Memorandum from Paul Moore, Ex-head of
Group Regulatory Risk, HBOS Plc
1. MY BACKGROUND
1.1 I was Head of Group Regulatory Risk (GRR)
at HBOS between 2002 and 2005. I reported to the CFO, Mike Ellis.
I had formal responsibility for the bank's policy and oversight
of executive management's compliance with FSA regulation.
1.2 From an FSA perspective, I was the Approved
Person at the relevant time for the Control Functions 10 (Compliance
Oversight) and 11 (Anti Money-Laundering).
1.3 Prior to joining HBOS, between 1995 and
2002, I was a Partner in KPMG's Financial Sector Practice in London
specialising in regulatory services where I advised quite a number
of FTSE100 clients on regulatory matters.
1.4 I have been involved in UK Financial Sector
regulation since it began in 1986. I am a Barrister by profession.
2. EXECUTIVE SUMMARY
I WISH TO
2.1 My evidence relates to all sections of the
Committee's Terms of Reference but is drawn specifically from,
and relates specifically to, my personal experiences at HBOS.
2.2 The main points I wish to make are these:
2.3 I believe that there are important general
lessons to be learned from my personal experiences as a risk and
compliance professional at HBOS and elsewhere that could assist
the Committee and others in the public policy debate about what
needs to be changed in the governance and regulatory system to
help to ensure that the same risks are mitigated in the future.
2.4 In order to draw out the general points
that need to be made, it is necessary to tell at least a part
of the rather complex personal story that occurred at HBOS and
I request the Committee's forbearance with this because it draws
into sharp focus the lessons about the crucial importance of really
effective governance. I give a short summary of the key facts
of my story at HBOS in this section (2.12 to 2.19 below) and add
some further factual information that I would like the Committee
to consider in section 3 below.
2.5 The key general points I wish to make are
2.6 In my view, as an experienced risk and compliance
practitioner, the problem in finding the real cause of the banking
crisis is being made more complex than it needs to be.
2.7 I believe that we are missing the wood for
the trees and that the key solutions to prevent such an event
happening again are simpler than we think. In relation to policy
changes, I make some short recommendations that the Committee
may wish to consider in section 4 below.
2.8 But let's start with the cause and this
fairly obvious proposition: even non-bankers with no "credit
risk management" expertise, if asked (and I have asked a
few myself), would have known that there must have been a very
high risk if you lend money to people who have no jobs, no provable
income and no assets. If you lend that money to buy an asset which
is worth the same or even less than the amount of the loan and
secure that loan on the value of that asset purchased and, then,
assume that asset will always rise in value, you must be pretty
much close to delusional? You simply don't need to be an economic
rocket scientist or mathematical financial risk management specialist
to know this. You just need common sense. So why didn't the experts
know? Or did they but they carried on anyway because they were
paid to do so or too frightened to speak up?
2.9 What my personal experience of being on
the inside as a risk and compliance manager has shown me is that,
whatever the very specific, final and direct causes of the financial
crisis, I strongly believe that the real underlying cause of all
the problems was simply this - a total failure of all key
aspects of governance. In my view and from my personal experience
at HBOS, all the other specific failures stem from this one primary
2.10 In simple terms this crisis was caused,
not because many bright people did not see it coming, but because
there has been a completely inadequate "separation"
and "balance of powers" between the executive and all
those accountable for overseeing their actions and "reining
them in" ie internal control functions such as finance, risk,
compliance and internal audit, non-executive Chairmen and Directors,
external auditors, The FSA, shareholders and politicians.
2.11 As I recently commented on the BBC Money
Programme called HBOS: Breaking the Bank "Being an internal
risk and compliance manager at the time felt a bit like being
a man in a rowing boat trying to slow down an oil tanker".
If we could turn that man in the rowing boat into a man with a
tug boat or even the Pilot required to navigate big ships into
port, I feel confident that things would have turned out quite
2.12 When I was Head of Group Regulatory Risk
at HBOS, I certainly knew that the bank was going too fast (and
told them), had a cultural indisposition to challenge (and told
them) and was a serious risk to financial stability (what the
FSA call "Maintaining Market Confidence") and consumer
protection (and told them).
2.13 I told the Board they ought to slow down
but was prevented from having this properly minuted by the CFO.
I told them that their sales culture was significantly out of
balance with their systems and controls.
2.14 I was told by the FSA, the Chairman of
the Audit Committee and others that I was doing a good job.
2.15 Notwithstanding this I was dismissed by
the CEO (he wrote that it was "... his decision and his alone").
I sued HBOS for unfair dismissal under the whistle blowing legislation.
Ironically, I was also the "Good Practice Manager" for
whistle blowing purposes at HBOS but could hardly report my case
2.16 HBOS finally settled my claim against them
for substantial damages in mid 2005. I was subjected to a gagging
order but have decided to speak out now because I believe the
public interest demands it.
2.17 At this point I want to stress in the strongest
possible way that I am simply not interested in blame and I don't
think it really ever works. I was ultimately fairly compensated
by HBOS. What I am very interested in is the future. As I wrote
once to my boss at HBOS itself what we need this crisis to
do for us is "to create a watershed here so we can move on
from the issues of the past (from which we can learn but not blame)
to the brave new world of the future". Although, key people
at HBOS did do wrong, I am also sure that their intentions were
usually good and, in a sense, they were also caught up themselves
in what the Greek tragedies would call the "ineluctability
2.18 Returning to my story: after I was dismissed
and to prove just how seriously HBOS took risk management, I was
replaced by a new Group Risk Director who had never carried out
a role as a risk manager of any type before. The individual concerned
had primarily been a sales manager and was a personal appointment
of the CEO against the initial wishes of other Directors. You
can't blame her for accepting the job as it got her on the Group
Management Board and shortly afterwards the main Board.
2.19 On any reasonable interpretation, this
appointment could not have met the FSA's "fit and proper"
requirements for the roles of CF 10 (Compliance Oversight) and
CF14 (Risk Assessment) which are as follows:
"In determining a person's competence and
capability, the FSA will have regard to matters including but
not limited to ... whether the person has demonstrated by experience
and training that the person is able, or will be able if approved,
to perform the controlled function".
2.20 All these matters were reported to the
HBOS Non Executive Chairman of the Audit Committee as well as
the FSA. I was given no protection or support. A supposedly "independent
report" by HBOS's auditors said HBOS were right but failed
even to interview key witnesses.
2.21 I believe that, had there been highly competent
risk and compliance managers in all the banks, carrying rigorous
oversight, properly protected and supported by a truly independent
non-executive, the external auditor and the FSA, they would have
felt comfortable and protected to challenge the practices of the
executive without fear for their own positions. If this had been
the case, I am also confident that we would not have got into
the current crisis. I believe that my personal story of what happened
at HBOS demonstrates this exactly.
2.22 To mix a few well known similes/metaphors/stories,
the current financial crisis is a bit like the story of the Emperor's
new clothes. Anyone whose eyes were not blinded by money, power
and pride (Hubris) who really looked carefully knew there was
something wrong and that economic growth based almost solely on
excessive consumer spending based on excessive consumer credit
based on massively increasing property prices which were caused
by the very same excessively easy credit could only ultimately
lead to disaster. But sadly, no-one wanted or felt able to speak
up for fear of stepping out of line with the rest of the lemmings
who were busy organising themselves to run over the edge of the
cliff behind the pied piper CEOs and executive teams that were
being paid so much to play that tune and take them in that direction.
2.23 I am quite sure that many many more people
in internal control functions, non-executive positions, auditors,
regulators who did realise that the Emperor was naked but knew
if they spoke up they would be labelled "trouble makers"
and "spoil sports" and would put themselves at personal
risk. I am still toxic waste now for having spoken out all those
years ago! I would be amazed if there were not many executives
who, if they really examined their consciences closely, would
not say that they knew this too.
2.24 The real problem and cause of this crisis
was that people were just too afraid to speak up and the balance
and separation of powers was just far too weighted in favour of
the CEO and their executive.
