Risk-Based Supervision of Retail Conduct
Wednesday, Oct 19, 2022


This Toronto Centre Note and accompanying podcast focus on the use of a risk-based approach to retail conduct supervision. It also addresses the challenges of supervising for good consumer outcomes.



Misconduct events in the retail financial sector have received a great deal of headline attention and have become an area of increased focus for many supervisory authorities. The growing importance of retail conduct supervision was discussed in earlier Toronto Centre Notes that described the significant financial impact of retail misconduct on consumers, and the potential for misconduct to erode both consumer confidence and financial stability.[2]  


Supervisory authorities have increasingly turned their attention to assessing conduct risk more directly as part of their day-to-day work and have deployed a range of measures including legislative requirements, prescriptive guidance, and national policy (which may also set out expectations around financial literacy and inclusion).  Retail conduct supervision is no longer seen as simply an add-on to more traditional supervision but is now an integral part of the work undertaken by supervisory authorities.  


However, international standards contain relatively little guidance on how to undertake retail conduct supervision, so multiple approaches have emerged across, and sometimes even within, jurisdictions.  Historically, the focus of many conduct supervisors has been primarily on the application of rules and post-event remediation and enforcement, but under a risk-based approach to supervision conduct supervisors are able to identify vulnerabilities to conduct risk and to assess how financial institutions govern and control these risks. 


The core concepts of risk-based supervision (RBS) are highly applicable for retail conduct supervisors and should be a starting point for conduct supervisors of all sectors, including banking, securities, insurance and pensions.[3]  The challenges of supervising for good consumer outcomes are the same for all sectors: deploying sufficient resources efficiently, focusing on the highest priority risks, considering both present and future risks, and taking action to mitigate risks or to prevent them from increasing, while exercising considerable judgement. This Toronto Centre Note focuses on the use of a risk-based approach to retail conduct supervision.  


Institutional arrangements vary from jurisdiction to jurisdiction - conduct supervision may be undertaken by a stand-alone supervisory authority, or it may be integrated with responsibilities for prudential supervision.  Regardless of the institutional arrangements, the principles and practices of RBS set out in this Note are relevant to the assessment of retail conduct risk. 



Why is retail conduct supervision so important?


Retail focused financial institutions will, by definition, have extensive interactions with consumers or clients.  The manner in which consumers are treated can give rise to either a good consumer outcome or some form of consumer detriment.[4] 


There have been many high-profile examples of the impact of “misconduct” on consumers, and these have been well articulated in earlier Toronto Centre Notes.  However, despite an increased focus by supervisory authorities on consumer protection, examples of misconduct continue to accumulate globally and often have the common threads of (a) information asymmetry – financial firms know more about the characteristics and risks of products than consumers and are sometimes ready to exploit this; and (b) a conflict of incentives between firms seeking profit and the need to treat consumers fairly. This can lead to some form of mis-selling, be it through improper or inadequate disclosure, poor advice, or insufficient rigour in product design.  Recent examples include:[5]


  • In 2020 it was revealed that some 7 million clients at Indonesia’s state-owned insurance company PT Asuransi Jiwasraya incurred significant losses as a result of product mispricing, reckless investment of customers’ funds combined with aggressive window dressing of financial accounts, opaque information to customers, and liquidity pressures.  It is believed that the fraud dated back to as early as 2006.[6]  
  • A recent study of 68 digital credit products in India, Kenya, Nigeria, Tanzania and Ghana found that nearly half of the products advertised some form of rewards programs that incentivised certain consumer behaviours such as continued use of a loan product even when it may no longer remain suitable for the consumer. The study further revealed that some digital credit providers extended loan terms automatically when payments were missed.[7]  
  • Micro-lending is also ripe for consumer mis-selling. Consumers may not be aware of the annualised cost of such borrowing, which is typically short term in nature, with fixed interest rates charged on a daily, weekly or monthly basis.  When translated into an annual percentage rate, studies have shown rates for digital micro-credits ranging from 12% to 621%.  Clear disclosures and a high level of financial literacy would be required to enable a thorough understanding of the effective interest rate. 


Vulnerabilities for misconduct can be created at any stage of the product lifecycle, from product design through to the provision of products and services and the ongoing relationship with consumers during the maturity of the products and services.[8]  Products with very long maturities may be particularly prone to misconduct because the detriment to consumers may not become apparent for a long period – sometimes several years.  At each step, financial institutions should put in place appropriate safeguards to protect consumers from unfair practices.  They should be able to demonstrate these practices to supervisors. A risk-based approach provides a framework for supervisors to focus on the highest risk areas. 


Some common drivers of misconduct include:


Inadequate or misleading disclosure: Consumers cannot understand fully the product features and risks because disclosures are insufficient or inadequate and lack the necessary information.


Suitability: The product is not appropriate for the target market, or a target market is not identified, or the product is marketed to consumers who are not part of the target market.  Examples include the targeting of vulnerable consumers in the sales process or failing to identify vulnerable consumers during product development: consumer vulnerabilities need to be considered throughout the life cycle of product design, delivery and post-sale.[9]  Suitability should also consider the type of consumers and consider their particular needs, for example women, geographic regions (rural versus urban regions), and the socio/economic profile of the consumer. 


Conflict of interest: The compensation of sales staff or advisers may be designed to incentivize the sale of products to consumers when they are not appropriate to the needs and interests of those consumers. 


Many supervisory authorities have articulated their expectations for consumer protection.  The FCA in the UK set out six “consumer outcomes” that financial institutions should strive to achieve to ensure the fair treatment of consumers.  These extend across the product lifecycle.[10]


FCA consumer outcomes


Outcome 1: Consumers can be confident they are dealing with financial institutions where the fair treatment of customers is central to the corporate culture.


Outcome 2: Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.


Outcome 3: Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.


Outcome 4: Where consumers receive advice, the advice is suitable and takes account of their circumstances.


Outcome 5: Consumers are provided with products that perform as financial institutions have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect.


Outcome 6: Consumers do not face unreasonable post-sale barriers imposed by financial institutions to change product, switch provider, submit a claim or make a complaint.


