Regulatory Focus on Conduct Risk—Hungarian Case Study on Qualitative and Quantitative Tools for Risk Mitigation

Due to the inadequate conduct of their business, financial institutions have recently sustained severe losses, as a result of which the management of conduct risks has become increasingly prominent in regulation. This paper describes the position of conduct risk within the framework of risk management, and uses Hungarian and international examples involving major losses to illustrate the need for the adequate management of conduct risks. This is followed by a description of how to manage the type of risk in question using the qualitative and quantitative tools of operational risk management. A quantitative analysis is then carried out to illustrate the effects on capital requirement achieved by taking into account conduct risks in various components of the internal models.


Possible Manifestations of Conduct risks
A comprehensive understanding of the concept of conduct risk may be developed by reference to an overview of the event types and business practices which, according to the definition provided in the previous section, should be assessed within the scope of conduct risk. This section aims to describe the forms in which conduct risks are manifested, and associate each type with examples where major losses have recently been incurred. In its 2013 release (FCA, 2013) the Financial Conduct Authority classifies conduct risks into three categories. It covers risks inherent to organisations, those resulting from the structure and culture of the financial sector, and those resulting from conditions in the external environment. Importantly, apart from these sources of loss, additional indirect losses, which are difficult to quantify, are incurred from the deterioration in the reputation of individual institutions or the financial sector as a whole, and a sense of uncertainty developed by customers.
The group of inherent factors comprises events resulting in consumer dissatisfaction where, for some reason, customers do not obtain the product that they actually need. In the authors' classification, this category includes risks resulting from information asymmetries, biases and customers' financial capability.
Information asymmetry arises in cases where a customer does not completely understand or misunderstands the terms and conditions of the product in question. This could be due to incomplete product information, mis-selling, or the absence of core financial capabilities, which is discussed in a later section.
In choosing financial products, customers often develop biases to the information available to them under the influence of recent advertising, friends' advice (positive word of mouth), or overconfidence.
Such biases often cause customers to set up false heuristics, which will ultimately determine their decisions.
The general experience is that customers without any prior financial education are incapable of assessing precisely what products they actually need, and their choices of the products offered to them are not made consciously.
A good example of losses caused by intrinsic factors is provided by some of the credit portfolios built in Hungary during the crisis and becoming defaulted subsequently. In the period following the regime change, due to a lack of sufficient financial awareness and to information asymmetries, a major proportion of households borrowed in schemes (e.g., on a foreign currency basis, with a disproportionately high instalment relative to income, or in multiple loans) that were not suited to their financial situations, which at a later stage contributed to the default of their loans to a great extent.
The second main group comprises risks resulting from the specificities of the financial sector, i.e., its structure and processes, including internal conflicts of interest, cultural effects, and situations of ineffective competition.
Internal conflicts of interest may develop where the internal motivations of financial institutions' employees (targets and rewards) are not aligned with the products and services best suited to customers. www.scholink.org/ojs/index.php/jepf Journal of Economics and Public Finance Vol. 4, No. 2, 2018 167 Published by SCHOLINK INC. Underlying this could be defectively designed business processes and incentive systems, and a lack of training provided to employees involved in sales. Risks could be further increased where in the design of its product structure, an institution makes insufficient preparations for the needs of its customers, as a result of which the products sold will not be suited to meet those needs, and may indeed lead to customer detriment.
For the purposes of this paper, corporate cultural effects and processes are construed as including issues relating to responsible governance and organisational processes. Namely, conflicts of interest also arise at the level of senior management, with management responsible for governance undertaking decisions that do not serve the institution's long-term interests.
In situations of ineffective competition, customers are provided access to the product in question at a price that is higher, and under terms that are less favourable than what is appropriate. This could primarily result from cartels of financial market participants, and violations of trade secrets.
In the context of responsible corporate governance, a special mention is warranted of the heavy penalty being increasingly provided on the internet, the lending process is becoming automated, and new participants are entering the market with alternative banking services. Losses may be incurred due to the fact that for the time being, regulations in new areas are insufficient, and are easily evaded as a result.
