duties (fairness, transparency, suitability, non discrimination, data protection, market integrity) that now operate through AI systems.

The traditional legal foundations of conduct risk remain fully applicable. A recommendation, a risk disclosure or a suitability assessment produced by an AI system is legally treated as the firm’s own conduct, not as an autonomous act of a machine. Where AI systems make or support decisions that have legal effects for individuals, the firms that own and use the AI systems have obligations for transparency, explainability, and fairness under data protection and non-discrimination law, irrespective of whether a human or an algorithm is in the loop.

The BIS Financial Stability Institute has highlighted that wider AI use in finance affects microprudential risks such as credit, operational, reputational, conduct and consumer protection risk, particularly through opacity, bias and data misuse.

Algorithmic decisions that allocate credit, price insurance, segment customers or personalise offers are now explicitly framed as high risk uses of AI that must be designed and monitored so as to avoid unfair outcomes, discrimination and opaque exclusion.

The UK Financial Conduct Authority, for instance, has made it clear that its outcomes based conduct rules, including requirements to treat customers fairly and avoid causing foreseeable harm, apply fully to the use of AI. Firms must demonstrate that AI enabled products and processes comply with existing conduct, consumer protection and market integrity obligations. The regulator has not created an entirely new AI conduct regime, preferring to interpret AI through the lens of established principles and to enforce those principles against firms that use AI in harmful ways.

AI is now widespread, and the drivers of conduct risk evolve in several areas. First, there is the risk of algorithmic bias and discrimination. When lending, pricing or marketing decisions are delegated to models trained on historical data, there is a structural risk that the models will reproduce or even amplify past patterns of unequal treatment. This can give rise to breaches of equal treatment and anti discrimination law, unfair commercial practices, and violations of sector specific duties to act in the client’s best interests.

Under the EU AI Act and associated guidance, financial institutions using AI in credit or insurance must show that their training data and model design do not disadvantage specific groups, and that they have governance mechanisms to detect and correct discriminatory outcomes.

Similar expectations are emerging globally, as supervisors and courts begin to scrutinise algorithmic decision making through the lens of discrimination and unfairness.

Opacity and explainability have a central role in conduct risk. Many AI models, particularly deep learning systems, are difficult to interpret. But conduct regimes require that firms provide information that is fair, clear and not misleading, and that customers receive adequate explanations of decisions that significantly affect them, especially where automated processing is involved.

If a customer is denied credit, offered a particular complex product, or charged a specific premium on the basis of an AI model, the firm must be able to explain the main factors that led to that outcome, both to the customer and, if necessary, to regulators or courts.

AI introduces new channels for misrepresentation, misinformation and poor communication. If firms use generative models to draft customer communications, disclosures, marketing materials, or advice, they remain fully responsible for the accuracy and completeness of those outputs. Generative models are prone to hallucination and may produce inaccurate or inappropriate statements.

These statements may relate to product features, risk explanations, or guarantees, and they can trigger breaches of information duties, misselling claims, and market abuse issues. Regulators expect firms to implement robust controls, including human review, when deploying generative AI in any customer facing context. The legal position is straightforward. Automation does not dilute responsibility, but raises the standard of care, because firms are choosing to use tools that they know can behave unpredictably.

AI reshapes the way conflicts of interest lead to conduct risk. Algorithmic systems can be optimised simultaneously for multiple objectives, such as maximising profit, minimising risk and improving customer satisfaction. If the optimisation targets are poorly designed, or if they give excessive weight to revenue or cross selling, AI can systematically steer customers toward higher margin products that are not necessarily in their best interests, even in the absence of any explicit human intention to mis-sell.


Learning from the Annual Reports

Conduct Risk, from the Annual Report, Scotiabank

Audit and Conduct Review Committee of the Board

It assists the Board by providing oversight on the effectiveness of the Bank’s system of internal controls. The Committee oversees the integrity of the Bank’s consolidated financial statements and related quarterly results. This includes oversight of climate-change related disclosure as part of the Bank’s financial reporting of ESG matters as well as the external auditor’s qualifications, independence and performance.

This Committee assists the Board in fulfilling its oversight responsibilities for setting standards of conduct and ethical behaviour, and the oversight of conduct review, risk culture and conduct risk management. The Committee also oversees the Bank’s compliance with legal and regulatory requirements, and oversees the Global Finance, Global Compliance and Audit Department functions at the Bank.