Regulatory requirements


Increasingly, supervisory authorities have a more consumer-facing mindset.  In many regimes there is a focus on fairness in financial institution/consumer interaction; transparency and disclosure of relevant and timely information; and the existence of effective and accessible recourse mechanisms for consumers (the complaint handling process within financial institutions, and also in some jurisdictions other forms of adjudication/ombudsman type services for consumers).


Key elements of a country’s consumer protection regime may include:


A legal framework


The responsibility for conduct supervision is typically set out in a supervisory authority’s statutory objectives, based on terms such as the fair treatment of customers and having due regard to the interests and needs of customers.  The obligation to “protect consumers” is different to the responsibility to minimise the losses that consumers may experience from the failure of a financial institution - which is the focus of prudential supervision.  


The framework may include some minimum regulatory requirements around products, who can sell them, and how they can be sold.  


Disclosure regimes for regulated financial institutions


As noted, many supervisory authorities have a combination of principles-based and prescriptive requirements covering areas such as:

  • objectives of disclosure
  • timing of disclosure pre-sale, point of sale, and post-sale
  • level of expected standardisation - through key information documents or key fact statements 
  • concepts of completeness of disclosed information and ongoing relevance 
  • understandable, plain language
  • some form of comparative analysis and “what if” scenarios.


Focus on financial capacity


In some jurisdictions there may also be a focus on:


  • financial literacy and simplifying disclosure
  • improving individuals’ financial behaviours through education and consumer awareness campaigns.


Intervention and enforcement powers


Jurisdictions typically provide supervisory authorities with some form of intervention or enforcement powers around harmful business practices and provide for compensation regimes for consumers who suffer losses as a result of harmful or unfair business practices.[11]


Risk-based supervision


While the concepts of RBS were historically developed to guide prudential supervisors in their work, they are equally applicable to conduct supervision.[12]  Some of the universal characteristics of RBS for conduct supervision to keep in mind are:


  • Risks are addressed in a systematic manner, giving priority to what matters most.  


  • RBS requires the assessment and consistent grading or scoring of financial institutions and issues.  


  • RBS recognises that risks can originate from a variety of sources, both internal and external to a financial institution. 


  • Risk-based supervision is dynamic and forward looking.  It allows risks to be identified and addressed early on.  In applying an RBS approach, checking compliance with conduct rules will form only a small part of the work that supervisors do.  A risk-based approach will go far beyond establishing whether conduct rules are being complied with to assess the extent to which firms are being governed and managed in a way that promotes good consumer outcomes.


  • RBS supports improved decision making and the most effective use of supervisory resources.  


  • RBS is not confined to traditional financial institution-facing work and should continue through the process of continuing supervision - be it through off-site or on-site work.  


  • Key elements of RBS include the concepts of understanding and assessing inherent risk, the assessment of controls and governance, and the strength of financial resources, all of which are discussed later in this Note.




Illustrative example: dynamic and forward-looking supervision


Supervisory authority A has introduced strict and prescriptive conduct of business rules for its advisory sector (covering advice on mortgages, insurance, investments and pensions) with a focus on improving disclosures to consumers.  Financial institutions have been given 18 months to fully comply.  The assumption is that the new rules will reduce misconduct, but the supervisory authority has failed to recognise that phased implementation can have wider ramifications.  While there had been some initial resistance from industry, most companies are working to adjust their business practices to incorporate these requirements.  How might this impact your assessment of inherent conduct risk for advisory financial institutions?


  • One of the key characteristics of RBS is that it is dynamic and forward looking.  However, given the extended timeframe for adoption it may be premature to consider the positive impact this change could have on inherent conduct risk.  Supervisors may wish to flag this as an area of future review – not least to assess the effectiveness of the new disclosure requirements.



  • This is not the end of the story.  There may be cases where financial institutions may take advantage of the long lead time to adopt aggressive sales practices in advance of this change. Supervisors may wish to monitor closely the program of implementation for certain financial institutions and request more detailed metrics around sales volumes to ensure that there is no unusual uptick in sales in the months leading up to the new rules coming into effect.  The supervisor may also wish to prioritise these financial institutions for an earlier review to assess both the features of the new disclosures (to ensure compliance) and to assess their effectiveness.




Supervisors can use RBS principles to guide their assessment of conduct risks.  In applying a risk-based approach to conduct supervision there are some first principles to keep in mind:


  • Sources of future misconduct can emerge at any point in the lifecycle of a product.  Therefore, a supervisor’s initial assessment of inherent risks may be fairly wide reaching and consider a range of activities within a financial institution related to the product or activity being undertaken – product development, marketing and selling, continuing relevancy considerations, and post-sales activities - including complaint handling and remediation.  


  • Opportunities for supervisors to assess conduct risk can occur at any point in the supervisory cycle of a financial institution, starting with the authorisation process and the consideration of the fitness and propriety of key personnel, regular risk assessments, supervisory actions, and the continuing processes of day-to-day supervision.


  • There is no “one size fits all” list of conduct risk drivers - these will be influenced by the industry sector being supervised, and the types of activity being undertaken by the financial institution. 


  • Good consumer outcomes should be part of the culture of financial institutions and should be embedded and evident in their decision-making processes.  The process of risk assessment and the consideration of the governance and oversight of a financial institution will provide the supervisor with an opportunity to understand and assess the cultural influences on a financial institution’s conduct. 


Key elements

As described in Toronto Centre (2018a), the key elements of RBS that supervisors need to consider are:


  • Impact: An assessment of the effect of an adverse outcome (on the financial institution and on the supervisor’s objectives).  


  • Risk assessment: The broad process of identifying significant activities; considering the macroeconomic environment; looking at the inherent risks associated with a given activity or business line of the financial institution; and assessing the adequacy of governance, controls and financial resources in respect of the risks being undertaken.


  • Small firm strategy: Supervisory authorities may be responsible for a variety of smaller financial institutions which individually may be considered low impact but where widespread conduct failure across a particular sector could cause significant harm. 


Other key elements of RBS include supervisory intervention and enforcement, which are covered in Toronto Centre (2019b).   