Changes in the regulatory environment present a challenge for participants in the financial market, because although information on most future regulations is available sufficiently in advance, experience is that there are changes for which organisations have no means to prepare.
In Hungary perhaps the greatest loss incurred by the banking sector in recent years was caused by legislative changes aimed at the rescue of foreign currency debtors. Losses resulting from the Settlement Act, the forint conversion of foreign currency loans, and revenues lost as a result of the Fair Banking Act were all legislative changes for which financial institutions had not been prepared at the time of lending.

The Position of Managing Conduct Risk in the Operational Risk Framework
The section below aims to explain, along the requirements set in the CRR and ICAAP manual published by the MNB (MNB, 2017), the possible means of managing conduct risk, and to place those means in the operational risk management framework. As conduct risk should be assessed within the scope of operational risk, its management framework should also be designed in alignment with and closely integrated into the operational risk framework. Essentially, the CRR defines three approaches to the calculation of capital requirement for operational risk (Note 1), of which the Standardised Approach (TSA) and the Advanced Measurement Approach (AMA) require regulatory authorisation, while the Basic Indicator Approach (BIA) does not. To apply an approach that is subject to authorisation, institutions are required to meet quantitative and qualitative criteria, including in particular the design and operation of a comprehensive and integrated operational risk framework. With regard to the fact that operational risks can primarily be managed using qualitative methods, as a first step an overview is appropriate of the possible ways to incorporate conduct risk management into the qualitative criteria related to the application of the standardised and advanced measurement approaches.

Qualitative Tools for the Management of Conduct risk
As seen in Section 2, the definition of conduct risks is complex, and their sources are extremely diverse, whereby the identification and subsequent management of such risks become a complicated task. It has also been pointed out that except for advanced measurement approaches, conduct risks cannot be managed with quantitative methods. By providing for responsible corporate governance and internal regulations, and through the design of product structures, and continuous risk monitoring, qualitative tools enable institutions to assess their conduct risks and manage them adequately.
The qualitative elements of the operational risk management framework include the collection and analysis of internal loss data, the definition and operation of key risk indicators, the risk self-assessment and scenario analysis process, and the formulation and continuous assessment of mitigation actions. Within the framework, a reference point for operational risk management is provided by the overview of the roles and responsibilities of process participants.
Among the roles, responsible governance ranks as the highest in importance, because managers have the rights and powers to ensure the operation of the framework, and to provide the foundations for the commitment of other employees. As seen in the examples, it is essential that the senior management of a firm should be committed, and that it should act with long-term objectives in mind rather than short-term gains. For that purpose, it is paramount for managers to be aware of the sources of potential losses, and to be informed on a continuous basis about current risks.
However, in addition to senior management, several other roles can be identified within the organisation that are integral parts of the operational risk management framework. The organisational unit in charge of fraud management is responsible for the identification and survey of internal fraud incidents, as well as for the adoption of the measures required to mitigate the damage incurred and to prevent reoccurrence.
Conduct risks can often be identified on the basis of customer feedback, which implies the need to allocate significant resources to the continuous assessment and analysis of complaints by dissatisfied customers. Apparently, apart from supporting customer retention, through the development of a detailed understanding of legitimate and ungrounded complaints, the complaints management process also enables the prevention of the root causes underlying information asymmetries, and the consequent lack of confidence and deterioration in customer satisfaction.
Of particular note is the role of Internal Audit, the employees of which are responsible for the comprehensive control of the risk management framework through thematic audits and by providing controls incorporated into institutional processes. Adequate internal audit arrangements enable the organisation to mitigate its losses from negligence, inappropriate business conduct, and wilful damage.
As mentioned earlier, conduct risks may also result from inadequately designed products and process deficiencies. In the course of product design, particular attention is required to ensure that customer needs are adequately assessed. The level of information asymmetry may increase where the products involve parameters of low transparency and a complex cost structure. The situation is worsened where cancellation or product switching is made difficult, or involve excessive costs to customers.