3. A BRIEF FACTUAL
3.1 As Head of Group Regulatory Risk at HBOS
I was required to be the Approved Person who exercises the key
significant influence function for the "Controlled Function
10" ie "compliance oversight". This role requires
the incumbent formally to oversee the adequacy and effectiveness
of the systems and controls in place around the entire HBOS Group
for ensuring compliance with FSA requirements. The role is rightly
regarded by the FSA as an important safeguard of the firm's compliance
with the regulatory regime.
3.2 By its very nature the role of Head of GRR
requires the incumbent to challenge the HBOS Group in relation
to any aspect of its systems and controls, where those systems
or controls are, or may be, inadequate to ensure that the Group
complies with FSA requirements. In addition, he is required to
raise challenge in relation to the way in which approved persons
carry out their responsibilities and, in particular, in relation
to their integrity, due skill, care and diligence. Failure to
raise such challenge in appropriate circumstances would not only
be a dereliction of duty to HBOS but could also lead to personal
disciplinary action against the incumbent by the FSA.
3.3 It follows that there is a natural tension
between the need to raise legitimate challenge on the one hand,
and the likely reaction of those individuals who are the subject
of the challenge. There is also the risk that the individual who
raises the challenge will be criticised for the style or tone
of the challenge.
3.4 During my period as Head of GRR at HBOS,
at the beginning of 2004 the regulatory risk profile of HBOS was
higher than it had ever been; and higher than the Board's appetite
for such risk should have been. By November 2003, the FSA had
assessed key parts of the Group as posing high or medium-high
risks to the achievement of its statutory objectives of maintaining
market confidence and protecting consumers. They wrote that they
were concerned that "... the risk posed by the HBOS Group
to the FSA's four regulatory objectives is higher than it was
3.5 The FSA also wrote in relation to the Halifax
(called "Retail") "There has been evidence that
development of the control function in Retail Division has not
kept pace with the increasingly sales driven operation ..."
and "There is a risk that the balance of experience amongst
senior management could lead to a culture which is overly sales
focused and gives inadequate priority to risk issues".
3.6 My operating plan for GRR was accepted by
the Group Audit Committee and the FSA. That stated that there
were three prerequisites for success. These were:
"The strength, depth and quality
of our relationships and communications with the FSA. This requires
much more work so that all the requisite parts of the group are
working in harmony, with one strategy and a completely different
level of coordination ..."
"The credibility of Group Risk
functions operating as a truly effective second line of defence.
This depends on the standards and policies they set, the depth
and quality of the oversight they perform and the strength of
the relationships they have which allow them to provide functional
and technical leadership. But even more important, it will depend
crucially on the FSA's confidence in this work".
"The demonstrable and enthusiastic
engagement of the operating divisions in the work carried out
by Group Risk functions".
3.7 It is impossible and would be inappropriate
in this memorandum of evidence to set out more than the very briefest
summary of the evidence of what happened during that period. It
was a very busy time and the facts are very complex. Our focus
was specifically to improve the regulatory standards and policies
of the Bank and increase the depth and quality of the oversight
my department performed. In particular we focused our attention
on compliance with the FSA's first three Principles for Business.
| 1 Integrity | A firm must conduct its business with integrity. |
| 2 Skill, care and diligence | A firm must conduct its business with due skill, care and diligence. |
| 3 Management and control | A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. |
3.8 Suffice to say that given the circumstances, I was obliged
to raise numerous issues of actual or potential breach of FSA
regulations and had to challenge unacceptable practices and the
conduct of others in fulfilling their obligations under the Principles
for Approved Persons including very senior executives. Understandably
and however hard we tried to be polite, fair, and evidential,
the work we carried out was bound to upset some people. It was
3.9 Just to give a flavour of some of the key facts but without
providing all the supporting corroborative documentation, I can
testify as follows:
3.10 My team and I experienced threatening behaviours by
executives when carrying out its legitimate role, in overseeing
their compliance with FSA regulations. At this point I would just
like to quote from an email I sent to Mike Ellis the CFO in June
of 2004 which gives a flavour of the culture with which we had
to contend in carrying out our legitimate (and required) oversight
We have spoken at some length this morning on this and more
generally about the current issues in dealing with Retail. We
really do have to do something - and you may wish to lead this - to
change the whole tone of engagement. This is not a battle of wits
but a joint attempt to do what is right for the organisation.