The impact of a financial institution (and of each activity undertaken by the financial institution) provides an important building block for risk-based supervision.  In considering impact, a supervisor is trying to assess the extent of the detriment (in terms of supervisory objectives) if an adverse event were to occur – in this case the harm to consumers.[13]  For retail conduct supervision, relevant metrics include:  


  • The number of consumers using the financial institution’s products and services.
  • Types of consumer.  For example, the supervisor should consider whether the impact is different for certain subsets of consumers being targeted, such as lower income/less financially literate consumers, women, or those in rural and poorer regions.       
  • Potential consumer losses (taking account of any compensation or redress mechanisms) and the ability of different types of consumers to absorb the loss or seek redress. 
  • Potential financial damage to service providers in the chain.
  • The systemic importance of the financial institution (could the event cause damage to the financial system or the wider economy through a loss of confidence?).


Impact metrics are important drivers of the allocation of supervisory resources and of considerations of supervisory priorities.  Supervisory resources are typically concentrated on higher impact financial institutions.  For example, some supervisory authorities use impact metrics to set a baseline expectation for the allocation of staff, with each level of impact corresponding to the number of supervisory staff allocated to a particular type of financial institution.  


The concept of systemic importance is interesting in the context of conduct supervision.  Systemic importance is traditionally considered through the lens of prudential supervision, but the underlying concept of broad harm typically associated with systemic importance may also be relevant to retail conduct supervision.   For example, retail payment systems may in some economies play an important role in the flow of funds between people and businesses, so misconduct relating to a retail payment system may seriously undermine confidence in the financial system.  


Risk assessment

Conduct supervisors need to follow a process of risk assessment to understand the inherent nature of conduct risks embodied in a financial institution’s significant activities and the extent to which these risks are adequately governed and controlled.  The adequacy of the financial resources of the financial institution also remains important, even for conduct supervision.      


Supervisors need a logical way to conduct a supervisory assessment of conduct risks.  Having assessed impact, the key question for the supervisor is how likely is it that the financial institution/activity/product being assessed will give rise to some form of consumer detriment, and the impact on different types of consumer. 


The likelihood of retail misconduct can be influenced by a range of factors and these are discussed in greater detail later in this Note.  The essential point is that supervisors need to have a thorough understanding of (a) the inherent conduct risks embedded in product features and triggers that can lead to potential misconduct, and (b) the effectiveness of governance and controls within a financial institution to manage these risks.   


The risk assessment model described in Toronto Centre (2018a) provides a natural flow for this kind of assessment.  However, the choice of a risk assessment framework is a decision of individual jurisdictions and so the chosen approach may vary.  Whatever framework is in use, it needs to be agreed and consistently applied across the supervisory authority and should align to risk-based principles.  A common approach used in RBS is set out in the diagram below and is highly compatible with conduct supervision. 

Small firm strategy 

Supervisors may be responsible for a group of smaller financial institutions, which may offer similar products and may have common consumer practices.  Supervisors may not have the resources to undertake detailed risk assessments for each individual small financial institution and instead may wish to consider other approaches to understand the level of conduct risk.  A range of tools exist for supervisors of smaller financial institutions, including the use of questionnaires or targeted thematic reviews[14], and industry outreach and education activities, to target areas where there is a potential for misconduct.  These approaches can be a much more efficient way to utilise limited supervisory resources and guide future supervisory work for extreme outliers.[15]  






Illustrative example: small firm strategy


Following a recent supervisory on-site review of a smaller securities firm in country B, the supervisors observed that the firm failed to properly disclose the fees chargeable on client accounts.  Although the requirements for disclosure were set out in supervisory guidance, the firm failed to meet the specific requirement to disclose any changes to fees throughout the year, in addition to the requirement to provide an annual fee schedule.  In responding to the supervisor’s inquiries on this omission, the firm indicated that it was common industry practice to include intra-year changes to fees as part of the annual fee schedule.  


This led the supervisor to undertake a targeted thematic review of securities firms’ fee disclosure practices and resulted in the supervisor issuing an industry letter setting out commonly observed disclosure deficiencies and reminding the industry of the relevant requirements. 


The use of risk matrices as a tool for the risk assessment process

A risk matrix is a useful tool to capture the risk assessment of a financial institution, and can include conduct risks alongside other inherent risks, including prudential ones.    


There are many drivers of conduct risk and a deep understanding of the level and nature of inherent conduct risk will require the supervisor to pull apart the activity under assessment to target the most important risks.  The concept of inherent conduct risk is discussed in greater detail later in this Note, however the general process to assess inherent risk covered in earlier TC notes is equally applicable and can serve as a reference point for conduct supervisors.[16]


Where a supervisor is solely responsible for retail conduct supervision the risk matrix can be modified to focus on the more relevant inherent risk categories for retail conduct risk, namely conduct, operational, and financial crime/money laundering risks.   


Where the supervisory authority is responsible for both prudential and conduct supervision, the use of an integrated matrix would be considered a suitable approach as conduct risks can be considered alongside prudential risks such as credit, insurance and market risks.  Similarly, the quality and effectiveness of a financial institution’s governance and controls in mitigating conduct risks can be considered alongside their quality and effectiveness in mitigating prudential risks.  The process of risk assessment is broadly the same for both prudential risk assessments and conduct assessments. However, supervisors should be mindful not to double-count inherent risks.[17]


A generic risk matrix, which could be used for the assessment of both conduct and prudential risks, is shown below.[18]   


Generic risk matrix (table layout not preserved in this copy; only the recoverable labels are listed):

Column headings: Area of Focus | External risks | Inherent risks | Risk management and governance | Net risk | Financial resources
Row headings: Significant activities (one row per activity), with a final row for Overall rating
Inherent risk category shown: Financial Crime/AML
Risk management and governance functions shown: Senior Management, Internal Audit, Risk Management


Identification of significant activities 

A starting point for the conduct supervisor in filling in the risk matrix will be the identification of the key activities undertaken by the financial institution.  The supervisor may choose to look at the activities of a financial institution through its business units or products, or for smaller financial institutions they may consider the business as a whole.  There is always the danger of going either too granular or too high level in the selection of significant activities.  The approach taken should enable the supervisor to distinguish the inherent risks specific to each significant activity and to each financial institution.[19]  


The selection of significant activities can be an iterative process and the supervisor should be prepared to pull apart business units or groups of seemingly similar activities to ensure that important risks are not being masked by combining them.  

External environment

Before considering inherent risks, supervisors will also need to consider the risks that might arise from the broader economy (macro-economic environment) or changes in a particular industry or sector that can influence their assessment of inherent conduct risk.  