Inappropriate decisions could lock customers in difficult financial situations for up to several years, and
where the possibilities of exiting such a situation are limited, or nonexistent due to aggressive customer retention or mandatory product bundling, this could easily lead to the financial default of the customer.
In product development and sales, institutions should seek to ensure that their interests are not enforced to customers' detriment, and that they do not abuse their dominance resulting from their higher financial capabilities.
For the control of the products launched by institutions and of the related sales processes, we recommend the implementation of a product inventory document. We consider that in order for decision makers and auditors to develop an adequate understanding of the conduct risks associated with individual products, a list including the potential risks in each product needs to be created and maintained on a regular basis. In alignment with the structure described in Section 2, the product inventory should include the following data: a) To assess inherent risks so that the institution offers each customer the appropriate product: basic product information, unique product varieties, related products and services, parameters suitable to deceive customers, sales channels; b) To mitigate the risks from the specificities of financial institutions: the conflicts of interest arising, remuneration structures, potential aggressive sales situations, customer complaints, product switching and terms of cancellation; c) To mitigate the risks in the external environment: applicable legal regulations and any relevant amendments foreseen, previous fines, supervisory instructions, and relevant IT innovations.
With regard to conduct risks, the collection of internal loss data is important because, as will be discussed in detail in Section 3.2, capital requirement approaches based on advanced models rely on validated loss data, which are also required for the analysis of the other components of the qualitative framework.
Financial institutions use key risk indicators to assess and monitor the risks in their internal and external environments. Given the complexity of identifying conduct risks due to the diversity of loss sources, the use of specific key risk indicators could support institutions in the assessment and mitigation of risks. Among other uses, the indicators enable the continuous monitoring of internal fraud incidents, the customer complaints received and the effectiveness of complaints management, the handling of legal action, and the fines received. It is to be noted that it is not only legitimate customer complaints that are suitable to predict losses, but also ungrounded complaints, because an increase in the number of complaints filed could indicate deficiencies in a product or process which may lead to a higher level of customer dissatisfaction.
The next qualitative tool in the advanced approach is the assessment of uncertainties in the business environment, and the assessment of the effectiveness of the processes and controls implemented, i.e.
self-assessment. The analysis of loss events that have occurred and the identification of loss sources that could occur in the future both rely on the data collected internally, as supplemented by information provided by external databases, media coverage, and key risk indicators. In order to reduce the occurrence of conduct risks, institutions should seek to ensure that the scope of their self-assessments includes all relevant processes, external and internal regulations, and their effects. The results of self-assessment also provide input to scenario analyses and mitigation actions.
As part of the process of scenario analysis operational risk events of low frequency but with a tendency to involve major losses are identified and surveyed, and the extent of the possible losses is estimated.
As shown in the examples listed above, in many cases conduct risks arise in the form of single events involving major losses. Accordingly, it is appropriate that institutions should develop scenarios that estimate the effect of potential conduct risks, and also provide guidelines to reduce the probability of their occurrence. With regard to the fact that scenarios are typically developed along the Basel categories, conduct risks are best captured along the event types internal fraud and clients, products and business practices (types 1 and 4, respectively), but it also to be noted that other event types may obviously also involve relevant losses (e.g., in the form of fines). As regards internal fraud, the scenarios should include loss events occurring as a result of deficiencies in controls or processes.
Scenarios concerning business practices such as defective products and the process of product launch and sales should assess the risk of losses from legal compliance, aggressive sales, misinformation, possible fines and damages to customers. It is also recommended that reputational risk events be also incorporated through customer complaints, negative media coverage, and loss of customer confidence.
The risks identified by means of self-assessment and scenario analysis should be managed by institutions through mitigation actions an action plans in order to minimize the losses incurred, and to reduce the probability of the future reoccurrence of the event concerned. A key task is to present the risks identified and the ways to mitigate them to management on a continuous basis, since management requires detailed and up-to-date information to make responsible decisions.
