Compliance Insights

Can we trust culture and conduct to guide decision making in the financial services industry?

By Carol Beaumier and Bernadine Reese

Why it matters: More than 15 years after the great financial crisis, the financial industry’s culture and conduct remain very much in the headlines. Has nothing changed?

Big picture: A lot has indeed changed, though bad actors still manage to prevail at times. Maintaining good culture and conduct relies on the collective efforts and responses of financial institutions, regulators, and customers.

Call to action: We itemise a list of steps for senior management and boards of directors to establish and sustain a strong culture and ethical conduct within their institutions.

One of the loudest outcries following the global financial crisis was that financial services companies needed to address and fix the gaps in their culture and conduct that helped fuel the crisis. Here we are 15 years later, and the financial industry’s culture and conduct remain very much in the headlines. Has nothing changed? Is it unrealistic to expect financial services companies to be the standard bearers of culture and conduct in a world where others are not necessarily guided by ethical values and yet thrive?

Relationship between culture and conduct

Conduct can be defined as the actions and behavior of individuals within an organisation, while culture represents the shared values, norms, attitudes, and expectations that guide these behaviors. The quality of conduct might therefore be seen as one of the outcomes of the firm’s culture. Culture influences conduct by setting the tone for the actions and behavior that are and are not acceptable. A strong ethical culture promotes good conduct by creating an environment where employees feel encouraged and empowered to act ethically and responsibly. This environment includes communication channels for voicing concerns without fear of retaliation, adequate training on ethical practices, clear policies on expected behavior, and consistent reinforcement and enforcement of these policies.

Individual behaviors are also strongly influenced by other factors including self-interest (“what’s in it for me”) as well as financial and non-financial incentives. Similarly, individual behaviors are disproportionately impacted by the actions of senior leaders. It’s no surprise then, that financial institutions and regulators are looking for other ways to improve conduct including using behavioral science, which examines how people make decisions, why misconduct occurs and how their behavior can be influenced. Some financial institutions are looking to incorporate behavioral science-led conduct and culture metrics into performance expectations and assessments.

Behavioral science purports that individuals may also be less inclined to question outcomes that favor them – the tendency of individuals to fit their information processing to conclusions that suit some end or goal. This may go a long way toward explaining why an individual may interpret a policy to suit his or her objectives (or, in the case of the quote above, decide the absence of an outright prohibition is justification for acting) and why management may be less willing to challenge unexpectedly strong results or profitability, even when there are hints of inappropriate sales practices or other conduct or behavioral concerns.

Unless you show me where the law explicitly says I can’t do it, I am going to do it anyway. Enough with this rush to righteousness.
Banker speaking with his colleagues, overheard on a train from New York City to Washington, DC., May 2024

Regulatory efforts to improve culture and conduct

The global financial crisis was seen by regulators and many others in government as fundamentally a “crisis in values.” Public sentiment[1]  echoed this concern that lapsed values and greed in financial markets were the underlying causes of the crisis. It was therefore not surprising that the aftermath of the financial crisis saw a huge global regulatory response – not only related to prudential regulatory concerns such as capital management, resolution planning and “too big to fail” initiatives, and ringfencing of retail banking operations, but also to addressing the perceived root cause of the crisis.

Accordingly, the financial services industry saw increased regulatory scrutiny on corporate governance, the role of senior management and conduct and culture. Regimes demanding personal accountability of senior management were introduced in the UK, Australia, Hong Kong and Singapore. Regulators increased their scrutiny of senior managers and required financial institutions annually to attest that they were fit and proper to meet the requirements of their respective roles. Many regulators, including those in the U.S., UK and EU, introduced changes to remuneration schemes to discourage excessive risk-taking and strengthen alignment with long-term outcomes; these changes included bonus caps, deferred bonuses and clawbacks in the event of wrongdoing. Other areas of significant regulatory focus included enhancing risk management frameworks, introducing or reenforcing whistleblower programs, and other initiatives aimed at strengthening the three lines of defense model.

But the headlines keep coming.

