What does ESG mean for banks and why is it important?
Banks are not unique, but they are subject to greater scrutiny than many other sectors. This scrutiny comes from regulators, customers, governments, and investors, among others. This means that ESG requirements may be more likely to be imposed, often by regulators and governments, or pressure may come from investors and customers.
There are several different types of banks, and this will influence the way that ESG issues are prioritized and managed. Small, local banks, including credit unions (US), building societies (UK), and similar institutions in different jurisdictions, are often formed for a specific purpose, and are often owned by customers or communities. Larger banks, covering large regions or countries, will be subject to greater regulatory pressure and are more likely to encounter investor activism. The same applies to multinationals, but these will be meeting the needs of multiple governments and regulators and often have different interested parties focused on different issues in different countries. There is also an important distinction between retail banks and corporate and wholesale/investment banks, as stakeholders will differ and have different priorities, although many of the major banks operate in all parts of the sector.
Key risks of ESG in banks
Understanding the various types of banks will help us identify the key risks that are essential to our role as internal auditors.
ESG risks for banks will typically emanate from their core activities and their interactions with stakeholders. For example, there will be risks from lending and investing activities, from managing and serving customers — particularly individuals and small businesses — as well as employing staff and running the offices. The examples below are based on specific impacts experienced by banks in recent years:
- Environmental
- Funding controversial projects and activities, such as fossil fuel development.
- High levels of air travel among bank staff.
- Social
- Paying low wages (e.g., below minimum wage) to cleaning staff.
- Lack of clarity or consistency in explaining and selling products to customers. For example, banks in the UK routinely mis-sold payment protection insurance attached to loans; the compensation bill ran to over £50bn.
- Funding projects (e.g., dams) which displace communities.
- Governance
- False or exaggerated claims in ESG reports (greenwashing).
- Perceived excessive pay to senior staff (“bankers’ bonuses”).
- Creating or facilitating complex corporate structures to avoid regulation or taxation.For example, setting up operations where regulation is more relaxed (regulatory arbitrage) and channeling profits through jurisdictions with lower taxes.
Regulatory environment
As noted above, regulators are a key stakeholder for banks and, arguably, the regulatory landscape is the predominant reason that ESG is more important for banks (and other financial services sectors) than other industries. Risks that involve, for example, consumer protection, are heightened with banks, as regulators set clear expectations and standards; and banks are often the first impacted by emerging practices. For example, stress tests on climate scenarios have been piloted for large banks by regulators and central banks including the Bank of England, the European Central Bank, and The Federal Reserve Bank of New York, and we should expect this to become a regular occurrence going forward. This article highlights how the UK regulator is driving environmental requirements; it also refers to the European landscape which, in many respects is more advanced. Other jurisdictions are following, albeit at different speeds.
ESG reporting for banks
In general, ESG reporting requirements are the same for banks as they are for other entities. But due to their scale, complexity, and a greater demand for such information, banks are more likely to be included within such requirements than many other sectors. Of particular relevance are the introduction of ISSB standards and European Sustainability Reporting Standards (ESRS), but others may apply in different jurisdictions. An issue common to all sectors, but heightened in banks due to their scale, complexity, and value chain, is the availability, integrity, and completeness of data as outlined in this McKinsey article. Good data is clearly required for banks’ own risk management and for stress testing, whether in-house or driven by regulators.
Internal audit’s role
As with any activity, internal auditors that work within banks should start by incorporating ESG and sustainability risks into their risk assessment processes. This should include the risks specific to the banking sector (some examples of which are given above) as well as the more general risks around ESG. It is important to understand what is happening in the market, in your organization, and among stakeholders to effectively assess these risks. As discussed earlier, given the importance of regulatory requirements in driving ESG risk management, it is vital to understand the current and future regulatory landscape. Horizon scanning should also take into account the existing and emerging concerns of other stakeholders, which can be gleaned from within the business, across sector networks, and throughout traditional and social media.
Alongside this, we should also consider and map what we already do. Internal auditors have been auditing ESG risks for much longer than the term “ESG” has been widely recognized – consider, for example, audits of customer service (complaints, compliance with regulations, sales practices) and of governance issues such as tax transparency and conflicts of interest. More recently, many internal audit departments in the sector have developed programs around climate change, covering topics such as stress testing, evaluation of climate risk in commercial loan products, and alignment with publicly stated commitments.
Most audits will not be unique to banks but, for the reasons already discussed, some risks are heightened due to regulations, scale and complexity. Some topics are also likely to be more important due to the stakeholders involved. Below I have highlighted a few potential audits which are either specific to or may have greater impact in banks. In several cases, this involves adding ESG considerations into existing audits, which will often be the best way to efficiently provide added assurance.
- Lending – As one of a bank’s core activities, internal audit will perform various audits of lending processes and related support and risk management activities, whether for commercial lending, mortgage loans, or other consumer lending. These audits could include ESG topics such as:
- Climate change – For example, whether property on which the loan is secured is vulnerable to changing weather patterns, or whether the risks from decarbonization strategies make the asset less valuable.
- Other environmental risks such as pollution and uncontrolled waste.
- Risks of funds being used in activities involving labor violations.
- Transparency of corporate structures and tax arrangement.
- New product design and approval – Are there processes to ensure consumers are protected in line with regulators’ and public expectations?
- Complaints handling – Are processes in place to ensure customers are treated fairly, again in line with regulators’ and public expectations?
- Anti Money Laundering and “Know Your Customer” processes – Ensuring good governance to prevent money laundering and protection of consumers and small businesses by providing products which are suitable and can be understood.
- Executive pay – With frequent negative publicity about “bankers’ bonuses”, internal audit can provide assurance that pay strategies and bonus schemes are designed with appropriate incentives, appropriately approved, and applied fairly. While this won’t deflect some of the negative sentiment, it will provide a more robust decision-making framework for Boards.
- ESG data – Given its complexity in banks, internal audit is well-placed to provide assurance over integrity, governance, and controls.
- Reporting – Most large and many mid-sized banks have reported under Task Force on Climate-related Financial Disclosures (TCFD) and will be required to report under ISSB and in many cases ESRS. This is an area of regulatory focus for banks and there are a range of roles internal audit can play as described here.
- Sales practices – There are many past cases of banks paying insufficient attention to the needs and interests of customers, primarily (but not only) consumers and small businesses. Most regulators now have clear expectations, and so internal audit can provide assurance over processes to ensure these regulations are met and, more broadly, that appropriate controls are in place to mitigate the risk of mis-selling.
- Data protection – Internal audit will typically audit controls over the collection, processing, and storage of sensitive and confidential automated and manual data.
These are just a few examples, and most are part of the audits we already routinely conduct. Most also lend themselves to both assurance and advisory work by internal audit. Whilst banks clearly have direct impacts from offices, employment, and other standard corporate activities, the key risks and the key opportunities for internal audit action is in the core banking activities.