This section has shown that the management of conduct risks fits in well with the operational risk framework. The accurate collection of internal data, the definition of specific key risk indicators, the extension of self-assessment and scenario analysis, and the adoption of the related measures support organisations in the timely identification of risks, and in dampening their loss effects.

Links between Conduct Risks and Capital Requirement
In this section, an attempt is made to assess the effect of loss events associated with conduct risk on capital requirement, and to offer possible methods for giving adequate consideration to these events for the purposes of capital requirement calculations. Already mentioned in the foregoing, the BIA and TSA approaches to the quantification of capital requirement are based exclusive on institutions' gross revenues, and as such they do not allow conduct risks to be taken into account.
Accordingly, for the purposes of this paper the assessment was carried out using the internal models of three Hungarian financial institutions, and owed to regular ICAAP reviews conducted annually, all relevant data (Note 2) were available for the full reconstruction of the internal models. With regard to Pillar 3 of the Basel regulations setting out disclosure requirements, and to the fact that the decisions authorising the use of the advanced measurement approach are publicly accessible on the MNB's website (Note 3), we used the models of the following three institutions that have adopted AMA: OTP Group, FHB Group and Budapest Bank Zrt. However, also having regard to the fact that the methodology and structure of the internal models, and the capital requirements quantified through their use are not public, we have dispensed with the presentation and comparison of the specific models. For that reason, the purpose of the analyses below is limited to impact analysis, and our results are presented mostly in the form of percentages without abusing confidential business and banking information.
A prominent conduct risk event that concerned all financial institutions and required a special approach to the management of operational risk involved losses from compliance with legislation aimed at the rescue of foreign currency debtors (Note 4) (hereinafter: losses related to foreign currency loans).
Regarding the loss events concerning foreign currency debtors, the MNB has previously adopted the position (MNB Circular 2015) that the loss events would have to be included in institutions' loss databases, but would only have to be considered indirectly under scenario analysis in the models used by institutions for the quantification of capital requirements. The MNB refers to two reasons for the indirect treatment in models: first, the loss is considered as a single and presumably non-recurring event, and second, direct treatment would be unfair on banks that have adopted advanced approaches compared to those applying the BIA or TSA approach.
With regard to the foregoing, as a solution that respects the principles of equal treatment and proportionality, in alignment with Section 257 of the EBA Guidelines (EBA, 2014), the MNB considers that conduct risks should be taken into account in a forward-looking manner. That is, the risk of infrequent but severe conduct risk events, including losses related to foreign currency loans, should be assessed by institutions as part of scenario analysis, and for internal models additional capital requirements should be allocated on the basis of scenario analysis results rather than taking such risks into account on the historical part.
This paper seeks to answer the question whether for institutions with internal models, taking into account losses associated with the event concerned on the historical part of the model would actually have led to a significant amount of additional capital requirement. To answer that question, we ran the internal models of the three banks referred to above in two ways each: a) by taking into account the losses related to foreign currency debtors as stated by the supervised institutions, we re-estimated the fitted distributions for all model segments that included the category comprising the Retail business line and the Clients, products and business practices event type, given that the Circular referred to above classified the loss in question into that category. Where in the internal model an upper threshold parameter is applied, we left its setting unchanged; b) similarly to the previous point, we re-estimated the parameters of the fitted distributions, but set the upper threshold at the level of the loss event in question.
Before presenting the results, it is appropriate to clarify the role of the upper threshold as a model parameter. In AMA models, the upper threshold is an upper limit on the loss events simulated, i.e., a parameter that ensures that no loss is simulated above a certain economically plausible level of loss.