What can we say about how successful those actions have been? Indicators of sustainable change might manifest in fewer incidents of misconduct, lower levels of regulatory enforcement and fines, and improving public confidence in the financial markets. Yet, 15 years on we see a constant stream of egregious headlines, often accompanied by regulatory enforcement actions and fines. These headlines have included the 1MDB scandal; the LIBOR scandal; a massive unauthorised account scandal; numerous examples of serious breakdowns in anti-money laundering controls that allowed hundreds of millions of illicit funds to move through the banking system; many cases of unethical and unfair fees, including in the extreme charging of fees for no services; and examples of misleading ESG claims.

These scandals involved financial institutions in North America, Europe and the Asia-Pacific region. They, and many other examples, indicate that conduct and culture in the financial services industry is not “fixed” and remains a global issue. The slow process of regaining public trust following the financial crisis is affected by these scandals and by any signs of instability in the system, such as the regional bank failures in the U.S. in 2023.

Why do these incidents continue to occur? Was the post-crisis regulation insufficient to promote the desired conduct and behaviors that achieve good customer outcomes? Did COVID set back or otherwise influence culture and conduct? Are bankers just behaving the way they see others, even including some regulators,[2]  behave in what the Financial Times has termed the “age of chutzpah”?[3]  Are financial institutions being held to a higher standard?

That last question is the easiest to answer. Financial institutions are indeed held to a higher standard, but for good and longstanding reasons: they play a pivotal role in the stability of the global economy; they have myriad fiduciary duties (established by laws and regulations) related to their dealings with customers; and in many jurisdictions they operate with the support (e.g., deposit insurance schemes) of the national government, which some would argue both creates an obligation and provides a moral hazard.

Regulators are concerned enough with the current state of play that they are considering additional measures to improve conduct and culture. For example, the UK’s Financial Conduct Authority, with a specific remit to regulate conduct matters, has recently brought in new powers in the form of the Consumer Duty regime, to ensure that consumers achieve good outcomes from financial services – and other regulators including Canada’s Office of the Superintendent of Financial Institutions (OSFI) are looking at how to ensure that culture is effectively assessed. Some market observers would believe that OSFI is on the right track – that the reason earlier regulator actions to influence conduct and culture have not been as effective as hoped is because regulators have yet to develop a meaningful way during bank examinations to evaluate culture and conduct holistically.

Can anything really be done to eliminate the bad actors?

Cynics would say that there has been lots of talk about culture and conduct and little action. There are few examples of the removal of bank management under the various accountability regimes. Information on bonus clawbacks is not publicly available. Cynics would also ponder whether additional reforms would make any difference. Realists would say that misconduct in financial institutions has been happening for centuries, citing examples such as:

  • South Sea Bubble (1720): The South Sea Company, a British joint stock company founded in 1711 by an Act of Parliament, was granted a monopoly on trade with South America to help Britain increase its trade in the Americas. In 1720, the company took over the national debt with the intent to pay the interest on the debt through its stock sales. The company experienced significant inflation in its stock price due to rampant speculation before the South Sea Bubble, as it was called, burst, resulting in widespread financial loss and exposing corruption, fraud and insider trading. This led some to call this event the “world’s first Ponzi scheme.”[4]
  • Freedman's Savings Bank Scandal (1874): Freedman’s Savings Bank was established to help newly emancipated African Americans manage their financial affairs in post-Civil War America. The bank collapsed in 1874, a victim of mismanagement and fraud, including allegations of embezzlement by insiders, wiping out the savings of more than 61,000 depositors.[5]
  • Bank of Credit and Commerce International (1991): BCCI, a Luxembourg-registered bank which at its height operated in more than 70 countries, is the poster child for transnational corruption. It was involved in money laundering, bribery, support of terrorism, arms trafficking, and the sale of nuclear technologies, leading to its closure by regulators across multiple countries. By the time of its collapse, nearly $10 billion had disappeared, never to be found.[6]

So, the sobering reality is this: as long as we are dealing with humans and human nature, it is a safe bet that we will continue to see culture and conduct failures. That of course raises the question of what impact artificial intelligence might have on culture and conduct – a fascinating topic that warrants its own article.