Illustrative example: external environment   


Recent reports from the central bank in country C indicate that measures to ease rising inflation may include an increase in borrowing rates.  Until now, the country had been experiencing low interest rates and very buoyant lending markets, particularly in the residential housing sector.  


The supervisory authority has a regular annual program to undertake risk assessments of its largest banks and is considering how this recent report should be incorporated into their risk assessments. The residential lending business is highly reliant on the use of mortgage brokers and advisors and there was discussion in the industry that some mortgage advisors may relax their suitability assessments and rush some approvals through in advance of the anticipated change in interest rates.  Supervisors are concerned that any relaxation in the credit risk assessment process may result in some unsuitable (unaffordable) mortgage products being provided to consumers, some of whom could suffer losses or other detriment as a result.  


The supervisors determined that the following steps would be necessary:


  • While credit risk is the primary risk in the case of residential mortgage lending, the changing macro-economic environment may create some opportunities for misconduct as mortgage advisors may attempt to “qualify” clients before the anticipated rate change when this product is not suitable for them.
  • The supervisor considered which financial institutions might be most involved in potential misconduct and identified 8 large mortgage brokers that had a significant market share. 
  • The supervisor considered that a thematic approach would be the best way to canvass the 8 identified mortgage brokers to understand what changes (if any) were being made to their lending criteria and to understand any spikes in their mortgage approval volumes and identify if this is a more widespread problem.
  • The supervisor also considered the potential impact of any adverse changes in the performance of the mortgage portfolio on the lending banks and the reputational risks that could arise if banks and advisors were found to be mis-selling their mortgage product (qualifying unsuitable borrowers) and subsequent defaults on mortgages occurred.
  • The supervisors of the major mortgage lending banks considered how the recent central bank report should be considered in the context of the macro-economic assessment and whether it was significant enough to warrant additional supervisory work.


Inherent conduct risk  

Inherent risk is the risk before the consideration of any governance, controls and financial resources.  Inherent risk arises from the nature of the activity – it is intrinsic to the activity itself.  A common implementation error is to consider how this risk is being governed or controlled when assessing the level of inherent risk.  Supervisors need to be careful to look purely at the inherent risk before the consideration of any governance and controls.  



Conduct risk is the risk that the financial institution will harm consumers through some form of misconduct such as abusing information asymmetries or failing to provide adequate information. Supervisors must consider how susceptible a financial institution is to conduct risk - what are the conduct risks intrinsic to the activities being undertaken by the financial institution and how do these compare against the other risks that the financial institution is running? 


The assessment of inherent conduct risk is multi-dimensional because it is both product and industry specific, and because vulnerabilities for future misconduct can be created at any point in the lifecycle of a product.  Key to this risk assessment process is to distill the conduct risks that are intrinsic to the activity or business line that is being assessed.    


The list of possible “misconduct events” is quite lengthy and in some cases sector specific.  The supervisor cannot be expected to analyse the likelihood of each of these occurring.  Rather, through a careful analysis of the features of the product (or significant activity), the supervisor should be able to determine which misconduct events are more likely to occur (probability) and how much consumer detriment they may cause.  The starting point should be for supervisors to deepen their understanding of the characteristics of the product or activity - what are the risks intrinsic to that significant activity or product and do these risks create vulnerabilities or opportunities for misconduct?  



Illustrative example: inherent retail conduct risk 


The lead supervisor for a local pension administrator in country D noted that her team had been receiving an increasing number of complaints from members of one of the defined contribution pension plans administered by this firm.  Increasingly concerned about the steady number of complaint calls, the supervisors arranged for an off-site review of the complaints data maintained by the plan administrator to understand better the root cause of the problem.  Upon review it was revealed that plan members were questioning some of the investment returns they were receiving and did not seem to understand why the investment returns were so much lower than expected.  This off-site review led the supervisor to take the following steps:


  • Request a copy of the quarterly and annual pension plan statements provided to active members to understand the types of disclosure made to them on investment returns and the size of their pension investments.


  • Prepare for an on-site review to look at the suitability assessment process undertaken by the firm to assess the risk appetite of the plan member and their selection of investment products.  


  • Request a copy of the examples provided to plan members who have given notification of retirement to understand the level of information provided on the pension that will be paid out to them.


The review revealed that due to the complexity of the product the inherent risk rating should be increased to High and that there was a need for stronger controls in the form of enhanced disclosure.  As a result, the supervisor recommended that the plan administrator enhance the level of disclosure to include “what if” scenarios to describe the possible investment returns under various interest rate and other scenarios. 


Approaches to assessing inherent conduct risk - some key drivers

Risk-based conduct supervision requires a proactive approach to enable the early identification of product features that may give rise to consumer detriment or make a particular product more vulnerable to some form of future misconduct.  A risk-based approach calls for a full understanding of the risk drivers that could lead to future misconduct events. 


Inherent conduct risk can arise from a wide range of factors, including:


  1. Product design and complexity: Products that are more complex in nature and have embedded features may be more difficult for retail consumers to understand and may be difficult to explain to the average consumer.  Product complexity can be driven by:
  • Some form of embedded contingency for performance, linked to some form of indices.
  • Resets of charges based on future events.
  • Performance promises, and guaranteed returns which are contingent on something happening.  
  • Maturity of products.  In the case of products with a very long period to payoff (pensions and other long-term savings, residential mortgage lending), poorly explained characteristics may not become apparent for many years.
  • Opaque features that do not distinguish the product from other products.



When products are complex, this can create an opportunity for mis-selling as purchasers may not fully understand the risks associated with the product and may not be able to assess whether it is suitable for them.  This can be exacerbated if the sellers (advisors, brokers) of the product do not have a comprehensive understanding of the product features and risks, or if there are some vulnerabilities in the target market around financial literacy and capability.  There may also be an intent to mislead a consumer to achieve volume sales and in these cases the product literature may be drafted in a manner to mask the true risks or to inflate the predicted returns or the future value of products.  



  2. Intended target market: The target market assessment is an integral part of the product development process and should be considered at all points in the product life cycle to take changing circumstances into account (including post sale, where a product feature may have been significantly changed).  Understanding who the product is intended for – and equally who it is not intended for - will also influence other considerations such as the kind of disclosure that is necessary, how the product is marketed and promoted, and the type of advisors retained to sell the product.  Products and services sold to retail consumers should be designed to meet the needs of identified consumer groups and should be targeted accordingly. 