The upper threshold therefore restricts individual simulated losses to an economically relevant range. In our opinion, the above two options are needed for the purpose of our calculations because in the case of Option (a), even if losses related to foreign currency loans are taken into account in fitting the severity distribution, this will effectively have no impact on the capital requirement, because in the simulation the upper thresholds prevent the loss effect of the event in question from being realised. That is, by applying upper thresholds we artificially restrict the simulated values to a considerably narrower interval relative to the loss effect of the event in question, thereby underestimating the real effect that the loss event in question has on capital requirement. This is adjusted in Option (b), where the upper thresholds are set at the level of losses related to foreign currency loans, i.e., it is possible for the banks to realise an event of similar severity in the simulation. The relevant results are shown in the chart below, where the three institutions referred to are marked A, B and C.

Currency Loans
Source: authors' calculations. Figure 1 shows that by taking into account losses related to foreign currency loans in a way that the upper threshold parameter is left unchanged, i.e., the loss event is only taken into account for the purpose of determining the parameters of the severity distribution fitted, no material capital requirement add-on is obtained for any of the institutions. If, by contrast, the upper threshold parameter is set in each model as the loss incurred by the institution from the occurrence of the event in question, the effect is obviously significant: the capital requirement has almost doubled for Bank "A", and multiplied by more than 2.5 times for Bank "C", and by nearly 7.5 times for Bank "B". In the case of Bank "B", the increment that is significant even in comparison to the other two institutions is attributable to methodology. For the purpose of AMA modelling, the severity distribution fitted to loss events classified into specific model segments are frequently modelled by institutions in two "tranches", whereby a less fat-tailed distribution (Note 5) is fitted to less severe but frequent losses, and a fat-tailed distribution (Note 6) to severe but infrequent losses. For Bank "B", relative to the other two institutions the tail distribution was modelled on a considerably larger number of internal data, as a result of which the parameter of the frequency distribution estimated for the events on the tail is significantly higher compared to the other two banks. This means that in the case of Bank "B" the calculation of capital requirement involves a much larger number of simulated events from the tail of the severity distribution (following the adjustment to the upper threshold) relative to the other banks, which results in a significant capital requirement add-on. The foregoing clearly shows that if internal models had given adequate consideration to the losses related to foreign currency loans, this would have meant a significant capital requirement add-on for entities using internal models. Overall, it is therefore apparent that the principle of proportionality would indeed have been breached if entities using internal models had been required to give adequate consideration to the event in question for the purposes of capital requirement calculation, whereas for entities that adopted BIA and TSA approaches, the event in question would not have resulted in a capital requirement add-on, given the independence of their capital requirement calculations from the amount of the losses incurred.
In the following, we examine the extent to which institutions' capital requirements for operational risk is determined by conduct risk events, excluding losses related to foreign currency loans in compliance with the expectation formulated in the MNB's Management Circular, and the share of such events within capital requirements. Again, this question is only relevant to financial institutions applying internal models, because the level of capital requirement in entities adopting BIA and TSA approaches is considered independent of the number and magnitude of loss events associated with conduct risk.
In the course of annual ICAAP reviews, we found that pursuant to the EBA interpretation currently available (EBA, 2014), which cannot be considered as comprehensive, financial institutions tend to identify conduct risks against different sets of criteria compared to one another. Of the three institutions examined above, the definition used by Bank "A" for conduct risk is the closest aligned with the practice that we considered to be the best; therefore, for our calculations we relied the internal loss events of Bank "A" related to conduct risk. For calculation purposes, we had opted against excluding conduct risk events from modelling, and thus identifying the reduction in capital requirement as the effect of the events of the type in question. There are two reasons for this. First, in AMA models, conduct risk events are potentially classified into multiple segments based on the segmentation used by the institution, as a result of which the exclusion of the events in question could materially change the parameters of up to several severity and frequency distributions; and second, where the institution accounts for a diversification effect among model segments, the above practice would also eliminate the diversification effect accounted for among conduct risk events, as a result of which the results would no longer be comparable. Therefore, to ensure comparability, we opted for the use of AMA to estimate the capital requirement separately for the filtered conduct risk events, which we projected onto the institution's non-diversified capital requirement on grounds that in accounting for diversification among model segments, diversification may also occur among conduct risk events. In our view, the capital requirement estimated only for conduct risk events is comparable to the total non-diversified capital requirement for operational risk, and their ratio affords a conclusion as to whether the event type in question accounts for a significant part of the capital requirement.