Optimists would remind us that the bad actors are the exceptions. There are 44,000 banks and credit unions globally and thousands more broker-dealers, asset-managers, and other financial services companies. Only a small fraction of these institutions make the headlines – a good reminder that the benefits of new regulations should exceed their costs.[7]  Maybe we don’t need more regulation after all, just more enforcement of the current regulations and better ways to assess culture and conduct.

Calls to action

Maintaining good culture and conduct relies on the collective efforts and responses of financial institutions, regulators and customers.

The following, which apply broadly to all types of companies, are steps that boards of directors and senior management should take to establish and sustain a strong culture and ethical conduct within their institutions:

  • Voice and live the commitment: Leaders must set the tone for ethical behavior and model that behavior in their dealings with all stakeholders.
  • Issue and enforce clear policies and procedures: Policies and procedures should leave no doubt about what constitutes acceptable and unacceptable behavior and should address, inter alia, conflicts of interest, insider trading, bribery, corruption, legal and regulatory breaches and other potential ethical pitfalls. Policies underpinned by behavioral science research can be more effective in changing behavior and reinforcing expectations. Individuals involved in any misconduct should face appropriate consequences, regardless of their position within the organisation or how much money they make for the organisation.
  • Promote understanding through training and awareness programs: Regular training sessions and organisational awareness programs should address employees' responsibilities in upholding ethical standards, often most effectively communicating using case studies of issues and dilemmas an employee might face, and the consequences of non-compliance.
  • Maintain open communication channels: The institution should maintain a whistleblower program which guarantees confidentiality and protection from retaliation for those who report misconduct. Employees should feel comfortable reporting unethical behavior, whether through the whistleblower channel or to their managers, Human Resources, or other internal channels, without fear of retaliation. Where possible, without jeopardising confidentiality, successes should be celebrated with examples of people stepping up to do the right thing.
  • Perform regular audits and benchmarking of culture and conduct, with a focus on conduct outcomes: Tone at the top is ineffective unless it is embraced by personnel at all levels in the organisation. In addition to signaling to the organisation that culture and conduct are priorities, regular internal audits can help identify potential compliance issues before they become major problems. As importantly, the organisation should perform periodic benchmarking of employee sentiment toward culture and conduct to identify potential weak links and/or outside influences that may be affecting behavior. Tone at the top only matters when the mood in the middle and buzz at the bottom are aligned.
  • Focus on safeguarding the organisation’s culture: The board of directors or an appropriate board committee should dedicate time specifically to monitoring the organisation’s culture and ensuring that proper safeguards are in place to promote and sustain a positive culture.This should include monitoring the effects of the use of artificial intelligence on conduct.

The steps that regulators should take are surprisingly similar:

  • Model ethical behavior: Just as optimists would say that bad actor financial institutions are the exception not the rule, the same can be said for the regulators themselves. There are very few reported cases of culture and conduct failures at regulatory bodies. But there is no tolerance for the rule makers breaking the rules.
  • Issue and enforce clear standards: Don’t just talk about the importance of culture and conduct or issue regulations and guidance aimed at prompting the right behavior. “Walk the talk” by taking firm action to address wrongdoing. That means not just fining the financial institution, but holding those who committed and permitted the wrongdoing personally accountable when the situation warrants.
  • Train agency personnel on behavioral science: Just as we are beginning to see some financial institutions add behavioral scientists to their ranks, regulatory agencies also should ensure that their staff, through the addition of subject-matter experts or through training, understand why and when financial institution employees might engage in certain behaviors. This requires understanding how internal and external pressures and circumstances may influence behavior.
  • Proactively challenge the institution’s assessment of its conduct and culture: Problems in a financial institution are often blamed – reactively – on culture and conduct lapses. Individual institutions and the industry at large would likely benefit from a more proactive regulatory assessment of culture and conduct, one that effectively challenges the belief of the institution’s board of directors and management that all is well and that, in the event of a breakdown, shares its own assessment of what went wrong. “Lessons learned” from such postmortems would be welcome in many boardrooms and C-suites.
  • Take action against individuals and companies that do not meet regulatory requirements on conduct: Senior managers take note of public fines and regulatory censures, and this can prompt action to improve conduct and culture. Being seen to hold financial institutions to account can have a profound impact.