  3. Delivery mechanisms and the use of technology: The way in which a product is delivered or sold to consumers can influence the level of conduct risk.  For example, where a sales process is outsourced to a third party this may introduce some additional risk as it may be more difficult for the manufacturer of the product to control how the product is marketed and sold.  The use of third parties should serve as a flag to the supervisor to understand better this relationship. 


While there are clearly many advantages in the use of digital platforms such as increased access for consumers to financial products, and more efficient means of delivering products, the use of digital platforms can also create challenges for consumer protection.  Some of these risks include:[20]

  • Failure of technology.
  • Cyber risk and the theft or misuse of personal data. 
  • Inappropriate targeting of products to consumers.
  • Inadequate electronic disclosures - information may not be delivered in a manner that can be easily understood by the consumer, which could lead to a tendency for consumers to “click through” the disclosure pages on a website. 



Common misconduct events include the misuse of personal data to leverage cross-selling opportunities between business units within a firm, inadequate or opaque disclosures, and biases in the decision-making process for granting access to a product.



  4. New products (accompanied by rapid growth): New products in and of themselves do not necessarily give rise to higher conduct risk.  However, where the financial institution is attempting to be a first or early mover in a particular market and has rushed a new product to market this may create opportunities for misconduct.  New products combined with high rates of growth may be an indicator of conduct risk. 



Financial institutions may look to cut corners in a desire to launch a product to market and may employ less rigorous assessment when considering the target market and the risks associated with the product.  They may also employ aggressive sales tactics to achieve desired volumes and corner their market share.  Considered together with the other vulnerabilities cited earlier in this section, there is a heightened risk that these products will be mis-sold. 



  5. Incentive arrangements: The type of incentive arrangement available to service and product providers should be an area of interest to supervisors.  While intended to reward productivity and profitability, compensation arrangements can, if poorly structured, incentivize behaviours that may lead to poor consumer outcomes.  Problems associated with compensation arrangements commonly arise when there is some form of conflict of interest in the marketing or selling of products, and where the interests of the intermediary/financial institution representative are put ahead of the interests of the consumer.  





Common issues related to compensation arrangements include: 

  • Cross-selling incentives - staff being compensated if they sell additional/potentially non-related and unsuitable products to a consumer.
  • Commissions/bonuses linked to sales volume of products – this may lead to aggressive sales/marketing tactics.  
  • Differences in compensation among competing products – this can lead an intermediary or representative to promote products that are not suitable for the consumer.  
  • Where compensation for individuals in control functions is linked to sales volumes or some form of sales performance thresholds.



Financial institutions should have appropriate governance and controls for managing their incentive structures, including performance management frameworks that reward good consumer outcomes and promote ethical behavior; clear remuneration policies that are aligned to “treating customers fairly”; and some form of claw back of compensation or other performance consequences for unfair consumer outcomes. The supervisor should consider what a firm’s remuneration practices and controls say about the culture within a firm.  Is an aggressive approach to sales encouraged by the compensation scheme?  Are good consumer outcomes measured through post-sales surveys?  Do good consumer outcomes translate into some form of recognition/reward for employees? 


While not itself a driver of inherent risk, complaints data can provide supervisors with useful information to understand potential areas of inherent conduct risk.  A wide variety of product vulnerabilities may be identified through the assessment of complaints data, so financial institutions – and possibly conduct supervisors – should perform deep dive analysis to understand the characteristics of complaints data (aging of complaints, resolution rates) and features (by age, gender, ethnicity, geographic location, socio-economic groups).  Where there has been a notable increase in complaints, or where a financial institution has a higher level of complaints than its peers, this may be a first indicator that something is wrong with a particular feature of a product or perhaps with the culture within a financial institution.  This information can be used by supervisors to focus their supervisory work. 


As set out in Toronto Centre (2019a), supervisory authorities should develop internal guidance around the rating system to be applied to the assessment of inherent conduct risks.  The rating system should be structured to clearly distinguish the severity of the risks and to prevent a supervisor from defaulting to a medium or average rating.  The supervisory authority may also wish to avoid the use of numeric ratings as it may suggest a level of precision or formulaic approach to arrive at a rating.  The rating should be based on the information available to the supervisor and their judgement around the importance and relevance of this information to the rating.  

Ratings commonly used for inherent risks (including for inherent conduct risk) are: low, medium low, medium high and high.  Some activities by their nature may garner a higher level of inherent conduct risk as a result of their reach and impact.  For example, the provision of pension advice can carry a higher level of inherent risk as it affects people’s future income in retirement, and poor pension advice can lead to significant consumer detriment.  Other products such as general insurance products (for example motor or home contents insurance) may have a lower level of inherent conduct risk as the consumer detriment from being sold the wrong product may not be as significant.[21] 



Illustrative example: significant activities and inherent conduct risk  


Supervisors are reviewing a pre-inspection package of information for financial institution E in advance of an on-site inspection.  The financial institution has a significant consumer loan portfolio, comprised of residential loans (50%), credit card loans (40%), and other general forms of consumer lending (10%).  The supervisory team had earlier made the decision that the consumer lending unit should be considered as one activity in the risk matrix for the purposes of the risk assessment.  However, following a review of the pre-inspection materials it became clear that the features of each type of consumer loan were quite distinct and it would be more appropriate to separate them out for the purposes of the assessment of the inherent conduct risks. The most notable differences were:


  • The residential loan portfolio was fairly straightforward, comprised of loans with mostly fixed rates of interest and fixed amortisation periods.
  • On the other hand, credit cards are subject to variable rates of interest and increases in limits occur at a regular frequency. The supervisor is aware that there had been some well publicised cases in other jurisdictions of credit limit increases being granted without the explicit consent of consumers and flags this as a potential area of heightened conduct risk.
  • The supervisor concluded that the general consumer loan portfolio (10%) was not sufficient in size to warrant a risk assessment, because it was not a significant activity.  


A decision is made to split the significant activities into residential mortgage loans and credit card lending for the purposes of this risk assessment.   Based on the off-site and on-site supervisory work, residential mortgage lending was assessed to be a medium low inherent conduct risk, while credit card lending was assessed to be a medium high inherent conduct risk.  