In respect of the conduct risk events of Bank "A", for modelling purposes we relied on the methodology proposed by MacDonald-Scarrot (2012): using the result of the Hill estimation, we divided the losses associated with the event type in question into two groups according to severity, and fitted a less fat-tailed (lognormal) distribution to events in the segment of less severe losses. To events in the segment of severe losses, we fitted a fat-tailed Pareto distribution, which is the distribution indicated by the thresholdproduced by the Hill estimation for events above the threshold. For each of the two segments, we also estimated a frequency distribution, for which we used a one-parameter Poisson distribution due to its ease of treatment. From the two pairs of severity and frequency distributions thus estimated, we used Monte Carlo simulation to derive the annual loss distribution, the 99.9 th percentile of which was established as the capital requirement in accordance with the Basel provisions. Projecting the capital requirement thus obtained to the total non-diversified capital requirement of Bank "A" for operational risk produces a ratio of 10.92%. For a better interpretation of the result, it is to be noted that in the internal loss event database of Bank "A", conduct risk events account for a mere 1.66% of all loss events, whereas calculated in terms of severity rather than the number of items, the same ratio comes to 12.44%, i.e., 12.44% of all losses incurred by Bank "A" are associated with conduct risk. The foregoing therefore shows that conduct risk events are less frequent but tend to be more severe, which is why they account for a significant 10.92% of the total capital requirement for operational risk quantified using the internal model. This indicates why regulatory focus has recently shifted to losses associated with conduct risk: from institutions' perspective, such events represent exactly the type that is the most relevant in terms of operational risk management, being infrequent but involving major losses for institutions.
Finally, assuming that conduct risks are assessed in a forward-looking manner by means of scenario analysis, we wish to demonstrate the relationship of the capital requirement thus obtained to the total capital requirement for operational risk, and to the capital requirement obtained above by means of treatment on the historical part of the model. In line with the objective set, the amount of the capital requirement is again quantified on the basis of loss data from Bank "A". As part of scenario analysis, at a workshop the institution's experts in most cases provide three estimates for a process/product/event deemed to be of risk: the frequency of the process/product/event, and the average and extreme amount of loss in the event of its occurrence. As typically three estimated values are available to the modeler, in most cases the simplest possible modelling method will be used: as a frequency distribution, the Poisson distribution will be selected, because the parameter of that distribution is easily quantified on an expected value basis from the estimated frequency parameter. By contrast, as a severity distribution a lognormal distribution will be selected most frequently, because the two parameters of that distribution (µ, σ) are provided by the solution to a system of equations in two variables.
Based on the lognormal and Poisson distributions obtained by solving the above system of equations, Monte Carlo simulation can be used to produce annual loss distribution, the 99.9 th percentile of which will be equivalent to the capital requirement. For the purposes of our calculations, in the case of the parameter of the Poisson distribution, given the need for scenario analysis to capture extreme losses that have not occurred but could plausibly occur, on an expert basis we assumed a 10-year horizon during which the extreme event would occur once. Pro-rated to an annual level, this is equivalent to a frequency of 0.1, which was also used as the parameter of the Poisson distribution. In estimating the parameters of the lognormal distribution, we identified the mode as the mode of conduct risk losses in the internal loss database of Bank "A". As the extreme value included in the second equation of the system, identified as the 99 th percentile of the loss distribution in question, we set the largest conduct risk loss used by Bank "A" in its modelling. Following Monte Carlo simulation and taking the 99.9 th percentile of the annual loss distribution, we obtained the result that the capital requirement thus established accounts for 4.61% of the total non-diversified capital requirement of Bank "A" for operational risk, as opposed to the 10.92% obtained by taking into account conduct risk losses on the historical part of the model. It is to be noted that the results obtained in scenario analysis are largely dependent on the amount of the extreme loss determined by experts participating at the workshop, and on the frequency of that loss occurring; consequently, the result obtained above is best seen as a benchmark value.