Customers can have the most significant impact – by walking away. This shouldn’t necessarily happen when an institution experiences a culture or conduct lapse because it’s unrealistic to believe any institution can prevent all breakdowns. But when the institution’s response does not demonstrate adequate commitment to redress the issue at hand and address the circumstances that allowed the lapse to occur, it may be time to send a message.


Can we trust culture and conduct to guide decision making in the financial services industry? There are days that we wonder. We are going with the optimists, though, and saying “Yes, for the vast majority of financial institutions” but only if the directors and senior managers of these institutions, their regulators, and we as customers remember the lessons learned from past conduct breakdowns and share the responsibility for continually reinforcing the values and behaviors that are important.

I believe that the financial crisis of 2008/9 exposed more a lack of ethics and morality – especially by the financial sector – rather than a problem of regulation or criminality. There were, of course, regulatory lessons to be learned, but at heart, there was a collective loss of our moral compass.
- Paul Pohlman, former CEO of Unilever

Carol Beaumier is a senior managing director in Protiviti’s Risk and Compliance practice. Based in Washington, D.C., she has more than 30 years of experience in a wide range of regulatory issues across multiple industries. Before joining Protiviti, Beaumier was a partner in Arthur Andersen’s Regulatory Risk Services practice and a managing director and founding partner of The Secura Group, where she headed the Risk Management practice. Before consulting, Beaumier spent 11 years with the U.S. Office of the Comptroller of the Currency (OCC), where she was an examiner with a focus on multinational and international banks. She also served as executive assistant to the comptroller, as a member of the OCC’s senior management team and as liaison for the comptroller inside and outside of the agency. Beaumier is a frequent author and speaker on regulatory and other risk issues. 

Bernadine Reese is a managing director in Protiviti’s Risk and Compliance practice. Based in London, Reese joined Protiviti in 2007 from KPMG’s Regulatory Services practice. Reese has more than 30 years’ experience working with a variety of financial services clients to enhance their business performance by successfully implementing risk, compliance and governance change and optimising their risk and compliance arrangements. She is a Certified Climate Risk Professional.

There's a better way to manage the burden of regulatory compliance. Imagine if functions were aligned to business objectives, processes were optimised, and procedures were automated and enabled by data and technology. Regulatory requirements would be met with efficiency. Controls become predictive instead of reactive. Employees derive more value from their roles. The business can take comfort that their reputation is protected, allowing for greater focus on growth and innovation.

Protiviti helps organisations integrate compliance into agile risk management teams, leverage analytics for forward-looking, predictive controls, apply regulatory compliance expertise and utilise automated workflow tools for more efficient remediation of compliance enforcement actions or issues, translate customer and compliance needs into design requirements for new products or services, and establish routines for monitoring regulatory compliance performance.

See our latest Compliance Insights Newsletter

Learn More

1.  “‘We are seeing a crisis in values’ – an exclusive extract from Mark Carney’s book,” Financial Times, March 13, 2021:

2. Cleary Gottlieb Steen & Hamilton LLP, “Report for the Special Review Committee of the Board of Directors of the Federal Deposit Insurance Corporation,” April 2024:

3. Roula Khalaf, “Shameless comebacks show we are in the age of chutzpah,” Financial Times, May 5, 2024:

4. Terry Stewart, “The South Sea Bubble,” History Magazine:

5. “The Freedman’s Savings Bank: Good Intentions Were Not Enough; A Noble Experiment Goes Awry,” Office of the Comptroller of the Currency:

6. Casey Michel, “The Dictator-Run Bank That Tells the Story of America’s Foreign Corruption,” Foreign Policy, July 7, 2020:

7. Mark Ryan, “By The Numbers – Mega Banks Vs. Community Banks,” Extractable, July 1, 2018: