Parliamentary Commission on Banking Standards - Minutes of Evidence

HL Paper 27-VIII/HC 175-VIII

Oral Evidence

Taken before the Parliamentary Commission on Banking Standards
Sub-Committee D - Panel on corporate governance: below board level

on Tuesday 27 November 2012

Members present:

Mark Garnier (Chair)

Baroness Kramer


Examination of Witnesses

Witnesses: Antonio Simoes, Head of UK Retail Banking, HSBC, Marc Moses, Chief Risk Officer, HSBC, David Shaw, (Acting) Group Head of Compliance, HSBC, Paul Lawrence, Group Head of Internal Audit, HSBC, and Ann Almeida, Group Head of HR, HSBC, gave evidence.

DQ381 Chair: Good afternoon to you all, and thank you for coming along to this sitting of Panel D of the Parliamentary Commission on Banking Standards. As you know, the Parliamentary Commission was set up in the light of the LIBOR scandal, but obviously we are looking at banking standards as a whole. This Panel is looking at below board level governance, and thank you very much for the submissions that you have already made. The session will probably last between an hour and an hour and a half, if that is all right. I hope there is nothing threatening in the questions we ask you.

Mr Lawrence, I shall start with you. As head of internal audit, you are the third line of defence so you give the independent assurance function to the board. If something goes wrong, does the buck stop with you?

Paul Lawrence: I think it depends on what goes wrong, where and at what level.

DQ382 Chair: You sound like a politician already.

Paul Lawrence: I am not sure if I should, but I apologise for that.

It depends on what goes wrong, the whereabouts in the organisation and the nature of the circumstances. One would hope that, in a properly controlled and governed organisation, you have alerts that things are not working at the first effective line of defence, and then at the second. In some ways, the job of audit is really to provide an independent and objective assurance that those governance and controls are working effectively, so if audit are the unit that pick up the problem, there is probably a larger problem within the organisation. Should there be a situation where nobody in the first line, the second line, or even the third line picks it up, then absolutely, I would feel responsible for not having a good control on the risk universe of the group.

DQ383 Chair: Could you give us an example of what has got all the way through to the third line?

Paul Lawrence: What tends to happen-I shall characterise it by saying that you tend to see early warning signals when we do an audit of a particular unit, whether it is a risk framework around market risk or wholesale risk, or whether it is of a legal entity or a subsidiary at a country level, and you will start to see signs that the audit is not satisfactory.

When we do an audit, we audit two elements. We audit the control environment, which we do black or white-satisfactory or not satisfactory-and we also try to give a management awareness grade to whether we think management are escalating the issues and remediating them. What you tend to see is a snowballing of effects from some early indications in audit; and when we do testing of the first and second lines of defence, they are not operating as they should be. In my tenure in this job for the last three years, I have never seen something collapse straight and go to the third line; it tends to go through a series of early warning systems, and it is then really up to management and the various sub-committees of the board to be responsive to those signals, as and when they are delivered.

DQ384 Chair: I asked if the buck stops with you, but in some respects the buck should stop with the first line of defence, and you are really there to find out why it did not stop.

Paul Lawrence: That is one characterisation. The second line of defence, for example, through the risk function, would have a role in that as well.

DQ385 Chair: The big question that everyone is asking is: how come you guys did not see the crisis coming?

Paul Lawrence: In terms of audit in particular, if you go back to the time of the crisis, audit’s remit at that time was relatively different from the remit we have today. At that time, we were organised in such a way that the audit units were regionally based, and we articulated the risk universe of things that we would look at from largely a bottom-up type approach. What I mean by that is that we look at it geographically or by department.

Since the crisis, we have done a strategic review of what we think audit should do and how it should be positioned in the post-crisis banking world. Now, we have mirrored the internal audit organisations so that audit faces off to the various business lines-we have four global business lines-to the various functions, and to the geographies. In addition, we started to look at the risk universe from the top down, so we reversed the process. The material things that Marc, for example, would have on his risk map in terms of the risk universe he is concerned about, we would map our audit coverage to that.

Did we see the crisis coming? It is fair to say that we did not. We were in relatively good company with a number of people who did not see the crisis coming.

DQ386 Chair: But it was not entirely good company. Quite a lot of people did see the crisis coming and were actually trading on their hedge funds in anticipation of it happening. The reality was that there was quite a lot of warning out there-there were naysayers who were saying, "This can’t go on."

Paul Lawrence: That is fair. If I go back to the way in which audit was positioned, the type of work that we undertook and the type of reporting that we did back to the senior management and to the risk and board committees was not really intended, or was not positioned correctly, to find those sorts of warning signal. We have tried in the last three years to reposition it, so that we are in a much better position to articulate on what I would call current risks and also emerging risks. Also, in the interim, we have had a significant development in a more sophisticated risk function, which has bridged that gap between the first line and what was traditionally the third line of audit.

DQ387 Chair: When it comes to telling the board about what goes on, are you merely giving reports back to the board, or are you getting more useful feedback from them back to you?

Paul Lawrence: It is a bit of a two-way flow. My reporting lines are to the group chairman and to the sub-committees of two boards; I report to the chairman of the group risk committee and the group audit committee. I report to them formally on roughly a monthly or six-weekly basis, and informally I will sit down with them and take them through what I think the issues are in the organisation. From my perspective, there is a lot of traffic to the NEDs and then on to the board.

DQ388 Chair: Can you give us an idea of how much traffic? If you were sending up a board pack, how big would your board pack be?

Paul Lawrence: The board pack can range widely, from 300 pages at its smallest to possibly 1,200 pages when the annual report and accounts are in there.

Marc Moses: But that’s in total.

DQ389 Chair: If you are a non-executive director, how on earth will you be able to understand any of that? That is not necessarily a question for you, Mr Lawrence, but you see my point.

Paul Lawrence: Perhaps I should clarify. The internal audit section is probably going to be about 30 to 40 pages. Within that there will be risk sections on emerging risks and a variety of other issues that are pertinent to the board.

DQ390 Chair: What do you expect the board to do with it?

Paul Lawrence: In terms of what I deliver via the audit of risk, they have an oversight responsibility, so my sense is to give them an assurance about those parts of the group that are being controlled within the risk appetite statement and whether the controls and governance features below that are operating effectively. Where they are not, my duty is to report to them that this is where the governance and control sections are not reporting effectively; the sub-committee needs to be aware of that; and perhaps further management action is required. They will frequently act on that and either call for elements of management, which are the subject of those reports, to report on the status, or urge more action from the management.

DQ391 Chair: So you will be asking them to act on recommendations?

Paul Lawrence: We will take situations to them and they will respond to them. That quite often asks for recommendations about further monitoring or reporting.

DQ392 Chair: There is a reasonable criticism of boards that they spend an awful lot of time arguing about conclusions and about reports, but not actually implementing the recommendations, or even coming up with recommendations. Do you think that that is fair comment?

Paul Lawrence: My view is that we have to be careful about articulating what their role is. Their role is one of oversight. A lot of what they execute in terms of the execution and delegation to management is what management do. Management do not always execute effectively or properly, but it may not be the board’s fault that those things happen. So I think they have an oversight role that, actually, they do exercise and they do challenge us on a number of issues.

DQ393 Chair: But banking standards come from the board-from the top. If they are merely reading rather than acting, how do they transmit the standards back down the line?

Paul Lawrence: I think the standards are transmitted back to senior management. Perhaps Marc can talk about that.

DQ394 Chair: We will come to Mr Moses. I am specifically interested in your area.

Paul Lawrence: From an audit perspective, the way I see it is that the non-executive directors and the boards set the policy and direction and they articulate the tone that they expect from senior management. My job is to give them assurance about whether management are doing that within the risk appetite and within the strategy that is being approved. To do anything greater than provide that level of oversight and direction is probably difficult for them to do.

DQ395 Chair: How much time do you spend speaking to non-executive directors?

Paul Lawrence: I talk to them, at a minimum, either by phone or in person, once a week. To put a little perspective on that, if I may, these are at the holdings level, where we have a board and sub-committees; then regionally, we have boards in Asia-Pacific, the US, and they have their respective audit and risk committees; and each of the business lines have their audit and risk committees. So my interaction may be with up to 10 non-executive directors in different parts of the world and in different parts of the business, so it is a relatively large part of my job.

DQ396 Chair: So you do have that interaction with them?

Paul Lawrence: Yes.

DQ397 Chair: How do shareholders or your board know how good their internal audit functions are compared with other banks’-with their peers’-and does it matter to the business?

Paul Lawrence: I would like to think it matters and I would like to think that we are as good in class as our peer group. There is a number of things that we go through. Once every five years, in accordance with the Institute of Internal Auditors standards, we have an external quality assurance review, which matches us not only to the IIA standards-this year we had the review conducted by a professional body, KPMG-but to whether we are with leading practice with our peer group. It is only once every five years, but that is one methodology.

Secondly, we are quite often-

DQ398 Chair: Five years is quite a long time. You could have had two crises in five years.

Paul Lawrence: If not more, actually. It is a long time. That is one standard to which we adhere, but we also report to the audit and risk committees on a regular basis about our own performance: we give them key performance indicators about where we are in relation to the audit plan, whether we are on budget and whether we have adequate resources. We provide them with an audit plan and progress against that.

We are also quite often subject to review by various regulatory bodies. For example, recently we had a joint review in the United States by the OCC and the Fed, which was fairly thorough. So we have a number of ways in which we are examined on a reasonably regular basis.

DQ399 Chair: My final question, before we come to Susan, is how do your views on the functionality of different departments feed into the remuneration of the colleagues sitting next to you?

Paul Lawrence: It varies, and I think it is right that it varies. Some people have bigger impacts on the corporation than others-

DQ400 Chair: Do you have a big impact or a small impact?

Paul Lawrence: I think audit has a proportional impact to the role that we play in the organisation, in terms of keeping-

Chair: Again, you come to Parliament and you are being very political already.

Paul Lawrence: I would like to think it is material in terms of giving an assurance that we are running the material risks around the group in accordance with the risk appetite statement set by the board.

DQ401 Chair: The sense I am getting from you is that it does not feed in that much.

Paul Lawrence: I think it does, actually. We tend to report, largely because of the nature of the job, on an exception basis. There will be large amounts of work we do in which we say, "Yes, this risk framework is working. The controls and the governance behind it are adequate. This is working perfectly acceptably," but I would not trouble the non-executive directors and the board with reports that basically said everything was fine, so we tend to report on an exception basis.

DQ402 Chair: If you were having a meeting-one more final question-with Mr Simoes, where would you meet?

Paul Lawrence: I would invite him to my office, or we would meet in his office, or we would meet in a-

DQ403 Chair: Where did you last meet?

Antonio Simoes: Our offices are three offices from each other.

Paul Lawrence: Our offices are three doors away.

DQ404 Chair: So you are pretty much next door, but would you normally go around to his office, or the other way around?

Antonio Simoes: I last came to your office.

Paul Lawrence: People tend not to want to come to my office, or to be seen to come to my office, if I am being absolutely honest-[Laughter.] I do not have people dropping in asking me how it’s going, for a variety of reasons. I am not trying to be flippant but, seriously, if I wanted to speak to someone, I would more than comfortably ask Antonio to come to my office and chat, or I would go there. I do not think that there is anything on the hierarchy about where audit fits in.

DQ405 Chair: You obviously understand the point of the question.

Paul Lawrence: I do. My sense-if I may make a point-is that audit is all about the credibility of its standing within the organisation, and that credibility comes from the credence and support it gets from senior executives and board members. Its credibility also extends to whether it has the right business mix and skill set and the level of interaction it has with the auditee.

Chair: You are right about the hierarchy thing-it is about a perception. During the course of the questioning, we will ask you a number of questions about this type of thing, but it is to do with how the business is driven: is the business driven by the bottom line or by processes? Sometimes, little things like who goes to whose office can give a good example, but you will have picked this up, obviously, from studying closely the previous two banks we met with last week.

DQ406 Baroness Kramer: Sorry, Mr Lawrence, but I will keep going at you just for a moment or two.

Paul Lawrence: Please, feel free.

Baroness Kramer: It is just that your answer interested me, when you said, essentially, "Well, looking back at the financial crisis, we were not appropriately structured, and we were not facing off against the right parts of the business to pick that up." Surely what you were set up to do, in a sense, was to pick up issues around the product line-where products were being mis-sold or sold inappropriately. Obviously, PPI and interest rate swaps come to mind. Which line of defence missed those ones? Was it all three? What is the role of audit in something like that?

Paul Lawrence: That is a very good question. I am tempted to say, almost it is through a hindsight mirror because some of these mis-selling issues go back in history, that it probably was missed by all three, but I also think that one has to judge it by the standards that were in place at that time. It is very hard-

DQ407 Baroness Kramer: It does lead me to ask what were you auditing? It wasn’t the big things and it wasn’t the granular product; it is not like there is a lot left.

Paul Lawrence: I think it is fair to say that we were auditing at that time in a more granular way, and we were definitely at a more departmental, low level of interrogation in the organisation. We were actually auditing whether policies and procedures were being followed, but if those policies and procedures led to a bad outcome, we did not have a particular perspective on that. What I would say is that, following the reorganisation that we have undertaken, we feel much more responsible now for the quality of the outcome of the policies and procedures. That was not where we were.

DQ408 Baroness Kramer: In a sense, you were not looking at judgment; you were only looking as to whether people had taken the procedural step. Is that what you are saying?

Paul Lawrence: I think that is a fair comment. It is actually very difficult for an audit unit, based on the skill sets it had and where it traditionally was in the organisation, to pass an opinion on judgments or issues of strategy. I think your observation is correct, but we are in a better place now.

DQ409 Baroness Kramer: Is there a change in the skill set now within internal audit?

Paul Lawrence: I would say so, quite materially. In the last three years we have brought in a number of more senior people, and we have invested in the function. The investment we have had, in dollars and cents spend, is up about 25% in the last couple of years and we have brought in a number of more senior people, who have business experience or risk and control type experience. The quality of internal audit is based on its credibility with who they face off. If we have people who have been in the business or have been in the risk and control functions at a senior level, we have a much better quality of dialogue with management than we used to. We have changed quite materially in terms of the breadth and depth of people we have brought into the unit.

DQ410 Baroness Kramer: Where is that change being driven from?

Paul Lawrence: The executive responsibility for that change is mine. When I came into the function in 2010, we took a strategic revaluation of it to the group chairman and the group CEO, and clearly to the group audit and the group risk committees. We had extremely good support for repositioning audit in the way in which we did. We had the support and buy-in from the board, the NEDs and very senior management. The execution responsibility is absolutely mine.

DQ411 Baroness Kramer: Ms Almeida, I want to try to understand what motivates employees. Historically, what is your perception of the relationship between incentives and conduct standards?

Ann Almeida: It has an influence, clearly, but I would say it is not the only one. What we would call the employee proposition has very much been driven by-

DQ412 Baroness Kramer: Can I ask which way you mean that? Do you mean that incentives are only part of what shapes standards? Is that what you are saying?

Ann Almeida: Yes, but they are not the only instrument that shapes standards; there are other dimensions that shape them. Historically, what has attracted employees to HSBC is clearly its reputation, the globality of the institution and the career development that, generally, has been made available to employees in HSBC. Compensation is clearly an element of it, but it has not been the most important driver of it.

DQ413 Baroness Kramer: I find that very interesting, because most of the perception and, some might say, the reality has in a sense been the other way-in other words, good conduct does not seem to have been a major component of reward, but business generation certainly has been. I suppose my question is: if incentives have been driving good standards, how on earth did we get where we are today?

Ann Almeida: I think it varies. I would say that incentives have certainly driven poor conduct, but incentives in themselves are only part of all of the influences. I do think that the risk framework of an organisation and the values and culture of the organisation inform the conduct of individuals. The history and the expectations have a great bearing, as well as the objectives set and what is incented, rewarded or, indeed, sanctioned. All those aspects have a bearing.

DQ414 Baroness Kramer: If you are on the front line-say, you are a business generator-you have a base pay but, obviously, your variable pay is going to be a significant element for you. On what basis is that variable pay calculated?

Ann Almeida: It will be calculated primarily starting with the objectives you were set, the extent to which you have met those objectives and, importantly and fundamentally, whether your conduct and values within HSBC have met a minimum standard. We look at it in an integrated way.

DQ415 Baroness Kramer: What makes up the kind of things that define the objectives that you have to meet?

Ann Almeida: Essentially, objectives are divided between financial objectives and non-financial objectives. For example, at the group management board level, the financial objectives account for 60% of all objectives and the non-financial objectives account for 40%. In the non-financial objectives category we have the effectiveness of executing our strategy, our people, compliance and reputation. Altogether they account for 40%. As an example for us as senior management, we individually are assessed separately on our values and our conduct. We have to achieve a minimum standard before any other aspect of our performance is considered in a particular year.

DQ416 Baroness Kramer: So that is at senior level.

Ann Almeida: Yes. At other levels, values are formally expected to be taken into account, but there is not a distinct and separate process. The reason why we have distinguished senior management is that it is important to lead from the top and set a practical example.

DQ417 Baroness Kramer: Has any of that-the way that is structured-changed over the past few years?

Ann Almeida: Yes. Again, the categorisation of objectives between financial and non-financial-that is explicit. The formal requirement to take values into account-that is explicit. The requirement for senior management that a minimum standard of values needs to be achieved before anything else can be considered-that is explicit.

DQ418 Baroness Kramer: You have identified a set of values, and you said that good conduct is only partly tied to incentives. What other strategies do you use to support good conduct or values, whichever term you would use to describe them?

Ann Almeida: Right at the beginning one has to define it well and clearly, to make it coherent. What we do is encode it into our group standards manual, which enshrines all of the operating principles and with which every member of HSBC is expected to comply.

DQ419 Baroness Kramer: Roughly how many pages are in the manual?

Ann Almeida: About 200 or 300 pages, depending on the text.

DQ420 Baroness Kramer: Has anyone ever been known to read them?

Ann Almeida: We are obliged to and we have to certify that we have.

DQ421 Baroness Kramer: Sorry, that makes me think of when you go to buy something online, you have to tick terms and conditions, but I have never found anyone yet who read them. You would not seriously suggest that people work their way carefully through the equivalent of a substantial novel but with less excitement.

Ann Almeida: We all certainly do. Each of us updates our respective sections and specialisms. We very much keep it as a live document.

DQ422 Baroness Kramer: Okay, although that is stretching credulity on my part.

Roughly, what is the number of people you would hire de novo, sort of into the officer class, from graduate programmes versus hiring people from outside who might have grown up in a different culture? Roughly what percentage of your staff is home grown HSBC born and raised? Am I asking an impossible question? I am trying to work out whether there is a difference in culture between those you hire in and whose experience is essentially that of HSBC, whereas with some organisations, a significant part of the work force is trained up somewhere else. I don’t know the feel for your organisation.

Ann Almeida: Generally, we look to grow our own capability on the basis that, put simply, we look to offer a career not a position. In our formal graduate programmes in total we have maintained our levels; we have averaged 500 over the past five years. That would be what we call a direct level formal graduate entry programme. Of course, we recruit individuals with graduate qualifications, as opposed to on to a graduate programme, and HSBC has a footprint in 84 countries and territories, so our intake generally is multicultural across the range of the group.

DQ423 Baroness Kramer: Say, for example, you are going to hire a mid-level trader, who would they interview with?

Ann Almeida: They would certainly interview with their line manager; they would meet managers from outside the immediate business area; typically, they would meet a boss higher up in the hierarchy; and they would meet a member of the HR function along the way and at many milestones. Typically, they would have met with a headhunter, for example, who would have done some pre-screening to get them to the interview process. That would be a typical interview process.

DQ424 Baroness Kramer: That is rather interesting, because if you take out HR and the headhunter, which is a highly specialised role, everyone you have named is in the line. There is nobody from risk or compliance-perhaps audit may be stretching it. You realise that that is fairly unusual?

Ann Almeida: When I said that they would also meet with individuals from outside the immediate business area, that could include any one of the control functions-and, indeed, it does. That increases significantly, the more senior the position and so on.

DQ425 Baroness Kramer: I notice you did not name them, though. I am just trying to understand what role is played from that point in time. Out of curiosity, perhaps another way of coming at it is that you mentioned the headhunters you deal with as important people: do they deal directly with HR, or do they mostly introduce the name through the business units?

Ann Almeida: Historically, they used to contact the business universally, but over time we have rationalised the number of headhunters we use and in which area, and we have formal supply agreements with them, so in the main, they would be contacted by HR first and then the relevant business area.

DQ426 Baroness Kramer: Okay, so they are slightly more detached from the business units than they might conventionally have been.

Ann Almeida: Yes.

DQ427 Baroness Kramer: You have not mentioned ongoing training very much. What kind of ongoing training do you have? I am talking particularly about in the conduct area, not in the operational sales area.

Ann Almeida: We do what we call values training, and part of our mandatory training menu includes elements of values training. As an example, last year, when we formally promulgated our values, we led an educational programme all the way from the holdings board to the group management board and downwards. That covered some 60,000 people across HSBC last year; that figure will double this year. Some of our values training is mandatory, and some of it is very much part of induction training, so we keep the values refreshed as people come in. We then have specific leadership development programmes, which will always now have a values element, and sometimes we have bespoke values programmes, in particular.

DQ428 Baroness Kramer: For values, I am going back to the submission that you provided to us. It states: "Our values are:-Dependable and do the right thing… Open to different ideas and cultures… Connected to customers, communities, regulators and each other". I am fascinated by "Dependable and do the right thing"-now there’s a phrase that is open to interpretation. What do you mean by "do the right thing"?

Ann Almeida: Doing the right thing is about, in the first instance, being driven by a robust set of individual values. Effectively, the way I see that is that, at a personal level, it is the first line of defence for an organisation-clearly surpassing, if not at least meeting, all the required policies, procedures, laws and standards, and striving for a best-in-class global standard. "Dependable" is about doing it on a recurring, sustainable basis, not as a one-off.

DQ429 Baroness Kramer: If you do go through the book and read it, there you are, it says, "Dependable and do the right thing". How do you deal with the potential for somebody to read that as, "Grow profits as fast as possible; put loyalty to the group first"? How do you get your interpretation of, "Do the right thing," into the thought process and culture of the employees you were just describing?

Ann Almeida: Through a variety of ways. As I said before, we start by being explicit. The terms we use in our value statements-

DQ430 Baroness Kramer: You said "explicit", but one of my problems is that all this stuff I read is pretty opaque. What is the "explicit"?

Ann Almeida: First, we have tested the values and statements that we use within HSBC. They need to be, and they are capable of being, effectively translated into the 13 working languages that exist across HSBC.

DQ431 Baroness Kramer: I can see the language issue.

Ann Almeida: That is the first one. We give live examples of where good values have been exhibited by the corporation, or not as the case may be; by the banking sector, or not as the case may be; by individuals, or not. It is about bringing the values alive-that is the phrase we use internally. We use case studies, real and hypothetical, examples at a personal and individual level, and statistics about the numbers of individuals who have achieved our values and those who have been sanctioned. We operationalise it and give it teeth and reality in this multidimensional way. Importantly, when we educate, we frame it against different cultural contexts. How one describes and understands values in the Middle East may well differ from a more developed location.