The lesson learned from the foregoing is that in practice, relative to the forward-looking scenario part, the historical part of AMA models applies a much greater capital requirement penalty to infrequent but severe events. This is consistent with the objective set for each model component: the historical part is to assess the risk in events that the institution has already realised in the past, whereas the scenario part is to assess the risk in events that have not occurred but are nevertheless plausible. Note that in our view, that is precisely the reason why the loss resulting from compliance with legislation aimed at the rescue of foreign currency debtors should be treated on the scenario part of the models. As the size of the loss in question does not adequately reflect the operational risk profile of the credit institutions, treatment on the historical part would result in a disproportionate capital requirement add-on not only compared to credit institutions adopting BIA and TSA approaches, but also compared to the actual risk profiles. Therefore, taken into account on the scenario part and subject to adequately conservative parameter estimation, the loss event in question also becomes manageable in internal model, which ultimately allows an economically sensible and reasonable capital requirement to be quantified.
Finally, the interested reader is reminded of the fact that current non-model based approaches to capital requirement calculation (BIA, TSA) do not enable the quantitative treatment of loss events associated with conduct risk for the purposes of capital requirement calculation, Consequently, as already explained in the relevant section of this paper, the assessment and evaluation of conduct risks is seen by the regulator as viable essentially within the qualitative framework of operational risks, and in particular by means of scenario analysis. This deficiency concerning recognition in the capital requirement is expected to be remedied, even if only partially, by the new approach to the calculation of capital requirement for operational risk proposed by the BCBS (Note 7). The BCBS is set to develop a single approach (SMA (Note 8)) to replace those used to date, which has been released as a draft for the time being. Nevertheless, even that draft implies already that in the new approach, similarly to non-model based approaches, the amount of capital requirement will depend on the profitability of the institution (Note 9). According to the current draft of the regulation, conduct risks could be incorporated into SMA as adjustment factors. Where the value of the Business Indicator exceeds EUR 1 billion (BCBS, 2016), adjustments will be needed according to the size of the losses incurred. As shown in earlier sections of this paper, even a single event may represent a major adjustment factor; however, due to the high Business Indicator threshold this will only be relevant in the case of larger institutions. For smaller institutions, the management of conduct risks will continue to require qualitative methods.

Summary
This article explained the position of conduct risks in commercial banking risk management, and reminded the interested reader that the EBA has yet to develop a precise definition for conduct risks within the scope of operational risks, as a result of which specific guidelines for the interpretation of the concept are only provided by the EBA recommendation on the supervisory review process. The regulatory focus on conduct risk is explained by several factors: first, due to the inappropriate conduct of their business, in recent years institutions have incurred major losses from the regulatory fines imposed; and second, in addition to product structures that have been standardised to date, products that are designed to meet unique customer needs and represent a source of higher risk have become increasingly prominent. The paper explained that conduct risks may essentially arise as a result of factors inherent to institutions, the structure of the financial sector, and the external environment, and provided detailed examples to illustrate each case. The paper further explained how the components of the qualitative framework of operational risk management, as regulated in the CRR, can be used to manage conduct risks, namely, the ways in which the risk in question can be mitigated by means of the system of key risk indicators, scenario analysis, self-assessment, and mitigation actions. Finally, an impact analysis was conducted using the AMA models of three Hungarian institutions, which led to several key conclusions. First, it became apparent that taking into account the losses from compliance with legislation aimed at the rescue of foreign currency debtors in internal models would in fact have resulted in a disproportionate capital requirement add-on for institutions using models compared to institutions calculating non-model based capital requirements, as released in the MNB's Management Circular. Second, an explanation was provided for the regulatory focus on the type of risk in question from a quantitative perspective: in the internal loss database of an institution, the number of conduct