Yes, now that people with a huge amount of external experience
are now accountable in GRR for oversight, it is not surprising
that the level of enquiry is going to be more detailed - that
is to be expected ... and actually welcomed.
Some behaviours are going to need to change, particularly
the sentiment that constantly questions the competence and intentions
of GRR carrying out its formal accountabilities for oversight
plus the ever present need to be able to prove beyond reasonable
doubt as if we were operating in a formal judicial environment.
The more we adopt this approach, the more adversarial it all becomes,
the more emotional it becomes, the more personal it becomes and
the worse the relationship becomes. It becomes a vicious circle
which needs to be broken. We need you and Andy [Hornby] to intervene
here to create a watershed here so we can move on from the issues
of the past (from which we can learn but not blame) to the brave
new world of the future. Actually, the responsibilities for getting
into the current position are held all around the organisation
and not just in Retail ... and I include Group Risk functions
in this. What would be absolutely fatal would be if there was
ever a perception - explicit or implicit - that different
parts of GF&R took different views. Then you get the "divide
and rule" happening. We must all be as one and communicate
We will get there but there will also be some pain in the
process of change.
3.11 The CFO to whom I reported failed constantly to provide
adequate support when issues arose.
3.12 He strongly reprimanded me for suggesting at a Group
Audit Committee that a person with my role should be protected
by having a direct reporting line to the non-executive in case
they had to raise criticisms of the executive.
3.13 He (along with others apparently) strongly reprimanded me
for raising issues relating to a "cultural indisposition
to challenge within certain parts of the firm" when reporting
to the Group Audit Committee. I said - "I would not want
the Committee to be under any illusion as to how strong the tensions
were as GRR carried out its oversight work and I have to say that
there have been some behaviours which I would consider to be unacceptable".
The KPMG Audit Partner told someone who reported back to me that
he thought I had a "death wish" following this meeting.
3.14 The Company Secretary failed to minute crucial comments
I made at a formal Board Meeting which I attended to report on
a detailed review that Group Regulatory Risk had carried out to
determine whether the sales culture at HBOS had got out of control.
It had. The minute should have read
"That from a strategic perspective, very careful consideration
should be given [by the Board] in the development of Retail's
operating and strategic plans as to exactly what level of sales
growth is achievable, given current capacity, without putting
customers and colleagues at risk".
When I raised this with the CFO he suggested in writing that
I would be wrong to request an amendment. He wrote:
HBOS minutes are not a record of verbatim comments as this
would be incredibly time consuming and repeat a lot of what is
in the agenda papers and, therefore, a matter of record. We encourage
open discussion at meetings and wouldn't wish people to be speaking - just
for the record. If there is something important that is said and
not covered in documents of record - then it should be minuted - but
I thought that the Board minute was OK. You should be under no
doubt that we do and always will adopt proper procedure. I can't
comment on the Retail RCC as I wasn't there.
If you have concerns, I suggest that you discuss the same
with the Company Secretary (ie Harry Baines not his secretary
Pamela) who can advise you more fully on the minuting process.
The Board minutes for July were approved at the September meeting.
3.15 I was strongly reprimanded by the CFO for tabling at
a Group Audit Committee meeting the full version of a critical
report by my department making it clear that the systems and controls,
risk management and compliance were inadequate in the Halifax
to control its "over-eager" sales culture. Mysteriously,
this had been left out of the papers even though I had sent it
to the secretary. When I sent it out as a late paper to the distribution
list for the Group Audit Committee papers, he wrote as follows:
This really looks bad and just look at the circulation list!
There was no need to attach the appendices to your report in the
first instance as they have already been seen/made available to
all Board members. But if you were going to do so we ought to
have got it right. People will be wondering why we are circulating
separately a document they've already seen - it looks like
we're making an issue of it when we're not.