DQ432 Chair: Mr Shaw, perhaps I may turn to compliance. In your written evidence to us, you claimed that compliance has moved away from being an advisory function to a control function. Do you want to expand on that?

David Shaw: Yes. There have been very significant changes to compliance in the last 18 to 24 months. Previously, the group was run on a more federated basis and group compliance was more advisory; in overseas locations, they operated more independently. We have changed that, so it is run from the centre. It is no longer advisory; it basically controls and assures now in a way it never did before. That is, I think, one of the lessons we have learned.

DQ433 Chair: When you say federated, are you talking about federated from a geographical point of view or from a departmental point of view? Could you expand on that? You are a big organisation.

David Shaw: Historically, HSBC is different from a number of banks in that it has separately incorporated banks in a number of major jurisdictions. It is subject to local laws; it has to comply with those to run independently. Equally, the centre has been watching and advising rather than exercising direct control over everything, because it does not know everything. We have changed that generally in risk and compliance particularly. Compliance has become much more empowered. Basically, if the centre says something now, it will go. In the past, that was not the case.

DQ434 Chair: So this is a global control function?

David Shaw: Yes.

DQ435 Chair: Can you give me an idea of what you mean by control?

David Shaw: It has to be regionalised-you cannot do it all from the centre, just because of the geographical diversity-but the people now report up directly and there is much more hands-on control and overview. If points arise where there is a difference of view about how things should be handled, what is said from the centre will go, which in the past was not very clear.

DQ436 Chair: The reason I am pressing you slightly on this is because many people reading, "Moved from an advisory to a control function," would think of advice being a sage person giving proper advice, and a control function being merely a tick-box function. That is what I am trying to clarify. What you are suggesting is not a tick-box function, but I am trying to understand how you run your compliance centrally when you have 200,000 people who work there across 84 countries.

David Shaw: There are 3,500 staff within compliance globally.

DQ437 Chair: That in itself is a big business.

David Shaw: It is.

DQ438 Chair: So what is the structure of compliance? Can you describe how your structure works within the organisation?

David Shaw: There is a group central compliance area.

DQ439 Chair: Based in-?

David Shaw: In London. That looks over regional compliance officers, whether that is in the Far East or in North America, and beneath the regional compliance officers, you have local compliance officers, so there is a clear structure.

DQ440 Chair: Are those compliance officers office-based or country-based?

David Shaw: Country or region-based.

DQ441 Chair: What about within each branch?

David Shaw: No, we have too many branches for that.

DQ442 Chair: Sure, but presumably somebody in a branch has responsibility for compliance?

David Shaw: Yes, it depends on the size of the branch.

Chair: I appreciate that.

David Shaw: Some of them are extremely small. It is hands-on, but it is very much down to the country and the particular circumstances as to what is appropriate.

DQ443 Chair: Necessarily, you are quite a long way away-obviously, if you are sitting in London as head of compliance, you are quite a long way from Queen’s Road Central, or whatever, in Hong Kong. None the less, how do you ensure that, at a branch in Kowloon, somebody is actually adhering to the ethos that you are trying to push down from the top? It is not just about ensuring that you are ticking the boxes, because you just said that it is not about box-ticking; how do you ensure that that teller on the other side of the world is actually adhering to the ethos and standards that you want to set, based in Canary Wharf?

David Shaw: I think the answer is that it has to be done by the people on the ground, but we have to set the tone from the top to the regional people that this is how it is and that they have to comply with what group says now.

DQ444 Chair: But there are a lot of interfaces there. There is the board, there is you, there is-

David Shaw: There is a compliance executive board with the top eight people, including the regional people, and committees beneath that. Certainly it has been made very clear to them and they are aware that they have a duty now to report up to the centre. If things arise, they have a duty to discuss that with the centre, and if there is any dispute, the centre will tell them what we think it should do. They are very aware of that and that is linked-

DQ445 Chair: How do you know they are very aware of that? How do you know that they are going to do this?

David Shaw: From the conversations that we have with the-

DQ446 Chair: All 3,500 of them?

David Shaw: No, from the regional compliance officers, who are the head people.

DQ447 Chair: You have a lot of links in the chain-that is my point. You have a lot of interfaces between different people. We all know from working in any organisation that Chinese whispers and all the rest of it mean that certain things from the top are interpreted very differently at the bottom. I am trying to get an understanding of how you can check-perhaps internal audit is looking at this-and ensure that it gets through.

David Shaw: I may pass this to Marc, but I think the real point is that it has been a huge change, but part of that change is linking up compliance with risk and risk and compliance working together to push down the message of how this is going to operate globally, so that we have the same standards.

DQ448 Chair: Do you want to expand on that, Mr Moses?

Marc Moses: Yes, thank you. One of the big changes that we made at the beginning of 2011 was to bring compliance into risk. The rationale behind that, as we just talked about, is that compliance was traditionally an advisory function, which meant that it interpreted rules and sent those rules out to the various legal entities. Increasingly, however, with things like anti-money laundering, transaction monitoring and sanctions, you had much more of a process; therefore, operationally, you had to be much more of a risk manager. The previous model, which was compliance to group compliance into the CEO of the country, was actually the stronger line-call me old-fashioned, but I think you are going to listen to whoever pays you. In the past, it was the CEO who paid the various functions, but now, we have global functions, so the head of compliance owns the 3,500 people across the globe. It sets policy, procedure, standards, hiring and firing, budget, and performance measuring. In that way, they know who their master is. That is really very important.

DQ449 Chair: Let me just be clear on that. You have an office in Queen’s Road Central, which is obviously a fairly substantial office, and you have a compliance officer in there who is running the compliance, but he is reporting directly to you.

Marc Moses: No. There is clearly a hierarchy, as we have talked about, so the head of compliance will have-

DQ450 Chair: Sorry. They are ultimately reporting to you, not to the bloke who runs the office.

Marc Moses: Ultimately, it all comes up to the chief risk officer. If you think about it, the head of compliance has the various heads of regional compliance and the heads of compliance within the business. The thing that I focus on more is not so much reporting lines as accountability, so people are very clear what their accountabilities are at every stage.

DQ451 Chair: If you have a compliance officer in some regional outpost who becomes pally with the chief business officer who is running that particular outpost, the compliance officer’s job, his career, his reporting lines all go back to you, so he cannot be protected, if you like, by that.

Marc Moses: Yes, absolutely, and that was the change at the beginning of 2011. That was a massive change for the firm as a whole-to have four global business lines as well as the 10 global functions and our technology department.

DQ452 Chair: How has that been received? How is that working on a day-to-day basis?

Marc Moses: I think it is working excellently. It is well embedded now.

David Shaw: I agree with that. I should have mentioned-Marc did-when I talked about the regional group, that we also have at the centre business compliance officers, so they are looking at the businesses down, as well. There is a sort of dual oversight of the various overseas operations.

Antonio Simoes: If I may give an example from my business because I think it illustrates this. Obviously I sit in London, not in Hong Kong, but in my business we have a head of compliance who reports for the entire business-the UK business-and he reports to the regional head of compliance, who then reports to David; but, as David was just saying, we also have a head of compliance for retail banking. So there are two controls both for the business and the geography.

DQ453 Chair: Different people?

Antonio Simoes: Yes. We have David Cass, who is the head of compliance for retail globally, and then we have Alan Ramsay who is the head of compliance for Europe. I have two checks even within compliance.

Marc Moses: That is a check and balance.

DQ454 Chair: So you have a matrix?

Antonio Simoes: Yes, exactly.

DQ455 Chair: That is very clear and very helpful. Thank you. As we are talking about business compliance, back to you Mr Shaw: at what point is compliance involved in the construction and authorisation of new products?

David Shaw: Again that is one of the changes we have made. There has always been a compliance input into new products, but it certainly has been beefed up in a fairly major way, particularly in retail banking, so that you have a new product committee which compliance and other support functions sit on. I think the distinguishing feature of it is that it doesn’t just look at a new product and say, "This looks all right. It complies with the rules. Thank you very much," but it has a continuing role to watch how it develops, how it is implemented, how the sales are going on and an overview of how that product is being handled. That is a very big change, certainly in the UK, and that is what we intend to do now which, looking at the terms of reference, is a considerable advance on what we had before.

DQ456 Chair: You will be involved in a commercial decision, constructing a product. Does that not change the dynamics?

David Shaw: "Involved" in that you are one of a number of people feeding input into it. You are not necessarily going to say, "I don’t agree with the commerce of that." You are going to say, "These are the important features."

DQ457 Chair: Yes, but when you have a new product, a designer comes up with something, that person is having a new baby-it is fantastic, they are very proud of it and you are there almost at the christening. The point is that you are potentially the person who will be raining on the parade and saying, "I’m sorry, but you cannot do this because it is not compliant."

Marc Moses: It is not just compliance, but the functions have an input into it, be it operations, finance or compliance and risk, and they all have to sign off on that.

DQ458 Chair: What I am getting to here is that if compliance is involved in a decision-making process to say either yes or no to a new product, to a certain extent you are moving to the front line of defence and you are not the second line of defence any more. You are involved in a room with a group of people where your entire independence of thought may be compromised by peer group pressure.

Marc Moses: So people have to have the empowerment and feel that they have the back-up from the senior managers.

DQ459 Chair: How does that work? How do you ensure that?

Antonio Simoes: Can I work through an example? We have product control committees-apologies for the jargon. At the country level, we have four committees for four different types of products: banking, protection, lending and savings. Let us take savings, because it is probably the most real one where there are quite a lot of issues of product approval and suitability. The product first gets approved within that committee, and it gets elevated to what we call the UK governance, where, as Marc was saying, both risk and compliance have to approve it, and we also have a European wealth management oversight committee, where those products go to that level. If you think of the escalation from the first product committees to the country level and to the regional level, there is a series of steps in place to make sure not only that those products are well designed-David’s point-but that they are appropriately sold. The majority of the products that get stopped, if we wish, are stopped not because of the design of the products but because of the way they are being sold or they are proposed to be sold.

Marc Moses: It is the reputational risk around these things.

DQ460 Chair: That is very important, and we are going to come to that aspect, but for now I want to stick to the impartiality element of the compliance function and the risk function. It is all to do with making sure that a decision is absolutely clear on the basis of the compliance function. I take your point about the ongoing scrutiny of this, and I want to go on to that, but what I want to really understand is how the compliance function and the compliance input into a new product is somehow stepping back and making a completely impartial and clear-headed decision, not affected by his mates, his daughter’s godfather, his golf partner, his tennis partner or any of his colleagues, all of whom, in designing this thing, want to bring wealth and return on shareholders’ funds. Compliance can be raining on people’s parades-not always, obviously, but it is very difficult-and I want to know how you absolutely have that clarity and what mechanisms you have in place to do that.

David Shaw: You could have it in a different way, where the business decides on the product, goes through the whole process and submits it up for approval. You could have that, but it is not a very constructive way of dealing with it.

DQ461 Chair: Why not?

David Shaw: Because basically it is a lot better if the input, "This does not work," comes in during the formulation.

DQ462 Chair: Why? I can see the argument, but we are trying to gather evidence, so what we are really after is clear explanations of those two processes. Why is one better than the other?

Marc Moses: One of the mantras in risk and compliance is that we are there to enable and protect. The protect bit is where we say no, and the enable bit is to work in partnership with the business to come to the right answer given our risk appetite, given our values and given our reputation. The clear thing in all of this is that you need to know where your line in the sand is that you will not cross, and the business understand that, so we build that trust with the business. There are various avenues for escalating undue pressure either to David or myself, or through our risk map. There is a number of forums in which you can raise that or escalate an issue.

It is a bit Pavlovian, but I come back down to the question: who is paying you? If you make the wrong decision, it is not the business that is paying you and it cannot influence your remuneration; it is the function. We have laid down what our standards are, what our expectation is and what our values are. Again, it is about the tone from the top: if they see that the chap at the top has the respect of the business and when he or she says no, the answer is no, that is what permeates down to the troops.