Governance and controls

Consistent with a risk-based approach, having identified the significant activities and inherent conduct risks, the next step for a supervisor will be to undertake an assessment of the quality, effectiveness and appropriateness of governance and controls in relation to the assessed inherent conduct risks.


The Board is responsible for the strategy of the financial institution and for ensuring that, in executing this strategy, senior management develop appropriate processes to monitor and control the conduct of the business.[22]  The controls and management are just as important to getting conduct ‘right’ as they are to prudential soundness; and as a result RBS supervisors should spend time assessing these in the context of conduct.


There must also be mechanisms in place to cascade these conduct expectations, to establish the responsibility of key control functions, and to monitor performance.  Local controls (at the business unit level – the “first line of defense”) and more enterprise-wide control functions such as risk management (the “second line of defense”) and internal audit (the “third line of defense”) are a core part of conduct risk assessment.    


A useful starting point to understanding how a financial institution approaches conduct risk is by looking at the frameworks used to identify, measure and manage conduct risk.  A financial institution’s approach may be influenced by the regulatory environment, and in the case of more prescriptive regulatory requirements the financial institution may take a more compliance-based approach to managing its conduct risk.  Supervisors should avoid taking a similar compliance-based approach when assessing the governance and controls environment.  The application of a risk-based approach to conduct supervision should drive the supervisor to gain an understanding of both the characteristics of the governance and control environment and the effectiveness of how governance and controls actually perform in practice.  An understanding of management and the board’s attitudes to conduct issues can also tell the supervisor a great deal about a financial institution’s culture and values.[23] 


The poor culture of a financial institution is often cited as a key reason for events of financial misconduct.[24]  It is a significant area of focus for supervisors and has been explored in a number of Toronto Centre Notes.[25]  The scandals referred to earlier in this Note all have in common some form of failure of culture.  


Culture has many definitions, but the underlying premise is about behaviors in financial institutions and what is tolerated.  “Tone from the top” may be an over-used phrase, but boards will have a significant influence on what is viewed as acceptable business practices by virtue of their actions, or in some cases their lack of attention and action.[26]




Illustrative example: governance


Supervisors have recently completed a conduct inspection at Bank F and have been impressed by the extensive set of policies and procedures established by the bank.  The supervisors have undertaken an extensive review of these policies, supplemented by discussions with key members in the business line and members of the compliance team.  They all seemed to have good knowledge of the products they were selling, but their answers appeared to be very superficial when it came to explaining reporting metrics and how early conduct problems are flagged to the Board.  Some of the responses the supervisors received in relation to these questions about the Board’s engagement included:



  • “We know the business and the Board trusts us to get the job done”
  • “The Board at the end of the day is really interested in how much money this product is going to make”
  • “The Board likes to hear about sales volume and new product development - they are really forward-thinking, and their focus is on driving the strategy”.


This information caused the supervisors to expand the scope of their review to include:


  • A review of the reporting the Board was receiving on a regular basis, with a focus on product performance.
  • The nature of discussion at the Board with heads of business and risk management, to assess the extent to which there was sufficient discussion and challenge of the information being provided, including the Board’s attention to follow-up matters.
  • Direct engagement by the supervisors with members of the Board to assess their understanding of the kinds of conduct risk they were running and how they gained assurance that these risks were being well managed and controlled. 


Looking at this problem on a narrow basis, the supervisor initially thought that the Board might just not be getting the right information.  However, when considered more broadly, the supervisor concluded that the true root cause may be the firm’s culture and an insufficient interest and commitment by the Board, and perhaps senior management, in treating customers fairly.  The supervisor queried the Board on how it satisfied itself that consumer interests were being taken into account as products were being developed for their market. The responses by members of the Board revealed that they lacked a deep understanding of their responsibility to protect consumers and this was ultimately reflected in the rating assigned to the governance column of the risk matrix as “Needs improvement”.


As part of the supervisory recommendations following the review, Bank F was required to consider what steps it needed to take to enhance its focus on conduct risk and to deliver better consumer outcomes, including the role that the Board should take in making this focus a priority throughout the bank. 




In applying a risk-based approach to the assessment of governance and controls it is important to recognise that:


  • Ineffective controls may not only fail to mitigate external and inherent risks but may amplify them.
  • The assessment of the adequacy of governance and controls needs to be aligned to the inherent risks identified.  The higher the inherent risk, and the higher the impact of the financial institution, the more rigorous the governance and controls need to be.  The conduct risk framework should be proportionate to the size and complexity of the financial institution and the nature of the assessed risks.  Larger financial institutions should be expected to have more extensive enterprise-wide frameworks for assessing and managing conduct risk compared with smaller financial institutions. 


In undertaking conduct risk supervision, supervisors may naturally want to use the product life cycle as a “road map” to guide the assessment of the quality and effectiveness of governance and controls.  While a consideration of a product life cycle can serve as a useful reference in considering vulnerabilities to conduct risk, it may take supervisors into areas of risk that are not important.  Looking at controls and governance at each point in the lifecycle of a product may be warranted where that particular product is assessed as having a high level of inherent conduct risk and there is concern that any control failure could result in a significant consumer detriment.  For a simple investment product however, the biggest risk may be that of mis-selling and a more focused approach, looking at the controls and governance around the sales and distribution process, may be more appropriate.  


Key to a risk-based approach is first, to focus on the highest priority risks inherent to the activity being assessed, and second, to ensure that the governance and controls are properly aligned to the high priority risks that have been identified.  Supervisory resources are scarce and there may be little value added in assessing governance and controls at every point in a product life-cycle when your inherent risk assessment is pointing you in a specific direction.  


Risk-based supervisors must be mindful that the assessment of governance and controls should not focus solely on their mere existence but also – and much more importantly - on their effectiveness.[27]  In the example provided below the complaint management processes are not an effective control because they are used in a very narrow way, to provide statistics, rather than as a source of information to identify areas of emerging risk and to inform potential product enhancement.



Illustrative example: complaints handling


The conduct supervision team in country G has embarked on a thematic review of the complaint management processes used by five different insurance companies in their jurisdiction.  They note that detailed information is being collected by all of the insurance companies on the number of complaints and the time frames in which the complaints are resolved.  All companies report that a high number of complaints are resolved at the first point of contact (70-80%).  