3.16 I was making an issue of it! The Chairman of the Group
Audit Committee thanked me for tabling the full version of the
report and said that he now understood how serious the issues
3.17 As I have said, it is not surprising with all the difficulties
that there were going to be people who would be upset. In a sense,
the very nature of challenge is this and openness to challenge
is a critical cultural necessity for good risk management and
compliance - it is in fact more important than any framework
or set of processes.
3.18 Notwithstanding the difficulties we had faced, Group
Regulatory Risk received excellent feedback from almost all quarters
for the work it had done including:
The FSA were positive and said on 26 November
2004, "Our relationships with GRR in particular have been
good ... We are quite comfortable to rely on GRR - and that is the
Mr Tony Hobson the Chairman of Group Audit Committee
said in November 2004 that he could not "believe the turn-around
in our relationships with the FSA".
MORI reported that the major organisational change
in GRR had been effected highly successfully.
PwC concluded in a report on the effectiveness
of risk management at HBOS that "We have been impressed with
the limited number of senior personnel that we have interviewed
in GRR". I was amongst those they met.
On 30 November 2004, another main Board Director
wrote "An excellent year all round building on a similar
result in 2003". On 30 November 2004, Mr Tony Hobson added
to this, "Thanks for the opportunity to contribute and to
see your views [on GRR]. Very helpful. It's obviously very positive
feedback for Paul and the team and I can only reiterate your positive
3.19 Notwithstanding the positive feedback, as explained
in section 2 above I was then summarily dismissed (portrayed as
"redundancy"). James (now Sir) Crosby, the then CEO
of HBOS contrary to HR policy, HBOS's own internal ethics policy
called "The Way We Do Business" as well as all other
principles of fairness (let alone employment law) wrote - "The
decision was mine and mine alone". He said that I had lost
the confidence of key executives and non executives but refused
to explain why. I claimed that my dismissal was unfair and that
I had a claim both for unfair dismissal and for a claim under
s.48 of the Employment Rights Act 1996. In other words, I had
a "whistle-blowing claim" under that Act for raising
3.20 HBOS finally settled my claim against them for substantial
damages in mid 2005 and I signed a gagging order at the time in
our settlement agreement.
3.21 As I stated above in section 2 above, a supposedly "independent
report" by HBOS's auditors said HBOS were right but failed
even to interview key witnesses. No doubt they and the FSA would
rely upon this report. In relation to this report, you should
be aware that, following the very first response to the report
from my lawyers and me which challenged it vigorously, HBOS settled
within a very short time.
3.22 As referred to in section 2 above, on my unfair dismissal
a person was appointed as Group Risk Director who was an ex sales
manager who had no experience of risk management or compliance.
I have already referred to this in some more detail in section
2 above. This was a personal appointment of James Crosby and some
might question whether this fulfilled his fiduciary duties as
a Director under Company Law or Principle 2 and 3 of the FSA's
Principles for Business set out above.
3.23 My concerns on this appointment were reported to
the FSA but despite the clarity of their guidance on assessing
fit and properness (see section 2 above) they permitted the individual
concerned to become an Approved Person. It is extraordinary in
my view that the FSA permitted this, when this role is so important
to the fulfilment of their statutory objectives. Maybe they felt
constrained as James Crosby was a non executive director of the
FSA at the time?
3.24 One final interesting but telling anecdote of my personal
story relates to Charles Dunstone (founder of the Carphone Warehouse).
Charles was a non-exec director of HBOS which made good sense
given their strategy of turning the bank into a retailing operation.
He is clearly an outstanding business leader. But, strangely,
he was also appointed to be the Chairman of the Retail (Halifax)
Risk Control Committee (a divisional audit committee). He admitted
to me that he was very friendly with Andy Hornby and that they
met quite often socially. Of course, he was supposed to be challenging
Andy Hornby. He obviously had no technical competence in banking
or credit risk management to oversee such a vital governance committee.