Antonio Simoes: Can I make two small comments? One is that the business needs to have that compliant attitude too. I understand your concern about the control, but I think it starts with us, as the first line, having that attitude.

DQ463 Chair: One question: do you have somebody who works on your business side who is a compliance expert that is not a compliance-

Antonio Simoes: Yes, we have a control function within the first line. They are not a compliance person-

DQ464 Chair: But he or she will be fully aware of the local rules and regulations.

Antonio Simoes: Yes, absolutely.

DQ465 Chair: So already at that point, even when you are right at the blue-sky thinking stage, you have got somebody coming in and saying, "No, actually, guys, sorry, that is really not going to work."

Antonio Simoes: Absolutely. That function-apologies for the jargon again-is called BRCM within retail, so that is the business risk function. That is the first-line control. The second thing I would say is that you would be absolutely right in your concern if all this was done at the country level, so if I were the country CEO who controlled everybody-exactly to Marc and David’s earlier point-that could happen. What is important is the regional and global business escalation, because even if I and my first line were somehow putting pressure on the different functions, those functions have reporting lines to the region, the group and through the global businesses. That is the key difference from five years ago, potentially.

Paul Lawrence: If I could add what we witness from an audit perspective, I think that the real issue here is the independence of the reporting line in compliance and in risk. In our observations, that has been materially strengthened with the advent of the global functions, which I think is the crux of the issue. That has made a material difference.

Antonio Simoes: And the reviews are done by the functions, not by the business. So we are now in that process.

DQ466 Chair: Okay. I want to go on to what Mr Shaw talked about: the ongoing reviews of the product. Presumably, what you are looking at is a number of different things: that the product does not change into something that was not intended; that the rules do not change and therefore exclude the product; and that it does not drift outside its selling limits-say, into retail banking when it should not have got there. Is that what you are looking at?

David Shaw: Yes, and it is also that when we put a product on the market, there is a review afterwards to see-

DQ467 Chair: How soon afterwards?

David Shaw: Normally within six to 12 months.

Antonio Simoes: So we have a possible implementation review every six months.

DQ468 Chair: So you have had a proper launch, a chance for it to bed down, and then you can see how it is working.

Antonio Simoes: Yes.

DQ469 Chair: Who are the people who were doing the review in terms of the compliance?

David Shaw: You would have a senior compliance person on the committee. Part of the ongoing process would be to keep looking at that as well.

DQ470 Chair: Are those the same people who were involved in the original meetings?

David Shaw: Probably; it depends.

DQ471 Chair: They are conflicted at this point, aren’t they? Because presumably, at the beginning of this process, they were involved in the approval of the product as it was, and now they are looking back to check that their decision was right. Admittedly there are certain changing criteria, but none the less, what happens if, hypothetically, they spot six months or a year later that they missed something? Have they got the courage to say, "We got it wrong. We need to pull this"?

David Shaw: I think they would, but I think that it is not-

DQ472 Chair: You say that with a lot of confidence. Are you trying to persuade us?

David Shaw: No, I am trying to say something different. Looking at it going forward, you are not asking whether the product is flawed. A lot of the problems that have arisen did not arise from the fact that the product was bad; the problem has been with the implementation and selling of it. Therefore, it is about looking at the process of how it is working, asking if the training is working and if we are getting complaints, rather than the more fundamental question of this being a completely flawed idea. That could happen, but I think that that is rather rare.

Antonio Simoes: May I give a specific example? We have just withdrawn a fund. We had two funds called "world select", and when we launched the second one we realised that the advisers could not differentiate between the two. What happened was that although the two funds were appropriate, the advisers could not differentiate, so in the system they were recommending the wrong fund. The suitability was not high enough. This was not picked up initially, but after three months of seeing the suitability levels not improving, we withdrew the product. That was done with compliance, with risk and with the first line. That is a real example from two months ago.

DQ473 Chair: Thank you, that is very helpful. Back to Mr Shaw, do you have internal standards which you drive from the compliance department but which are not set by regulation?

David Shaw: Yes. I think that everyone knows what our standards are. We set out the general policy in 16-whatever it is-and I think that everyone is well aware of HSBC’s ethos and attitude. The main thing is the tone from the top, as well.

DQ474 Chair: I am not sure you necessarily answered the question. Thinking about HSBC’s ethos and policy, I am not sure that I know what it is. Are you ensuring that HSBC simply complies with the rules and regulations at the time?

David Shaw: It is about reputation.

DQ475 Chair: Is reputation part of the compliance function, or is it part of everybody’s function?

David Shaw: It is everyone’s.

DQ476 Chair: So how do you in the compliance department interpret that requirement to safeguard HSBC’s reputation?

David Shaw: I think we take it that they know what the philosophy of the firm is, certainly from-

DQ477 Chair: Who knows what the philosophy of the firm is?

David Shaw: The senior compliance staff, and we hope that it permeates all the way down, because they are-

DQ478 Chair: I hate words like "hope" and "expect"-

David Shaw: They get a lot of training-

DQ479 Chair: You have 3,500 people who work for you, and you are permeating within an organisation with-is it 200,000 members of staff?

Antonio Simoes: 270,000.

DQ480 Chair: Across 87 different countries?

Antonio Simoes: It is 84 now.

DQ481 Chair: How many product lines have you got?

Antonio Simoes: We have four global businesses and each one would have at least 10 business lines.

DQ482 Chair: So that is 40 product lines, potentially. It is a really complex organisation-a big, big, big, complex organisation-and you are in charge of ensuring that the organisation looks after the compliance. It scares me when you use words like "hope" and "assume".

David Shaw: I shouldn’t have used those words.

DQ483 Chair: You should not, no, definitely. Please demonstrate to us how it is that you can absolutely ensure that not only are you compliant the whole time, but that you are also expounding that, so that your reputation from the point of view of compliance is intact. Mr Shaw, I am putting the pressure on you a bit, because it is you who is using those words.

David Shaw: The general policy is here in paragraph 19.5.5, which is to observe the highest standards of integrity and so on, and to comply with the letter and the spirit and the standards of good practice. It is not just a question of complying with the rules; it is about the spirit and observing high standards of integrity and fair dealing. That is the general overview. Clearly, that is emphasised all the time.

A lot of the decisions that come along are not on whether we are compliant with the rules; they are much more general than that. They are, "Do we like the feel of it?" and "What’s the reputational bit of that?" A lot of decisions are made on that basis, rather than on whether we are complying with the rules, because it is a given that we have to comply with the laws and regulations, but we certainly go a lot further than that, and want to do it with high standards, following the letter and spirit. The whole of the compliance department is very aware of that from the questions that arise.

DQ484 Chair: A lot of that is judgment-based though, is it not?

David Shaw: Yes it is.

DQ485 Chair: How do you ensure that your 3,500 members of staff have the right judgment?

Marc Moses: We have an assurance function within compliance. We instituted it two years ago, at the beginning of 2011. It sets key performance indicators for the function, as well as key risk indicators for the-

DQ486 Chair: How many key performance indicators have you got?

Marc Moses: Probably about 12.

DQ487 Chair: So they really are key.

Marc Moses: Yes-there’s not 500 or something like that. The assurance function will go out and look at the compliance function in a particular region or country and report back against those.

DQ488 Chair: Who is accountable if the judgment turns out to be wrong, and who judges whether the judgment turns out to be wrong?

David Shaw: Are you talking about within the compliance function?

Chair: Yes.

David Shaw: Obviously, if a bad judgment is made, it is a question of what level it is made at. The people at the top are accountable too if they fail to set in place the right standards and procedures. It rather depends how it arises, but compliance is responsible for the decisions that are made.

DQ489 Chair: They are independent decisions, are they?

David Shaw: They are certainly independent decisions. As you say, they are judgments and sometimes you can get it right or wrong. The main thing is whether you had the right processes and went through the right information and process in reaching that decision.

DQ490 Chair: What sort of diagnostics do you have? When something goes slightly wrong, in terms of looking back-you raise a good point on going back and ensuring that the process got to the right point-how do you go about reviewing a bad judgment to see how you got there? I take the view that people will make mistakes and there is nothing you can do about that and judgment is difficult, but you can only make the one mistake once. If you make the same mistake over again, you are a fool. It is all about learning from your mistakes. I want to know how you set about learning from any mistakes that you do make in compliance.

David Shaw: Clearly, you assess your subordinates all the time on how they are performing and whether complaints or incidents arise. That is a given in any department. I guess if something goes wrong, it often is not just compliance; it is a series of units or support functions or businesses that have been participating. Then there will be an internal review as to how this arose and why it fell down. If it is particularly serious, internal audit would do a review and do that independently.

DQ491 Chair: But in the first instance it would be an internal compliance review?

David Shaw: I can think of one at the moment where there are various groups doing it and assessing how it fell between the cracks.

Marc Moses: It is not the same person from the same functions. If the implication is that there is a conflict of interest, a multi-skilled group would look at that. If it was serious enough, we would report it up to the risk management committee-that is, the executive risk management committee-and then to the group risk committee, which is a committee of the board.

DQ492 Chair: How often do you interact with the board? Is it when things go wrong, or is it regular-about compliance and risk?

Marc Moses: I think I am pretty unique. I attend every single holdings board meeting.

Chair: And that is in your capacity as-

Marc Moses: As risk and compliance head.

Chair: This is my last question. Susan, I will come to you in a minute.

Baroness Kramer: That’s okay. Enjoy yourself.

DQ493 Chair: In terms of remuneration-as you know, everyone is preoccupied with the remuneration of bankers-what contribution does compliance make in terms of evaluating a member of staff?

David Shaw: It does make a contribution, because it is consulted on whether people have fallen down in their duties and has observed someone who has fallen down in his duties.

The degree of co-operation with compliance is important. We expect the businesses fully to co-operate and be absolutely open and honest when discussing things with us. If they didn’t do so, this would be a black mark against them. Our input on the behaviour of managers does filter in.

DQ494 Chair: It sounds like a negative response. You are looking at whether people have got it wrong.

Marc Moses: Forgive me-

Chair: I think Mr Shaw was about to say something different.

Marc Moses: I look at it as risk and compliance, because it is the risk and compliance function at the end of the day.

DQ495 Chair: Okay, fair enough. I will tell you why I am asking the question: just to save you the trouble. What I am after is: what is the reward for being good? It is much more difficult to say how much someone has saved the bank rather than how much someone has made the bank. [Interruption.] Maybe it isn’t; maybe you have worked it out. What I am looking for is how you evaluate those truly virtuous members of staff who are looking at avoiding problems, which is a compliance function. Can you have some input into their remuneration in terms of how good they have been in turning away business that would pose a reputational or compliance risk?

Marc Moses: The answer is yes. Both Ann and I sit on the remco. One of my major inputs into remco is whether the businesses adhere to their risk appetite. For the top 310 people-the code staff-we do a review twice a year on their risk behaviour: internal audit, compliance and operational risk within the risk function. We look at each of those individuals and we measure them against-did they adhere to risk appetite? Did they break limits without seeking authorisation first? What were their operational losses? How many high-risk audit points were outstanding for a particular period of time? Even things like informational security: did they have a clear desk policy? That feeds into a rating for them. That will absolutely have an impact on their remuneration.

We also-we have done this for the last two years-look at all the key issues that have been brought to the group risk committee, which, as I said, is a committee of the board, and analyse with internal audit, operational risk and compliance exactly who is responsible for what happened. If it did not happen in a particular year-it happened in a previous year-the clawback applies. We absolutely have a very major say in that.

Again, I go back to my Pavlovian example: if people know that that is the consequence of bad behaviour, my observation is that you might have an exception once, but they don’t do it again. If they did, they would have probably left the firm by now and not even be considered for a bonus.