However, the review noted that unresolved complaints (up to 30%) tend to languish and sit on an open register for considerable periods of time. They also observe that a common technique employed by the insurance companies is to continue to provide the complainant with variations on previously provided responses in the hope that the consumer will cease their contact with their company.  In some more drastic cases, particularly where fees are involved, the insurance company will often just rebate or reduce the fee to get the complaint off their books.  


There are three key control weaknesses in these firms’ complaints management processes:  


  • No effective escalation process for complaints.  Unresolved complaints tend to stay within the complaints team and there is no formal process to refer the more complex or persistent complaints to other areas in the insurance company to assist in their resolution. 
  • Lack of root cause analysis. The goal of the complaints team is to fix the problem rather than to understand the root cause of the problem.  As a result, all efforts are on managing the complaint away rather than on also using the complaints data to inform management about problem areas with their products. The insurance companies are relying on high resolution rates at the first point of contact as a measure of an effective complaints process, rather than undertaking any further analysis to understand flaws in the product. 

  • Management’s approach to inciting customers to go away is not really dealing with the complaints, and encouraging staff to take this approach is sending out the message that customer concerns are not important.  This lack of care may also be indicative of other cultural weakness that could be detrimental to consumer interests. 


It would be difficult to judge the complaint management processes as being an effective control as they are used in a very narrow way, to provide statistics, in contrast to being used as a source of information to identify areas of emerging risk and to inform potential product enhancement.  As a result of this and other control failings, the supervisor assesses the quality of controls as "Needs improvement".  




In assessing internal controls and governance supervisors should consider:


  • In some jurisdictions governance and controls for non-financial risks may be less advanced than those for financial risks.  In some cases, conduct risk considerations will be simply an add-on to existing risk management frameworks, or may be consigned to a narrowly defined compliance function.  Supervisors will need to challenge financial institutions, at the highest level, on how conduct risk has been integrated into roles, responsibilities and the overall risk management framework, and on how the effectiveness of these frameworks can be demonstrated.
  • For certain sectors, like the securities industry, segments of their business may be highly regulated for conduct risk and be subject to prescriptive requirements, such as mandatory disclosure requirements.  Supervisors will need to assess the extent to which this rigour has been carried across the full life cycle of the product, going beyond disclosure requirements. 
  • Historically, conduct supervision has focused primarily on the point of sale of a product.  The increased focus on “better consumer outcomes” has resulted in the development of assessment frameworks which cover the entire life cycle of the product, from product development through to post-sales performance and (where required) remediation.
  • Observed control failures in other areas of risk management may signal rising vulnerability to conduct risk.  Repeated compliance breaches, particularly in relation to retail sales activity, may be indicative of some form of mis-selling or aggressive sales tactics. 
  • Boards and senior management may talk about their financial institution being “consumer centric” when referring to their product offerings and strategy.  However, financial institutions need also to demonstrate how the concepts of “treating customers fairly” and “good consumer outcomes” are considered in their decision making around strategy and product development, and how they are delivered in practice. This could include having a complaint handling process that meaningfully uses data to improve product offerings and consumer outcomes. 
  • Carefully crafted and thoughtful conduct management frameworks can be easily derailed by the actions and behaviours of even a single individual within a financial institution, particularly those who wield significant influence.  Supervisors should therefore be mindful of dominant characters in both the Board and in senior management, particularly at the Chief Executive level.

Financial resources

A consideration of the strength of financial resources has commonly been the domain of prudential supervisors.[28]  The adequacy of financial resources is also relevant to conduct supervisors, because financial institutions may be called upon to compensate individual consumers, to contribute to consumer protection funds, to provide liquidity for collective investment schemes, and to have sufficient capital to be capable of being wound down in an orderly manner.    


Supervisors should therefore expect financial institutions to consider conduct risk as part of their capital planning exercises. 

Implementation challenges

Compliance-focused regimes: Where jurisdictions have introduced prescriptive regimes for conduct supervision, for example detailed disclosure requirements, supervisors might rely on compliance with these rules as their primary source to assess conduct risk.  However, the application of a risk-based approach will drive a deeper understanding of the most important risks and provide a basis on which to judge the adequacy of the governance and control of these risks. 


Applying a reactive rather than a proactive approach to conduct supervision: Supervisors should anticipate possible sources of consumer detriment through a proactive approach, and should not focus solely on responding and remediating misconduct after the event.  Similarly, supervisory authorities may be more focused on sanctioning rather than on the prevention of misconduct.  Enforcement can be a useful tool to deter others from misconduct, but it should not be the only tool employed by conduct supervisors. 


Risk assessment is too one dimensional: This can result in a narrow assessment of conduct risk without understanding the multiple factors/indicators of conduct risk.  For example, some supervisory authorities have relied almost entirely on prescriptive disclosure regimes as a means of addressing potential misconduct, with only a limited consideration of the impact of other types of conduct risk, including the provision of advice, and the suitability of products for different types of consumers.


Lower priority: Conduct supervision may receive lower prioritisation, particularly where conduct and prudential supervision are housed in one authority and compete for the same scarce resources.


Resistance from financial institutions: Where supervisors have increased their focus on conduct risk, this may create some tension with financial institutions.  Financial institutions which have historically been less consumer centric may struggle to transition their business models and resist bearing additional costs to change business processes and enhance controls.  Equally, these financial institutions may pressure governments to ease up on measures because of concerns about costs, competitive challenges with other jurisdictions, and loss of market share. 


Not applying a cradle-to-grave approach to conduct supervision: Conduct risk should be considered at each touch point with a financial institution, starting with the authorisation process or the assessment of key personnel.  These early assessments can inform the supervisor’s views on the probability of future misconduct.


Technology limitations: Limitations in the collection and analysis of data may impede the supervisor’s ability to identify areas of potential misconduct.  Where supervisors have responsibility for numerous financial institutions, advanced analytical tools can be helpful in identifying patterns of behaviour or conduct and in flagging potential risk indicators. 


The key concepts of risk-based supervision (RBS) are highly relevant to conduct supervisors and many of the approaches traditionally associated with prudential supervisors are readily applicable for conduct supervision regardless of the institutional arrangements (integrated or stand-alone conduct authority) or the sector being supervised. 