Another HBOS non-exec said to me one day of him and his role "Well,
they got that appointment wrong, didn't they". Even more
extraordinary than this, Charles Dunstone himself admitted to
me and my colleague one day words to the effect that he had no
real idea how to be the Chairman of the Retail Risk Control Committee!
3.25 This just shows how little real regard HBOS had for
the importance of the non-executive roles. It is also probably
in breach of Principles 2 and 3.
4. SOME RECOMMENDATIONS
4.1 A very short summary (and not yet fully thought through)
of the list of some of the policy points which arise out of my
experience which need to be debated are as follows:
4.2 Remuneration and performance management of exec ... eg
regulatory sign off, bonuses held in a trustee account over longer
time frames to ensure short termism does not take hold.
4.3 A more detailed policy and rules which allows the FSA
to test the cultural environment of organisations they are supervising
eg tri-annual staff and customer survey. There is no doubt that
you can have the best governance processes in the world but if
they are carried out in a culture of greed, unethical behaviour
and indisposition to challenge, they will fail. I would now propose
mandatory ethics training for all senior managers and a system
of monitoring the ethical considerations of key policy and strategy
decisions within the supervised firms.
4.4 Much more formal qualifications and competencies for
risk managers and compliance professionals so that only fit, proper
and competent people can be appointed as CF10, CF11 and 14 - Compliance
Oversight, Anti-Money Laundering and Risk Assessment. These roles
are becoming as important as CFO role and need something like
the ICA/Institute of Actuaries to regulate their training and
4.5 Regular formal independent audit of risk management,
compliance and internal audit functions to keep them honest - and
to make them feel they will be backed up/protected if they do
their jobs properly and cause a bit of inevitable friction.
4.6 Risk management and compliance with at least an equally
weighted reporting line to a non-exec with sufficient time and
profile to balance the executive. The non executive need to be
"executive" in relation to their primary accountability
of overseeing the executive. No person responsible for a key internal
control function can be dismissed without a full and minuted meeting
of the non-exec and the incumbent must be given a right of reply.
The FSA should formally approve such decisions.
4.7 Much much more focus on competence and independence of
non-executives eg register of non-work social meetings, pre-appointment
investigation of "links"/potential conflicts of interest
eg cross-board connections. I'm on your remuneration committee
if you're on my audit committee, pre-appointment record of reasons
why a person is competent for a particular committee.
4.7 Much more involvement of the regulators in the terms
of reference of the statutory auditors - the level of cost
associated with formal independent audit is inadequate and needs
to be radically increased. How can a firm like HBOS be audited
for £5 million or less?
4.8 Much more rigorous and prescription of the regulation
of affordability and suitability requirements for the sale of
credit products - to prevent ordinary people who cannot resist the
temptation of getting into excessive debt.
4.9 Further development of Whistle Blowing rules to make
sure that those who raise legitimate issues are not just "bought
off" with shareholders money - the case should be reviewed
by the regulator and action taken if necessary to ensure those
responsible cannot get away scot-free.
4.10 Much much better pay for senior regulators so that the
FSA can recruit the best - pay twice as much, get four times
as much done at eight times the quality.
5. A FINAL OBSERVATION
5.1 One final observation I would make about the HBOS disaster
is this; wasn't it actually Sir James Crosby rather than Andy
Hornby who was the original architect of the HBOS retailing strategy?
At first this was good in that it purported to be a "Customer
Champion" strategy. The problem was that a reduced margin
strategy is predicated on the need for improvements in cost control
and at the same time massive increases in sales. It is now clear
that this disastrous "grow assets at all costs" strategy
was what led to HBOS's downfall and humiliating demise by the
forced acquisition by Lloyds.
5.2 Sir James is still the Deputy Chairman of the FSA and
advises the government on how to solve the mortgage crisis. Some
might now also question what his "contribution to financial
services" has in fact been when this will have led to millions
of people in excessive debt, 10,000s who will lose their jobs
and many more whose balance sheets have been impacted by the precipitous
fall of the HBOS share price - apart from the reduction in
competition in the retail financial services market threatened
by the new Lloyds Group?
5.3 Shouldn't the Committee be asking him to testify?