DQ496 Baroness Kramer: The reason why my eyes keep flicking to the annunciator is that there is going to be a vote at some point in the House of Lords. If I suddenly get up and leave, that is why.

Mr Moses, in your role as the CRO, if somebody came up to you and said, "What are your three top objectives?", what would you name?

Marc Moses: I have more than three, but the three top-

Baroness Kramer: I have noticed that with HSBC. There is a lot of everything.

Marc Moses: We are very comprehensive. I would say setting, with the board, the right risk appetite for the firm and ensuring that it is embedded within the firm; the second piece is around setting the right global standards. We have come out and said that we will set the highest global standards, which is the highest standard in any particular country. Again, we have to embed that and, as in David’s point, ensure that it is consistently applied throughout the globe. The third piece has to be around people and resources. Do I have the right number, the right skill set, and the right succession plan to deliver and execute on what we said that we are going to do?

DQ497 Baroness Kramer: Help me with risk appetite. When you say that, is that a largely quantitative calculation that you are discussing?

Marc Moses: It is a combination. It is primarily quantitative, so it looks at things like earning, capital, liquidity, appetite for loan impairment losses and other losses, and it also covers the various risk diversifications, such as appetite within market risk and credit risk. It also touches on things such as reputational risk and operational risk. Reputation is the most subjective or qualitative of those. It looks across the whole piece.

DQ498 Baroness Kramer: So as you start to frame things through the lens of risk appetite, how do you scope out the more "unknown unknown"-type issues that are not easily grasped by that aspect of analysis?

Marc Moses: That is a very good question. Can I take you through the path? We have our risk appetite. We will do stresses on that risk appetite. Even in a one in seven year stress, you should still be within your risk appetite. One in 25, you will be outside, but we then ask ourselves, "Are we comfortable how far outside we are?" If we are not, we have to adjust the risk appetite.

Having done that, we then look at our risk map. This is the qualitative piece. For the 23 different risk disciplines across the regions and businesses, we score ourselves both on where we are currently and the projections in terms of risk. It might be credit risk, market risk, operational risk, compliance risk, accounting risk, tax risk or legal risk. There is a whole set of them. From that, we have a heat map so we know where to focus. Anything that is red on that, we would classify as a top and emerging risk. I, in compliance, will get from all the various areas probably 50 top and emerging risks that I will then distil. I always try to get to a top 10, but it has always been 13 or 14. We will then look at those risks, which are the emerging risks. They will be things like the eurozone. Two years ago, we were focusing on Greece before it was an issue. We are focusing on things such as cybercrime risk and on the regulatory risk that we have currently or geopolitical risk. All those result in questions such as, "What is the risk? What is the impact? Who is accountable and responsible for it? What is the mitigating action?" That will be discussed at the RMM-

DQ499 Baroness Kramer: RMM?

Marc Moses: Sorry, the risk management committee, which is the executives as well as the heads of the functions. Those issues will also be discussed at the group risk committee, which, as I said, is the committee of the board. We then take this to every single board as well. We will then focus on two or three of the key things that the board wants to challenge the executives on in terms of what we are doing against them. It is not like pressing a button and then you come out with the unknown unknowns, but it is done through discussion internally within the firm and externally with other chief risk officers and in other industry and risk forums. There is no proprietary benefit in not sharing that information. The proprietary benefit comes from what you do with the information, and that is the stress testing and therefore the mitigating action that you would take if you were outside your risk appetite.

DQ500 Baroness Kramer: So you mean deciding whether you reduce the extent to which you pursue a particular product or market or whatever. That is the proprietary bit.

Marc Moses: Yes. Take Greece, for example. You take your position, you stress it and, if you are uncomfortable with the number that you come out with, you reduce your position.

DQ501 Baroness Kramer: I can see that many of the risks that caused the last crisis would have appeared on that risk map, in the way that you describe it. Something like PPI-you raised the question-how would that ever appear on that particular map?

Marc Moses: Because under compliance we also have subsections of AML suitability, and that is where that may catch that.

DQ502 Baroness Kramer: How would it be caught under suitability and then raised up, as it were, to flag? It seems that the only flag anyone had was that it produced excessive profitability, which is not something that is usually on anybody’s risk mapping.

Marc Moses: Actually, it is very interesting. One of the things that we do within our reputational risk committee is to look at trades with large profitability to assess whether that is normal for the market. You don’t get anything free. If it is because you are taking large reputational risk or there is a suitability issue, that is where it would be flushed out.

DQ503 Baroness Kramer: When you use suitability, to what extent are you looking to external organisations-Which? might be an obvious example-to act as a flag: in other words, almost as an expression of complaint or to raise issues?

Marc Moses: We gather our data from all sources, not just internally. We will gather data from articles in the paper or, in your example, Which?, if it is something that impacts us. That is the only way you can gather as much information as possible to make a decision on the suitability of a particular product or the reputational risk attached to that. I can’t say that I go out and look at the Which? report every week.

DQ504 Baroness Kramer: No. I am just wondering to what extent there is a certain outsourcing of risk assessment, if you like.

Antonio Simoes: It may be at the retail level, because the Which? report is very specific. We do look at three external indicators: the FSA number of complaints, which are external rather than internal; and the ombudsman numbers, obviously; and anything related to Which? or any other survey, we do review within the business. Yesterday we had a meeting where we discussed the latest Which? report, which unfortunately brings out HSBC as having very long terms and conditions. That comes back to your point about having too many pages. That is one of the things we are reviewing with legal, risk and compliance: if our terms and conditions are too long. That is one of the issues that has been flagged externally that we are now pursuing internally. So, we do look at external data.

DQ505 Baroness Kramer: Is that different from historically? Are any of these triggers different from those you would have seen in place a few years ago?

Antonio Simoes: Complaints, no. Complaints is an area where we have always had strong focus because the regulators-such as the FSA-focus a lot on external complaints. I would say that currently we look more at external inputs than we probably did four or five years ago, particularly on the retail space. The retail area is one where suitability and conduct risk has developed substantially over the past three to four years. That is an area where-I can’t speak for pre-2007-I would imagine the number of indicators was much lower then than now.

DQ506 Baroness Kramer: You said that you raised these on up, essentially, to board level. I am trying to get a sense of what it is that passes the test to go on up to board level. Is it largely the more narrowly quantitative risk appetite issues? Would it be an issue such as suitability? Would that go on up to board level, or is that something you consider ought to be managed at a much lower level? I am trying to work out what it is that passes on for board-level attention.

Marc Moses: I think it is a question of significance. If suitability was particularly significant because of a particular product or our exposure to it, then we would absolutely take that up.

Paul Lawrence: I think there is judgment in what is referred upwards.

Marc Moses: Yes, there is.

Antonio Simoes: And the suitability aspects tend to be referred to the retail banking and wealth management risk committee, which also has a non-executive director. So a lot of the retail issues get escalated to the business line as well as up to the board. I would say suitability aspects tend to go less to the board, more to the line.

Marc Moses: It depends on the severity of the exceptions. We actually have a process so that you have got your risk committee, say, at retail banking and wealth management and we have it at global banking and markets-we have it for all the businesses and also for the regions. If there is a particular serious exception, that gets raised up to the next level, which will be for the function or for the risk discipline, or to group. Group will then take that and make an assessment-you are absolutely right-in terms of the severity of the point. There is no magic number. It is not that it is 10 or 13; if it was 15 or 20, then it would be 20 points on top of an emerging risk, but it is sort of averaged between 12 and 15-

DQ507 Baroness Kramer: There is an element of judgment. What would be your situation? Risk, say, has signed off on whatever the new product is and has been involved with the product right from, as you said, the very early development-conceptual and development stages-so in a sense it is embedded all the way through to the final approval decision. You then decide that it is not working or that there is a fundamental problem-to most outsiders, it would appear now that there was an element of real conflict. In a sense, it is going back and saying, "We didn’t make the right call." How difficult is that in terms of dealing with the board? You have quite a networked, integrated arrangement rather than a chain, separated one, and I am trying to work out to what extent that makes some of these decisions quite difficult to raise up finally to board level, rather than to seek to resolve them yourself looking down.

Marc Moses: I look at it the other way. We have a great governance structure, such that you can feed up these issues and it will get to group level and to the board if it is significant. I have not had any issue with saying no to something. I have not had push-back when one has said no to something. Indeed, one of the things that we do for board is to report twice a year examples of where we have said no and not progressed or pulled transactions, because it wants to know that as much as about the transactions we have done. Baroness, I do not think that that is an issue.

Antonio Simoes: If I may, there is an element in terms of our values, so the idea of acting with courageous integrity is to speak up and to have the courage to stand in front of something that you believe is not right. That element is rewarded. I would not say we are unique, but we are an organisation that values speaking up more than maybe other organisations do.

DQ508 Chair: Mr Simoes, I will stick with you. We have talked a little bit about how much you guys look outside to the commentary by people such as Which?, in terms of getting feedback on how you do some of your business and on your products, but one of the things it brought up was that, if a consumer wants to open an HSBC packaged account, that consumer has a bit of reading to do. Do you know how much reading that consumer has to do?

Antonio Simoes: To open an account, as I mentioned, we have the largest Ts and Cs in the industry. That was something raised over the weekend and we are reviewing it-we had a meeting on this yesterday.

DQ509 Chair: Do you know how much?

Antonio Simoes: I know it takes a long time. Apparently, someone from Which? read it and there was an hour and a half of reading, if I believe correctly.

DQ510 Chair: I think that person was lying actually, because I have it here-less a package of Ts and Cs, more an offensive weapon. We will go through it, because it is quite interesting. It is 165 pages in total, 30,000 words, in 11 different documents. "HSBC General Terms and Conditions", with current account terms and conditions and savings terms in this one; "Personal Internet Banking Terms and Conditions"-

Baroness Kramer: The print is tiny; I could not read it even with my glasses on.

Chair: "Travel Insurance" is quite a lumpy one. "Welcome to HSBC Advance", "Your Life Cover", "HSBC Advance Roadside Breakdown Assistance"-very helpful stuff, but a lot of things to read through. "General Price List and Interest Rates", "Charges"-which is refreshingly slim, only three pages on that-and "Overdraft Service: Be prepared for life’s unexpected costs"-glasses will be one of the unexpected costs-and "Important changes to your terms and conditions", and on it goes. There are 165 pages.

You have 207,000 members of staff across 84 countries, and 40 different business groups. Among all those people, somebody must have turned round and said that that was ridiculous. How did you get to that situation?

Antonio Simoes: As I said, we are reviewing and trying to reduce the terms and conditions.

DQ511 Chair: But how did you get to that situation in the first place?

Antonio Simoes: There is a good explanation. As you were reading through it, there was a series of products. "Advance" as a proposition, has a series of products within it. As you notice reading through it, some of them are separate products. A current account, for instance, would have much shorter Ts and Cs. That is still not a good excuse. We need-

DQ512 Chair: How long would a current account Ts and Cs be?

Antonio Simoes: They would be 10 or 12 pages long. A basic bank account, for instance, would have a much smaller Ts and Cs.

DQ513 Chair: The general terms and conditions for a current account.

Antonio Simoes: You probably have the advance one in front of you.

DQ514 Baroness Kramer: I have just taken a quick look at your insurance one.

DQ515 Chair: There is also a savings account. But the one that I am talking about is 48 pages long.

Antonio Simoes: That is the Advance one, yes.

DQ516 Chair: But it is also a current account.

Antonio Simoes: Yes.

DQ517 Chair: It is a lot, in small writing.

Antonio Simoes: It is, and we are committed to reviewing and simplifying it. We need to have clarity and have a customer perspective.