The Committee also oversees the independence of each of these control functions, including the effectiveness of the heads of these functions, as well as the functions themselves.

Human Capital and Compensation Committee of the Board

In conjunction with the Risk Committee of the Board, this Committee satisfies itself that adequate procedures are in place to identify, assess and manage the risks (including conduct risk) associated with the Bank’s material compensation programs and that such procedures are consistent with the Bank’s risk management programs. The Committee has further responsibilities relating to leadership, succession planning and total rewards.

Risk Culture

Effective risk management requires a strong, robust, and pervasive risk culture where every Bank employee is a risk manager and is responsible for managing risks.

The Bank’s risk culture is influenced by numerous factors including the interdependent relationship amongst the Bank’s risk governance structure, risk appetite, strategy, organizational culture, and risk management tools.

A strong risk culture is a key driver of conduct. It promotes behaviours that align to the Bank’s values and enables employees to identify risk taking activities that are beyond the established risk appetite.

The Bank’s Risk Culture program is based on four indicators of a strong risk culture:

1. Tone from the Top – Leading by example including clear and consistent communication on risk behaviour expectations, the importance of Scotiabank’s values, and fostering an environment where everyone has ownership and responsibility for “doing the right thing”.

2. Accountability – All employees are accountable for risk management. There is an environment of open communication where employees feel safe to speak-up and raise concerns without fear of retaliation and consequences for not adhering to the desired behaviours.

3. Risk Management – Risk taking activities are consistent with the Bank’s strategies and risk appetite. Risk appetite considerations are embedded in key decision making processes.

4. People Management – Performance and compensation structures encourage desired behaviours and reinforce the Bank’s values and risk culture. Employees are rewarded for ‘how’ results are achieved in addition to ‘what’ is achieved.

Compliance Risk

Compliance Risk is the risk of an activity not being conducted in conformity with applicable laws, rules, regulations and prescribed practices (“regulatory requirements”), as well as compliance related internal policies and procedures, and ethical standards expected by regulators, customers, investors, employees and other stakeholders. Compliance Risk includes Regulatory Compliance Risk, Conduct Risk, and Privacy Risk.

The Bank conducts business in many jurisdictions around the world and provides a wide variety of financial products and services through its various lines of business and operations. It is subject to, and must comply with, many and changing Regulations by governmental agencies, supervisory authorities and self-regulatory organizations in all the jurisdictions in which the Bank operates. The regulatory bar is constantly rising with Regulations being more vigorously enforced and new Regulations being enacted. The bar of public expectations is also constantly rising. Regulators and customers expect the Bank and its employees will operate its business in compliance with applicable laws and will refrain from unethical practices.

Compliance risk is managed on an enterprise-wide basis throughout the Bank via the operation of the Scotiabank Compliance Program (“the Program”) which is led by the Bank’s Chief Compliance Officer (CCO) who is responsible for overseeing Compliance Risk Management within the Bank. The CCO is responsible for assessing the adequacy of, adherence to and effectiveness of the Program, as well as for the development and application of written compliance policies and procedures that are kept up to date and approved by senior management, assessing and documenting compliance risks, developing and maintaining a written compliance training program, which in each case is performed either directly or indirectly by other departments within the Bank in coordination with Global Compliance. This program and these ancillary activities are subject to the Audit Department’s periodic review to assess the effectiveness of the Program.

The Board-approved Compliance Risk Summary Framework describes the general policies and principles applicable to compliance risk management within Scotiabank and encompasses the Bank’s Regulatory Compliance Management Framework (RCMF) as contemplated by OSFI Guideline E-13. The Compliance Risk Summary Framework is an integral part of the enterprise-wide framework, policies and procedures that collectively articulate the Bank’s governance and control structure. Other more specifically focused compliance risk management policies and procedures may be developed within the Compliance Risk Summary Framework where necessary or appropriate.


Conduct Risk, from the Annual Report, Citigroup Inc.

U.S. and non-U.S. regulators have been increasingly focused on “conduct risk,” a term used to describe the risks associated with behavior by employees and agents, including third parties, that could harm clients, customers, employees or the integrity of the markets, such as improperly creating, selling, marketing or managing products and services or improper incentive compensation programs with respect thereto, failures to safeguard a party’s personal information, or failures to identify and manage conflicts of interest.