This Note has suggested a number of areas where supervisory tools can be readily directed to include retail conduct risk within a RBS approach.  This includes the use of impact metrics, the identification of significant activities, the assessment of inherent conduct risk, and the assessment of governance, controls, and financial resources as mitigants of the inherent risk.  


The Note has set out some of the unique drivers of inherent conduct risk and examples of consumer misconduct potentially arising from these inherent risks.  Similar to prudential supervision, the selection of significant activities is a key starting point and supervisors will want to consider whether that selection is at the right level to draw out the key drivers of inherent conduct risk. 


There are a number of implementation challenges associated with introducing and carrying out risk-based conduct supervision and these can come from both external stakeholders and sometimes within the supervisory authority itself.  Incremental change, continuing training and continued stakeholder engagement can help to ease the transition to new and increasing conduct requirements.  Another important aspect of conduct supervision is having an effective supervisory intervention and enforcement regime.  


However, despite the growing focus on preventing consumer misconduct, supervisors continue to observe high rates of retail misconduct.  Increasing supervisory attention to this area can help raise the standard of consumer protection practices within financial institutions and lead to better outcomes for consumers.  






De Nederlandsche Bank. Supervision of Behaviour and Culture:  Foundations, Practice and Future Developments.  2015.


European Insurance and Occupational Pensions Authority.  Framework for assessing conduct risk through the product lifecycle.  February 2019.  


Financial Conduct Authority.  Guidance for Firms on the Fair Treatment of Vulnerable Customers. February 2021a.


Financial Conduct Authority.  Fair Treatment of Customers.  Updated March 2021b.


Financial Consumer Agency of Canada. Domestic Bank Retail Sales Practices Review.  March 2018.


Financial Stability Board. Strengthening Governance Frameworks to Mitigate Conduct Risk:  A Toolkit for Firms and Supervisors.  April 2018.


Group of 30. Banking Conduct and Culture: A Permanent Mindset Change.  November 2018.


Haynes Royal Commission. Report on Misconduct.  February 2019.


Toronto Centre.  Improving Corporate Governance in Regulated Firms.  January 2016a.  


Toronto Centre.  Conduct: Prevention, Detection, and Deterrence of Abuses by Financial Institutions.  February 2016b.


Toronto Centre.  Risk Based Supervision.  March 2018a.


Toronto Centre.  Implementing Risk Based Supervision: A Guide for Senior Managers.  July 2018b.


Toronto Centre.  The Development and Use of Risk Based Assessment Frameworks.  January 2019a.


Toronto Centre.  Turning Risk Assessments into Supervisory Actions.  July 2019b.  


Toronto Centre.  Supervising Fintech to Promote Financial Inclusion.  December 2019c.


Toronto Centre.  Supervisory Responses to Retail Misconduct.  January 2020a


Toronto Centre.  Risk-Based Supervision for Securities Supervisors (and Other Supervisors of Small Firms).  February 2020b


Toronto Centre.  Risk-Based Supervision of Cross-Border Groups.  December 2021.


Toronto Centre.  Supervising Corporate Governance: Pushing the Boundaries.  January 2022a.


Toronto Centre.  Supervisory Implications of Artificial Intelligence and Machine Learning.  July 2022b. 


World Bank: Consumer Risks in Fintech: New Manifestations of Consumer Risks and Emerging Regulatory Approaches. Consumer Risks in Fintech. April 2021



[1] This Note was prepared by Karen Badgerow.

[2] See Toronto Centre (2016b and 2020a). 

[3] A series of Toronto Centre Notes explain risk-based supervision.  See Toronto Centre (2018a, 2018b, 2019a, 2019b, 2020b and 2021).

[4] For ease of reference the term “consumer” will be used throughout this Note to refer to current and prospective customers or clients of financial institutions.

[5] See also Financial Consumer Agency of Canada (2018), Financial Stability Board (2018), and Haynes Royal Commission (2019) for further examples of retail misconduct and proposed regulatory and supervisory responses. 

[6] The Jakarta Post: Understanding Indonesia’s largest financial scandal.  October 26, 2020. https://www.thejakartapost.com/news/2020/10/25/jiwasraya-understanding-indonesias-largest-financial-scandal.html

[7] World Bank (2021). 

[8] See European Insurance and Occupational Pensions Authority (2019).   

[9] For a fuller discussion of vulnerable consumers, see Financial Conduct Authority (2021a).  

[10] For more details on the FCA approach see Financial Conduct Authority (2021b).  

[11] Supervisory intervention and enforcement are discussed in Toronto Centre (2019b). 

[12] For more detail on the key principles of RBS see Toronto Centre (2018a). 

[13] For more details on the measurement of impact and its role in risk-based supervision see Toronto Centre (2018a). 

[14] A thematic review is where the supervisor selects a particular area of focus to assess and undertakes an in-depth review (off-site or on-site) of the practices of a range of financial institutions.  The approach is useful for identifying any common industry problems, highlighting better practices, and identifying outliers. See Toronto Centre (2020b).

[15] Small firm strategy is discussed in more detail in Toronto Centre (2020b).

[16] Inherent risk is discussed in detail in Toronto Centre (2019a).

[17] Misconduct can also be a feature of other inherent risks, such as operational risk and money laundering, so supervisors will need to ensure that there is no double counting of inherent risks when they undertake their risk assessments.

[18] This generic risk matrix is taken from Toronto Centre (2018a), where it is discussed in more detail.   

[19] The identification of significant activities is discussed in more detail in Toronto Centre (2019a).

[20] Additional information on these risks can be found in Toronto Centre (2019c and 2022b).  

[21] There may be examples where the inherent risk for home contents insurance is higher, particularly where products are being sold in geographic regions that may be vulnerable to weather related events and where these insurance products exclude losses arising from floods and other natural disasters.  

[22] See Toronto Centre (2016a and 2022a) for a fuller description of the supervisory assessment of the quality and effectiveness of corporate governance.      

[23] See Toronto Centre (2022a). 

[24] See Group of 30 (2018) for a detailed discussion of the importance of culture and governance.

[25] See Toronto Centre (2020a).   

[26] A comprehensive overview of the topic of supervising for culture and behaviours can be found in De Nederlandsche Bank (2015). 

[27] Again, see Toronto Centre (2022a). 

[28] See Toronto Centre (2019a).