DQ518 Baroness Kramer: May I say one thing across you, Mark? You had better get somebody to take a look at this. I think that your insurance document is out of date with the legislation that we passed a year ago on consumer insurance. I only say that because I was on that Bill. If you are going to hound people this much, you might want to take another look at it. Your duty to disclose information looks to me as though it is absolutely skating the lines of the law.

Antonio Simoes: I am not aware of it, but I can come back in writing to the Commission. I am not aware of this specific issue.

DQ519 Chair: Perhaps we will have a chat with all of you later.

It is an important point. You are talking about yourself being the world’s favourite bank and all the rest of it, and yet this is ferociously complex stuff. Genuinely, nobody can read that, and I doubt even if your compliance department would go through it that frequently. If that is just a packaged account, think of all the other products you have. I cannot see how it can be done.

I come back to my original question: how did you let it get to that situation?

Antonio Simoes: In terms of regulation and the amount of things that we needed to cover, it has increased the terms and conditions substantially over the years. It is our responsibility to simplify them and, as I mentioned, we are reviewing them.

DQ520 Chair: But why only now? It is 2012. You have been around for-

Antonio Simoes: You will see that all the banks have terms and conditions. You probably saw that from the report.

DQ521 Chair: Yes, I know, but it is amusing to pick this up in front of you guys. So we are beating you up on this one, but it is an important point. We have to have different questions for the banks, because you are all watching each other’s interview questions. Barclays will clearly be looking at its terms and conditions. It might be sitting behind you now.

Antonio Simoes: We are reviewing it. We will simplify it from a customer perspective.

DQ522 Chair: But it is a culture. It is a sort of "protect me" culture, as it were, as a writer of this stuff. We have seen this across the financial service industry going back to the ’80s, where it has grown, grown and grown. All that happened was that somebody said, "Well, we just have to have endless disclaimers, otherwise somebody will sue us." But at the end of all this, it is your customer who you are neglecting. You are now devolving your risk to 165 pages of eight-point writing, which is not easy to read at the best of times, knowing that you can wriggle out of pretty much everything because you know as an absolute fact that nobody would have read it.

Antonio Simoes: You will see that regulation has forced us to do that. I agree that we are in a situation where we should not be. It should be simpler, but a lot of it has been driven by regulation and we, as banks, have been forced to comply with a lot of what is in those papers. We will simplify it, make it plainer English and less words, but we will still have a lot to comply with. We need to get to a position where customers are reading the terms and conditions, and we are doing the right thing for them.

DQ523 Chair: Do you think a customer would read one page?

Antonio Simoes: I think so. In other industries, most consumers are not reading the terms and conditions either. I think we have, as an industry, to simplify that, but we also need to educate customers to know what they are buying as well as what we are advising. We need to move to that position. We will simplify the terms and conditions, but I do not think that they will be much shorter than, let us say, half of what they are today, because we need to comply with the regulations.

DQ524 Chair: Eighty-two and a half pages is still an awful lot, isn’t it?

Antonio Simoes: It is. If I understand correctly, that is for six products.

DQ525 Chair: Six products and 11 documents.

Antonio Simoes: We need to simplify it. From an HSBC perspective, we can do better. We tend to follow the law probably more than other banks and we tend to put everything in writing. I think that is a characteristic of HSBC as a bank, and we are doing that. We trigger that with our colleagues in legal, and compliance and risk, to simplify the terms and conditions.

DQ526 Chair: It is a bit of a cultural thing, though. We heard earlier from you, Ms Almeida, about the HR manual. That is a manual that every member of staff has, which is 300 pages long.

Ann Almeida: It is the group standards manual. It covers all the operating standards including people-related aspects.

Chair: And every member of staff has that.

Ann Almeida: Yes.

DQ527 Chair: So every member of staff has something twice the size of the packaged account terms and conditions to read.

Antonio Simoes: Yes, but it covers risk, legal-it covers everything.

Paul Lawrence: We have a manuals system, and the overarching manual is the group standards manual, which is what we aspire to in terms of general guidance, which all the executives are requested to read. That is a very manageable document to read. Below that you have various subsets of documents that cover risk or the various functions or the various global business lines, and they are pertinent to each department, function or global business line. Not everybody has to read everything, because that would be an insurmountable task, but they are aimed at particular functions and global business lines.

DQ528 Chair: The sense I am getting, from the hour and a half or so for which we have spoken, is that HSBC genuinely wants to look after the customer, but in trying to achieve that it has got completely lost in terms of overburdening everybody with too much paperwork and not necessarily box-ticking, but a process-driven approach to things, and sometimes the customer gets slightly forgotten about. I am trying to understand how you got to where you are, and how you are going to make the journey to where you need to be. I get the sense that there is a desire, but I do not necessarily get the sense that there is a clear plan that really understands what the customer wants.

Antonio Simoes: Every organisation has rules and values and, as Ann started by articulating, during the past three years we have had much more of an emphasis on values: acting with courageous integrity and being open, connected and dependable. The "connected" element is all about putting the customer at the heart of everything we do. It is easy to say those words, but how do you embed them? That is what we are doing now. I think the rules that I mentioned are extraordinarily important, but unless you have the culture, you will not change the culture. The emphasis has been right in focusing more on the values rather than just on the rules, but from a compliance and risk perspective you need to have those rules. So it is a balance.

DQ529 Chair: When was the packaged account set up as a product-our friend with the 165 pages of Ts and Cs?

Antonio Simoes: The Advance account-from memory, and I can confirm-would have been three or four years ago.

Chair: Three years ago, so just after the financial crisis.

Antonio Simoes: Yes.

DQ530 Chair: So as you were going through the review of your processes to see if you could-

Antonio Simoes: You may know that we have a premier proposition globally and we launched Advance globally three years ago. We had Advance in individual countries before that.

DQ531 Chair: But there would have been a process of constructing this new product. You would have been involved in it together, one way or the other, to look at it and make sure there was the right process, the right product and all the rest of it. How was that 165 pages of Ts and Cs not picked up?

Antonio Simoes: I would argue that we have been focusing more on complying with rules rather than necessarily focusing on a customer-friendly journey.

DQ532 Chair: But then the ongoing process is waiting for Which? or a consumer group to come back and say, "You have got this wrong. This is ridiculous."

Antonio Simoes: We have simplified a lot of our terms and conditions. One of the things we have done in many of our other accounts is to have only one set of terms and conditions.

DQ533 Chair: But how did it take Which? to do it? As Susan said, why have you outsourced your customer satisfaction? Apparently, none of the 207,000 people who work for you has picked this up, and it takes Which? to pick it up. You have all these reviews going on of these products to make sure that they are still compliant and still what the customer wants, but something as blindingly obvious as 165 pages of Ts and Cs-as I say, if you rolled that up into a tube and hit somebody around the head with it, it would constitute an offensive weapon. It is an awful lot of paperwork. How has that managed to last for four years?

Antonio Simoes: I agree. I have several points. We use GfK, an external agency, to measure customer satisfaction. I would argue that the size of the Ts and Cs is not the first thing that customers complain about, so we focus on a lot of other things.

DQ534 Chair: Because they won’t read them. They almost certainly won’t even look at them.

Antonio Simoes: Some customers would. I agree that they are too long. From a suitability perspective, if we go back to the core of what we are trying to do, which is to serve customer needs, I would argue that there are issues that we are dealing with that are more important, such as the design of products and the way they are sold to customers. I absolutely agree with you that the terms and conditions need to be shorter. In terms of the scheme of 12 points that Marc was articulating, for me, as the head of retail, they are important but they are not my first priority in terms of simplification; it is more important to have robust products and to make sure that they are satisfying customer needs. But it is something that is on our agenda.

DQ535 Chair: But how do you define customer needs? This is quite an important point: it is all very well saying that these are compliant and meet customer needs and all the rest, but we are seeing a new entry to the marketplace, Metro Bank, which is saying, "You know what, we have had a look at every other one of these banks. We have had a look at HSBC’s Ts and Cs, and we think they are rubbish." People just want a bank account. That is all they want: a simple bank account, as opposed to a simplified bank account, that they can use and that does what it says on the tin, financially. With you, people do not know what it says on the tin, because the tin is too big to read.

Antonio Simoes: There are many other products beyond current accounts.

DQ536 Chair: I am sure, but this is a good example. We can talk about PPI. We can talk about interest rate swaps. There are all sorts of other products we can talk about that have got a pretty bad track record. Interest rate swaps are something that I have deliberately not brought up, because obviously there is quite a significant legal review going on there, and you guys are heavily involved in that. But don’t think that we have forgotten about it: it is something we have not touched on deliberately. But how on earth did you not pick up PPI?

Antonio Simoes: I think PPI would have been picked up currently through our product approval procedures.

DQ537 Chair: It wasn’t.

Antonio Simoes: As Marc said, one of the key issues that we look at is the profitability of the product. A product that is disproportionately profitable would not be approved in our current processes. PPI is an industry issue, and the industry has failed consumers. I believe that currently we would not approve a product such as PPI.

To go back to your previous question, in terms of customer needs, we profile every customer in terms of their risk profile and their customer needs. That is what we do with any new customer, particularly if we are going beyond current accounts. I agree that current accounts are a very simple product; if we go into wealth management, which is where a lot of the suitability issues emerge, we have a clear system to identify customer needs. That is how we start-by doing them and then fulfilling them.

DQ538 Baroness Kramer: To carry on for just a moment with this, I think you would agree that a genuinely informed customer is probably your best defence against mis-selling and abuse-not that you can say, "Ha, ha, we told you so on page 112," but that your customer actually understands what they have just bought or agreed to, what it is going to deliver for them and what they can expect. I have a sense that, in the same way as for employees, although it is easier to deliver the values of the firm if you know very clearly what those values are, the style seems to be to set up a sort of field of brambles through which you have to push yourself to get to any of that information. If you are an employee, it must be a nightmare to extract what you need from 300 pages-nobody can possibly keep that at the forefront of their mind-and it must be for customers, too, when they are trying to get a way through this to know what they have just bought. It may be a protection, so you can say, "Yes, we have ticked the box."

I was looking, too, at your principles, and there are nine of them. I bet you nobody could instantly quote them off to me: you would have to think and try to pull one out. There is no way those nine are on the tip of your tongue. I am not going to embarrass you by asking you to quote me the nine principles now, but you will be interested to know that, of the nine, customer focus does not pop up until No. 7. May I suggest that that might account for some of the issues?

This concerns us because, in terms of standards and conduct, and avoiding mis-selling and the like in the future, surely one of the things you have to tackle is the level of communication. Does your board understand this particular approach? Where is it coming from, this approach of building a defence that is impeccable from an expensive lawyer’s perspective but meaningless from a customer perspective? Where the heck is that being driven from? Is this a board-level drive? Do they know? I wonder whether they have ever opened a bank account.

Antonio Simoes: If I step back from a values perspective, we have one page here, just to be clear, that articulates, "Open, connected and dependable", and what is acceptable and not acceptable. So we have four levels-role model, strong, weak and unacceptable-and three values. That one page has 12 cells.

DQ539 Baroness Kramer: I bet you couldn’t tell me what is in those 12 cells, if I pushed.

Antonio Simoes: No, I could tell you.

DQ540 Chair: Go on then.

Antonio Simoes: Actually, I have the page in front of me.

DQ541 Baroness Kramer: But you get the point. There is a difference between functional-

Antonio Simoes: No, but actually the values themselves have been cascaded to a point where everybody you meet of the 270,000 people, in different languages, would be able to say what, "Open, connected and dependable", really means. I agree with you that people wouldn’t for the nine business imperatives, but we haven’t made a conscious effort to cascade them down.

It was a very good piece of work done in 2008. Both Ann and myself were involved, with a series of other colleagues. Stuart Gulliver, our current CEO, has rolled them out over the last two years. I think those values are deeply embedded in what we are doing, and they really codify what HSBC is.