In addition to the greater focus on conduct risk, the general heightened scrutiny and expectations from regulators could lead to investigations and other inquiries, as well as remediation requirements, more regulatory or other enforcement proceedings, civil litigation and higher compliance and other risks and costs.

Further, while Citi takes numerous steps to prevent and detect conduct by employees and agents that could potentially harm clients, customers, employees or the integrity of the markets, such behavior may not always be deterred or prevented. Banking regulators have also focused on the overall culture of financial services firms, including Citi.

In addition to regulatory restrictions or structural changes that could result from perceived deficiencies in Citi’s culture, such focus could also lead to additional regulatory proceedings. Furthermore, the severity of the remedies sought in legal and regulatory proceedings to which Citi is subject has remained elevated.

U.S. and certain non-U.S. governmental entities have increasingly brought criminal actions against, or have sought criminal convictions from, financial institutions and individual employees, and criminal prosecutors in the U.S. have increasingly sought and obtained criminal guilty pleas or deferred prosecution agreements against corporate entities and individuals and other criminal sanctions for those institutions and individuals.

These types of actions by U.S. and international governmental entities may, in the future, have significant collateral consequences for a financial institution, including loss of customers and business, and the inability to offer certain products or services and/or operate certain businesses.

Citi may be required to accept or be subject to similar types of criminal remedies, consent orders, sanctions, substantial fines and penalties, remediation and other financial costs or other requirements in the future, including for matters or practices not yet known to Citi, any of which could materially and negatively affect Citi’s businesses, business practices, financial condition or results of operations, require material changes in Citi’s operations or cause Citi reputational harm.


For Citi, effective risk management is of primary importance to its overall operations. Accordingly, Citi’s risk management process has been designed to monitor, evaluate and manage the principal risks it assumes in conducting its activities. Specifically, the activities that Citi engages in, and the risks those activities generate, must be consistent with Citi’s Mission and Value Proposition and the key principles that guide it, as well as Citi’s risk appetite.

Risk management must be built on a foundation of ethical culture. Under Citi’s Mission and Value Proposition, which was developed by its senior leadership and distributed throughout the Company, Citi strives to serve its clients as a trusted partner by responsibly providing financial services that enable growth and economic progress while earning and maintaining the public’s trust by constantly adhering to the highest ethical standards. As such, Citi asks all colleagues to ensure that their decisions pass three tests: they are in Citi’s clients’ interests, create economic value and are always systemically responsible.

In addition, Citi evaluates colleagues’ performance against behavioral expectations set out in Citi’s Leadership Principles, which were designed in part to effectuate Citi’s Mission and Value Proposition. Other culture-related efforts in connection with conduct risk, ethics and leadership, escalation and treating customers fairly help Citi to execute its Mission and Value Proposition.

Citi has established an Enterprise Risk Management (ERM) Framework to ensure that all of Citi’s risks are managed appropriately and consistently across Citi and at an aggregate, enterprise-wide level. The ERM Framework details the principles used to support effective enterprise-wide risk management across the end-to-end risk management lifecycle. The ERM Framework also provides clarity on the expected activities in relation to risk management of the Citigroup Board of Directors (the Board), Citi’s Executive Management Team and employees across the lines of defense.

The underlying pillars of the framework encompass:

• Culture—the core principles and behaviors that underpin a strong culture of risk awareness, in line with Citi’s Mission and Value Proposition, and Leadership Principles;

• Governance—the committee structure and reporting arrangements that support the appropriate oversight of risk management activities at the Board and Executive Management Team levels;

• Risk Management—the end-to-end risk management cycle including the identification, measurement, monitoring, controlling and reporting of all risks including emerging, growing, idiosyncratic or otherwise material risks, and aggregated to an enterprise-wide level; and

• Enterprise Programs—the key risk management programs performed across the risk management lifecycle for all risk categories; these programs also outline the specific roles played by each of the lines of defense in these processes.

Each of these pillars is underpinned by Supporting Capabilities, which are the infrastructure, people, technology and data, and modelling and analytical capabilities that are in place to enable the execution of the ERM Framework.