Marc Moses: If I may, a lot of the senior people have been measured on values. We have had three peers, three direct reports and three skip-level reports, reporting anonymously-you see the name, but you cannot attribute the comments-on all of these. People are ranked as role models, strong, weak or unacceptable. That is the first gate that Ann was talking about. If you are not strong or a role model, you do not even get considered for a bonus. First, it is getting embedded within the firm because people are providing input; and secondly, there is a definite consequence to not living the values.

Ann Almeida: If I may, they are asked to give examples. The polite term we use is, each of us has suggestions on our development needs. So they give practical examples where, in their view, we have exuded the values, or not as the case may be, and what we each need to look out for.

Antonio Simoes: Two examples, in terms of values and the impact to your Ts and Cs. I have recently taken over the leadership of the UK bank, and we have identified two areas where we are potentially falling short of our values as a bank in the UK. We said, on "dependable", that most people within HSBC are behaving dependably. In terms of being "open" and "connected", from a "connected" perspective, we have lost, in some cases, the focus on the customer because there is too much regulation and bureaucracy. We have a particular focus on reducing bureaucracy and focusing on the customer. The Ts and Cs are part of that.

In terms of "open", we focused a lot on openness of thought and openness to diversity of thought. So we have a big diversity initiative on different thought. We are a very ethnically diverse bank, but we tend not to be very good on gender diversity. We have had a lot of initiatives that try to correct where our values are not at where they should be. I think our values do guide what we do day to day. Not necessarily the business imperatives, but you could question any of our colleagues, and everybody would come back to, "Open, connected and dependable", and, "Acting with courageous integrity".

DQ542 Chair: I have just a quick question. It does speak volumes to me that you felt that you needed to bring a copy of this with you, in order to have it in front of you. You cannot, obviously, remember it.

Antonio Simoes: No, I just wanted to wave it and say that we have it. I was part of creating it and I feel quite proud of it. It is not a memory aid.

DQ543 Chair: Okay. I think it is too complex, but you made an important point which is that nobody would be even considered for a bonus if they were below expectations, so weak or unacceptable. That is very good. What financial incentive is there to go from strong to role model?

Antonio Simoes: So in my scorecard, for instance-I am just going to my own year-end evaluation-there are two ways in which it would manifest itself. My scorecard is more geared to the non-financials than to the financials. There is a big transformation in the UK, and so my scorecard is 60% non-financial and 40% financial. Within the non-financial, compliance and risk is a large part of it. As a minimum, for the group I think it is 15% for everybody. In my case it is 20%. If I am really living the values and my risk and compliance record is flawless, let’s put it that way, that 20% would count to my variable comp. So there is a positive as well as a negative. It is an entry barrier, but it also counts on the scorecard itself. In my case, 20% of my variable comp would be based on my compliance and risk track record.

DQ544 Chair: Within this?

Antonio Simoes: Within the scorecard. I have a scorecard, which Ann actually articulated, but let me just spend one second on it. It has one quadrant that is financial, one quadrant that is not financial. Within non-financial, which for me is 60%, 20% or a third of it is compliance and risk. That gets done independently by the functions, not by me as a self-assessment. So for me, 20% of my overall variable comp is compliance.

DQ545 Chair: Okay. We are talking about you, and you are obviously a very important fellow and you get all this stuff. What about the junior staff? How would junior staff understand that the movement up from strong to role model would give them an incentive? Presumably, everybody abides by this?

Antonio Simoes: Yes.

DQ546 Chair: So for a junior member of staff, who does not necessarily understand the culture-to a certain extent you have to spell it out in very simplistic terms, which is not unreasonable-how do they understand and what financial incentive do they have, in terms of their discretionary pay, for moving up?

Antonio Simoes: Within the UK we have 36,000 staff in retail. We describe it in a simpler way, but the what and the how are the two important things. It is exactly the same logic-what you are achieving and how you are achieving it. For each member of staff, we have exactly the same logic. If you are not meeting the values, you are not considered for a bonus. Obviously, if there is a transgression of values, they would be either dismissed or disciplined and so on. But, even if they are not necessarily at strong, they would not be considered. So, if they are at the weak level-

DQ547 Chair: Yes, we talked about that a bit earlier-you have got to get across a hurdle, which is the gap between weak and strong. What I want to know is how you incentivise people to go from strong to role model?

Antonio Simoes: Examples are people I have met recently who have called out the wrong behaviour. The individual in the branch, IT centre or call centre who has called out the wrong behaviour is being rewarded in their year-end performance. They are specific examples of not tolerating, let us say, bullying or irrational behaviour, and the person who has called out the wrong behaviour is being rewarded.

DQ548 Baroness Kramer: Let me pick that up, because you are saying whistleblowing.

Antonio Simoes: I didn’t. Maybe it was just my accent, but no, I didn’t say that.

DQ549 Baroness Kramer: Well, tell me more about whistleblowing and whether you regard that as a sort of parallel audit system. How does it work?

Antonio Simoes: Yes, we have it within compliance, so I will pass it on in a second. We encourage whistleblowing. I deliberately did not use the word whistleblowing, because it tends to be quite a formal process, but, within the line, we encourage people to speak up and have the courage to live by the values and call out the wrong behaviours. That is what I just said. There is a parallel process within HR and compliance-

Marc Moses: There’s a compliance disclosure line. Anyone in the firm, if they want to raise an issue, can either call a particular line or write to the head of compliance. The majority of them actually come through anonymously, so they do not give their name. But each one of those complaints will be researched, and if the charge is upheld, action will be taken. For those who are willing to give their name, we will work with them and report back to them as to the outcome of the investigation.

DQ550 Baroness Kramer: Can I hold you for a second? I am quite curious about this "calling out", which I would regard as the most important aspect of whistleblowing, in a sense. We cannot find it among your 12 boxes.

Antonio Simoes: We do have, "Set exceptional standards for others of personal accountability and productivity", and then there is, "Responds proactively to difficult circumstances showing resilience"-

DQ551 Chair: Sorry, could you point me in the right direction please?

Antonio Simoes: So, where you have "Dependable", in the third box down, the second thing is: "Set exceptional standards of personal accountability and productivity. Responds positively to difficult circumstances by showing resilience, urgency and calmness". We do not have anything that says "whistleblowing", I agree, but we do reward-

DQ552 Chair: But actually, you articulated it very well a bit earlier. You pass up the line things that concern you. There is nothing like that in there.

Antonio Simoes: If I may assess this objectively, I think that that is an element where HSBC has always done that. We haven’t had a lot of-

DQ553 Chair: Yes, but it is not in here. The trouble is if you write a set of guidelines like this and leave something out. You did say that you were very proud of this, and there is quite an important bit of internal control that is not in there.

Antonio Simoes: There is, there is "Standing up for what’s right", which is the main contribution we have done in terms of acting with courageous integrity. That is how we talk about it from the top.

DQ554 Chair: This amounts to a clear set of instructions, and it is not unreasonable-I am not going to be too critical-but if you are going to give a clear set of instructions, do you not need to give a complete and clear set of instructions? This does not seem to be complete in terms of something as basic as making sure that you have all your members of staff, not as kind of internal policemen, but none the less keeping an eye on each other in terms of reporting up.

Antonio Simoes: It is a good point, but it would probably be longer, and it would be-

DQ555 Chair: You have got an awful lot of lovely things in here, such as "encourages openness in others", and "listens carefully to others and shows empathy". That is all very laudable stuff, but you would not necessarily want two boxes of listening to others in all this stuff when you could have one that would be, basically, to tell your boss if you feel worried about the conduct of others.

Antonio Simoes: Yes, speaking up and standing up for what is right, exactly. Those are the top priorities-

DQ556 Chair: All of this is standing up for what is right. I am sorry; you probably think that I am getting at you, which, of course, I am. But that is our job-we are scrutinising you.

Antonio Simoes: I appreciate that.

DQ557 Chair: I have not read it through because, if I am being perfectly honest with you, when I started looking at this I found it a little dull. But if I was to go through this, I would find an awful lot of stuff. There is an important point here because, actually, if I worked for you guys and I was thinking of opening an account to get my new salary, there are 165 pages. To look at the culture document is 300 pages and the précis is however many pages. This is another document. We have all worked for these big organisations before and there is an awful lot of this cultural stuff. Yet, if you do look at it, you pick up that there are bits that are missing. If it is not complete, why have all this stuff?

Antonio Simoes: I will leave Marc to explain that in a second. There are two things: I think that there is a lot of cynicism on any large organisation, particularly one with 270,000 people, I agree. We list-

DQ558 Chair: There is not that much cynicism; you have been reasonably successful to get to that point.

Antonio Simoes: No, I was going to say that this set of values is probably more authentic and felt by most of the leaders. This is not a typical mission statement that you have on the wall that nobody looks at. To give you an example of the amount of training we have done, 80% of all senior management in the UK-that is 3,000 out of 3,600 people-have gone on a two-day training course on values-based leadership. Of all the courses we have had-Ann can attest-this is the one with the highest satisfaction. People really feel passionately about values. I think that, in this moment and in society, it is important that this is one thing that all of our employees wanted to hear about and be part of. Of the 330 pages, I think that this page is actually more understood and fairly close to what we do on a day-to-day basis.

Marc Moses: I suppose my comment would be that there is theory, but there is also practice. I can assure you that, in practice, people live it to the point that they know that to do the right thing is to escalate when something is wrong. The other thing-

DQ559 Baroness Kramer: How frequently does somebody put a message into your system?

Marc Moses: Very frequently.

DQ560 Baroness Kramer: Typically, is it relatively an individual thing, where they have, for example, seen someone making phone calls that they should not have?

Marc Moses: It tends to be more individual.

DQ561 Baroness Kramer: Does the systemic stuff get up there, or is it much more at the personal level?

Marc Moses: It tends to be more at the personal level, but there will be cases where-

Paul Lawrence: There have been instances where criticism has been made against either accounting policies and practices or particular practices around valuations in certain subsidiaries. They are anonymous, and we take cases like that seriously. Internal audit may well have the wherewithal that compliance would not to do an evaluation of that and produce an independent report. It varies, but I think that we tend to see the more serious whistleblowing cases.

What may also help clarify the conversation is that there is a difference between whistleblowing, and escalation in the day-to-day running of the businesses which is part of management’s responsibility. Escalation is going through to the relevant business and governance forums about issues that are not going well and need to be remediated. Whistleblowing tends to be very much more that there is something that is not right here, whether of a sinister nature or people not acting with integrity or there is something wrong. I think that we need to make that differentiation in the conversation.

DQ562 Baroness Kramer: The reason why I am asking-it is like the queen who asks the ultimate question-is how come nobody noticed? That is the obvious question. You can think back to interest rates, PPI, LIBOR and even some of the issues that were embedded in the more systemic risk and whatever else, but you wonder why nobody noticed. The way in which that gets around the formal resistance is through the self-reporting or whistleblowing-type mechanism. I was just trying to get a grip on what level of maturity that had. In the United States, there is a big financial reward available if you are a whistleblower, which has a big impact on the culture. But you are saying that most people are calling anonymously, so they are obviously not thinking that they will get rewarded for putting messages into the system, because otherwise you wouldn’t do it anonymously. I am just wondering whether this has any real vibrancy at all within the HSBC culture.

Antonio Simoes: As we have just said, a lot of the whistleblowing relates to mostly personal conduct, where people really feel that they cannot speak up, and they would therefore use the line. A lot of the, "How did no one see it coming?" would come to the risk appetite. If I look at the UK retail bank, despite all the issues we have just described, our risk appetite is such that we lend less than what we have in deposits. We have an advances-to-deposit ratio that is well below 100%-it is 85% at the moment. That led us, pre-crisis, to lend much less, if you think about it in simple terms-in terms of mortgages. I think that put us in a good position when 2008 came.

Our risk appetite was more conservative. Did it pick PPI? We were the first bank in the industry to stop PPI. We were the first high street bank in December 2007 to stop PPI, because we did not think that the product was fulfilling customer needs at that point. Our risk appetite is more conservative, and it has made us stop doing certain things. I don’t think whistleblowing would necessarily have raised these concerns. I think it is more through the risk appetite that we would pick up some of those issues.

DQ563 Baroness Kramer: Okay, so it is the formal structure rather than whistleblowing.

Antonio Simoes: I think so.

DQ564 Chair: We have a few wrap-up questions. Regarding business and risk, what are your thoughts on the notion of a professional standards body providing qualifications and overseeing conduct of individuals and staff, in addition to the minimum requirements through the FSA or local regulators?

Marc Moses: I think that is an interesting concept and one that we have discussed. There is no professional qualification, as it were, for risk.

Chair: Or indeed for banking in general.

Marc Moses: There are various qualifications you get in terms of securities, but not in general.

DQ565 Chair: The thought behind all this is that if you are a chartered accountant and a member of the Institute of Chartered Accountants-that kind of thing-you can be struck off. While that does not necessarily stop you being a regulated individual, it means that you can no longer practise as a banker, risk manager or compliance officer.

Marc Moses: Personally, I think it is an interesting concept, and one that we have actually discussed within the bank. I am a chartered accountant, so I have been through the Institute and the exams. It is, in a sense, much easier to identify someone in finance because they have the qualification, and you can look at their experience.

With risk, and even in banking, it tends to be your knowledge, experience and the skill set that you build over time. But that can be quite variable, so I think it is an interesting concept.

Antonio Simoes: I think so. I think we need to look at standards across the industry. The question is: should there be a single standard? As Marc was describing, there is a series of bodies for accountants and others. I think it is an area to explore, and I believe that the BBA and other institutions are looking into it. Should we have a standard across the industry? I have no opposition. My only question is, will the burden of administrating such certification merit the benefits? I am just not sure.

DQ566 Chair: It doesn’t sound like you have given it a huge amount of thought.

Antonio Simoes: On professional standards?

Chair: Yes.

Antonio Simoes: I think it is potentially a good idea. I have not personally been involved in developing professional standards across the industry.

DQ567 Chair: Really? You are head of business; you are head of UK retail.

Antonio Simoes: Across the industry.

Chair: But even so, you are head of UK retail. You must have had some input.

Antonio Simoes: We do have specific standards for our own retail bankers. If I understood your question correctly, it is about whether we should have a standard across the entire industry. I think there are some benefits. I am just not sure whether one single standard is the right way to go for the entire industry.

DQ568 Chair: I am slightly worried that you have not had a lot of conversations about this. The banking industry is mired in scandal and loathing-I am not too sure whether you have come down to our level yet, but you are pretty close, and certainly journalists are as well. Even if it is just chatting with your wife, surely you must wonder how on earth you can raise the standards of the whole industry, or at least raise standards in the eyes of the public.

Antonio Simoes: Yes, and we have thought about how to raise the standards at HSBC.

DQ569 Chair: But the whole industry has a problem.

Antonio Simoes: Yes, and I think we as HSBC need to improve the image of HSBC and hopefully improve the image of the industry.

DQ570 Chair: So you want to be standards leaders. Is that what you are saying?

Antonio Simoes: We would like to uphold our standards and hopefully improve the image of the industry. I do not think it is necessarily my role to think about the standards of the industry. That is the only thing I would say.

DQ571 Chair: Oddly enough, that is exactly the answer that I hoped you would not give. Absolutely. I feel very strongly about this. Surely it is in all your interests to be part of a profession that you all feel proud of. Surely it is not about saying, "We’re better than them over there on the other side of Lombard Street, and to hell with them." Surely you want everyone to have good standards. Surely you want to have every bank, everybody who participates in the LIBOR market, to look at each other and say, "I can trust that person because he’s a member of the British banking board", or whatever it is.

Antonio Simoes: I personally have had this discussion at the British Bankers Association. I think that we as an industry need to come up with a solution. I am just not sure whether having one set of standards and a particular certification is the right solution. That is my only comment.

Paul Lawrence: Maybe I can put the internal audit perspective. There is work going on with the IIA and jointly with the FSA about working on a code of practice for the internal audit industry and financial services. The FSA are sponsors, the IIA is co-chairing it and there are a number of practitioners at the table. It is really about articulating a code of practice about how those regulated financial services industries should operate their internal audit unit. It is a very laudable ambition: the industry should come out with a set of standards that we can all be held accountable to.

However, it has been extraordinarily difficult to get any consensus around the table of what our mandate is and what we are actually here to do. Just by talking to other people in the internal audit industry, there are very different standards and rationales as to what the purpose of the internal audit function is. It is a laudable ambition, although I think the practicality of articulating a standard, along with the additional execution problem of getting to it, is going to take some time, but I think the direction of travel is absolutely correct. Roger Marshall, who was in front of this Commission at some stage, is chairing that committee. The difficulty is huge.

DQ572 Baroness Kramer: If I can just ask you a last question, Mr Lawrence. You came in, as I understand you said, in 2010, and you have been part of a real change in the internal audit process at HSBC. You described some of that to us. With two years under your belt, what change has there been in the way your board responds to internal audit? You obviously cannot share detail, but is there some way you can express to us the response now when you go to the board with a level of concern? Is it taken up? Does it get followed through? What kind of standing does it now have when internal audit feeds through?

Paul Lawrence: I’ll try to answer that question. Maybe I can paint a picture. What we have tried to do is to create for internal audit a certain amount of credibility in the organisation. That credibility comes from the way the board and the NEDs support us, and the way risk function support us and that Stuart Gulliver and Douglas Flint support us. That depends on the business mix and skills that we have below it, and the interaction of my audit team with the businesses and their understanding of risk and risk appetite. There is a lot that goes into winning that credibility. We have come a long way in doing that.

I do not think the journey is finished. If you ever think you have finished, you probably underestimated the task, I suspect. But we do now go to the subsidiary committees of the board-audit and risk committees-and occasionally direct to some of the NEDs about particular issues. We have strong engagement and strong challenge from them. Without giving details, we have conversations about why some of the departments within the group appear to be serial disappointers-possibly a good way of describing them-when we have issues that do not seem to get remediated, even though we have policies and procedures about them. To answer your question fairly, we have strong engagement with NEDs-better than we had two years ago-about what I believe are the material risks facing the group as we go forward. My desire is that we have that engagement in a stronger fashion. We are taking them better issues, better in that they are more relevant in terms of the materiality of the risk-are they within the risk appetite statement they have signed off? The engagement and the conversations are better. But I can only do that if credibility of the function within the organisation is as I have described it. They add to that credibility by supporting me in doing that.

DQ573 Chair: A couple of weeks ago we had a journalist who was also an anthropologist, Joris Luyendijk, and he shared with us some of his investigations talking to a number of people who are practitioners within the banking world, particularly the investment banking world. One of the things that kept coming back was the skills gap, which comes as a result of the pay gap. Those people in the front end of the business are the ones who are going out and winning business and generating business. They tend to be better paid, particularly in the investment banking side of things, than the people who are supervising them and monitoring them in terms of compliance and risk. Does this mean that there is an inherent built-in flaw in the system in that people will tend to go for the most money they can make so the best people will go to the front-line jobs-I don’t mean to be too rude about you two individually-but perhaps the not so brilliant people will be in risk and compliance?

Marc Moses: I used to be a trader and now I am in risk, so read into that whatever you want. I think the front line plays a part. They take risk as well as manage risk. The second line of defence, be it compliance or risk, is basically managing that risk. There is a difference. I think we pay people by their performance. I think we pay people at whatever the market rate is and I think we are very competitive. From that point of view, I am attracting the right people; they don’t want to be traders but want to be risk managers and take a completely different career path.

Then there is the supply and demand of the industry. There are certain areas within risk that have been very hot over the past couple of years. Percentage-wise that increase has been much larger than in other areas. The other thing to bear in mind is that if you look at the composition of remuneration between the second line and the first line, it is a greater percentage clearly in terms of the fixed pay, as opposed to variable. In the front line it is much more variable. That variable is deferred and it is subject to clawback. We are dealing with different animals here. People choose to do one or the other.

DQ574 Chair: Mr Shaw, do you have anything to add?

David Shaw: I think that is right. Marc is right; there is huge demand for good people in compliance at the moment. There is lots of competition. Certainly you have got good people others would like to poach and so on. But it is a different skill set. The culture, if you go back five or six years, was who is going to produce the most money. I don’t think it was ever us but I think it has long gone now and the control side of the business has asserted itself in a quite different way.

DQ575 Baroness Kramer: Earlier in the discussion about compensation you talked about the split between financial and non-financial objectives and their contribution. In terms of peer evaluation or evaluation from other departments, who evaluates whom? Do Mr Moses and Mr Shaw or perhaps someone within their organisation actually get to evaluate Mr Simoes? Does that happen in the organisation? Is the risk compliance side ever evaluated by the operational side? Is there a peer evaluation type arrangement?

Antonio Simoes: In my case I get evaluated directly by my two lines-the CEO for all of Europe and the CEO for retail banking and wealth management. I have peer review on values, so there are three of my direct reports, three peers and three people above me. There are nine people who give feedback on one page on values and behaviours. Risk, compliance and audit give input into the 20% in my scorecard that is risk, so there is a lot of input, and ultimately I get evaluated by the two people I mentioned. I do get that, but I do not evaluate the control functions, which is your second question. I do not give input into compliance or risk, so there is an independence going that way.

DQ576 Baroness Kramer: If compliance and risk felt you were pushing constantly at the boundaries, they could have an impact on about 20% of whatever it might be.

Antonio Simoes: No, more actually. If they felt that I was constantly pushing, it would go through my values and behaviour filters. I would have zero actually.

Marc Moses: It would not enter the gate, because if your values are below a certain thing, you do not even get considered for bonus.

DQ577 Baroness Kramer: So your side of the operation, Mr Moses and Mr Shaw, could actually bring the gate down and just say, "You don’t pass the entry barrier."

Marc Moses: Let us be clear. That gate-down is brought by the feedback by three peers, three direct reports and three skip-level reports. That is that one. Where we have input is that if you get through the gate, we look at each person’s risk behaviour, and we will make a recommendation on that. If you were involved in a particular issue that cost the bank money or impacted its reputation, that would also be something that we would report on, because we sit on REMCO, and we would recommend clawback, if it was in a previous year.

DQ578 Baroness Kramer: That is interesting, because you identified financial and reputational impacts that might lose the bank business. One of the problems with that is how you stem the behaviour long before you get to that point, so that you are sure you have the values system culturally embedded and your main mechanism is not a clean-up operation after the fact.

Marc Moses: As we described earlier, it is both the values and the mechanisms that we have, such as the reputational risk committee and the various risk committees that will consider all these things.

DQ579 Baroness Kramer: No, I meant all that versus incentives or pay. Are you just relying on people to extrapolate from the fact that if they do it wrong, it will be clawed back in a future year?

Marc Moses: What people are seeing are the consequences of when someone does something wrong. That, in a sense, drives behaviour going forward.

DQ580 Baroness Kramer: It is interesting, because in some of the other banks we have talked to there is much more clearly peer evaluation from risk and compliance on a much subtler basis.

Marc Moses: I think that is the feedback that audit, operational risk, and compliance give on those individuals, which then gets fed through to REMCO.

Chair: Thank you very much indeed. When we started, I said that we would be no less than an hour and no more than an hour and a half. That was two hours and 10 minutes ago, so I am very grateful to you all for coming. I am sorry if we have perhaps roughed you up a little, but it is very useful to have your insight into this Commission, which is probably not reporting until March next year.

Prepared 24th June 2013