Institutional Theory and Evolution of ‘A Legitimate’ Compliance Culture: The Case of the UK Financial Service Sector


Over the last decade, scandals within the UK Financial Service sector have impacted their legitimacy and raised questions whether a compliance culture exists or not. Several institutional changes at the regulatory and normative levels have targeted stakeholders’ concerns regarding compliance culture and led to changes in the legitimation process. This paper attempts to address a gap in the literature by asking the following question: How is the UK financial institutions’ compliance culture shaped by the institutional environment and changing legitimacy claims? Towards achieving this objective, the paper draws on the institutional theory and pays attention to the various configurations of the legitimacy notion (property vs process Suddaby et al. Acad Manag Ann 11(1):451–478; 2017). The paper utilises a longitudinal interpretive design and undertakes a qualitative content analysis of fines issued by the UK regulator and the communicated response of violating firms as well as non-sanctioned firms. Our findings indicate that there is a cyclical ‘evolutionary compliance’ rather than the more widely recognised state of ‘compliance culture’. This culture is fuelled by interchangeable isomorphic forces where the majority of violating firms are seen to issue similar responses to the regulators sanction to maintain their reputation and legitimacy in the market. Notably, legitimacy is now defined within an interactive process between the regulator and firms rather than being static and achieved by ticking the box.


The UK regulator, the Financial Conduct Authority (FCA),Footnote 1 has issued discussion papers on compliance culture pre and post the global financial crisis (FSA 2007; FCA 2013, 2016b; PRA 2014), in an attempt to encourage financial institutions to adhere with norms of compliance culture. However, and despite these efforts, compliance violations are still evident within the UK financial sector. This phenomenon could not only undermine the effectiveness of the regulatory efforts but would also question the existence of a compliance culture within the sector as indicated by the FCA director of enforcement and Financial Crime following comment:

The misconduct in relation to LIBOR has cast a shadow over the financial service industry. The findings we publish today illustrate, once again, individuals within the industry acting with a cavalier disregard both for regulatory obligation and the interests of the markets. IEL’s significant failings in CULTURE and controls allowed that misconduct to flourish and fell far short of our expectations (FCA 2013, emphasis added).

Compliance can be defined as “conscious obedience to or incorporation of values norms or institutional requirements” (Oliver 1991, p. 152),Footnote 2 while culture deals with ‘intra-organizational processes’ (Kondra and Hurst 2009, p. 39), as such the concept of compliance culture is usually seen as embedded within the firm (Newton 2001) in response to institutional requirements (e.g. codes of conduct) which are communicated through senior management, and then layered down throughout organisations. In the extant literature, however, this internalisation of cultural norms imposed by the immediate environment (industry) raised questions regarding the organisational orientation towards such compliance culture (i.e. what does a company do about complying with such culture?) rather than whether it exists or not. An example for this can be seen in Jenkinson (1996). Clearly, organisational compliance with such culture is an expectation from the Financial Conduct Authority as indicated in the following quote “Where we believe cultural measures expose the firm to a high level of risk in the context of our objectives, we will expect the firm to take account of it” (FCA 2013, p. 1). Furthermore, examining the extant literature shows that the concept of culture has been studied from the perspective of the regulator (O’Brien et al. 2014; Ring et al. 2016). However, this has been criticised on the grounds that culture is presented in a ‘diffuse, inconsistent, and often simplistic ways’ (Meidinger 1987). There are similar concerns with regard to the over simplification of the construct of legitimacy, and its widespread application resulting in misuse of the construct (Suddaby et al. 2017). Compounding the matter further, less has been said from the perspective of the compliance functions, within the firms where the continued dysfunctional cultural issues exist. Thus, an evident gap in the literature is to explore firms’ compliance culture and how it is formulated vis-à-vis the institutional environment in fulfilment of legitimacy claims from various stakeholders. Clearly, this is increasingly important given recent media speculation about the shift in regulatory direction of the FCA, where it will no longer be viewed as ‘enforcement-led’, or following the ‘shoot first, ask questions later’ approach after the appointment of Andrew Bailey in 2016.

Essentially, this shift not only marks a significant change in the institutional environment, but also a change in the notion of legitimation. Drawing on Suddaby et al. (2017), this could be interpreted as a shift from perceiving legitimacy as a property (which is simply achieved (or lost) by firms’ compliance (or non-compliance) with law and regulations i.e. through coercion), to perceiving legitimacy as a process which socially constructs the terms of reference of legitimacy, as a process that is based on collaboration rather than enforcement. This led to formulation of our research question of: How is the UK financial institutions’ compliance culture shaped by the institutional environment and changing legitimacy claims?

Against this background, this paper uses an institutional theory lens to investigate the concept of compliance culture within the UK financial sector. Here, the aim of this paper is to understand how financial institutions (both the offending and non-offending companies) internalise the institutional pressures from their immediate external environment in their quest to maintain legitimacy (Suchman 1995). Inevitably, the paper will also discuss the how this internalisation has been influenced by the change in the regulatory approach and the implications on legitimacy notion, if any.

Following a pragmatic research design, this paper undertakes a longitudinal in-depth website analysis of the press releases of 23 non-compliant firms, alongside those of the regulator, during the period of 2013–2016. This captures the public responses of those firms fined by the regulator (the FCA) for compliance culture failings. Essentially, this analysis is underpinned by institutional theory, where organisations follow an isomorphic pattern in responding to particular institutional pressures in order to maintain their legitimacy (DiMaggio and Powell 1983; Scott 2014). The resulting model of evolutionary compliance culture evidences the impact of pressures, and the nature of regulatory flux which has advanced the pursuit of legitimacy from a ‘property’ (measurable) to a ‘interactive process’ (Suddaby et al. 2017) in the contemporary banking industry in the UK.

The paper is structured as follows: the next section explores the concept of compliance culture as presented within the academic and industry extant literatures. This is followed by the methods and methodology section. Then, the results and discussion of findings is presented. Finally, the conclusion, recommendations and areas of future research are highlighted in the last section.

Literature Review

Undoubtedly, there has been a general movement by both academic researchers and practitioners to identify and improve corporate governance structures within firms, since earlier crises of Enron, WorldCom, and Arthur Anderson at the start of the millennium, shortly followed thereafter by the Global Financial Crisis of 2007–2008. A common underlying reason for these failure is what Zyglidopoulos et al. (2009) called a borderline and ‘delusional’ corporate culture caused by an over confidence in ability and importance. Of note that the extant literature focused on explaining the motivation behind practitioners’ actions to improve corporate governance compliance, here, a number of academics have correlated the implementation of effective corporate governance and control structures with an improved firms’ value (Hendricks and Singhal 1996; Akhigbe and Martin 2006; Henry 2008). However, with the cost of compliance argued to be so high (Garcia 2004; Bamberger 2010; English and Hammond 2012, 2015), the fundamental question over why management comply remains ambiguous. Another line of research has focused on the role of media in setting the public agenda, and how this would be reflected within the publics’ perception of risk (McCarthy and Dolfsma 2014). Here, some researchers focused and argued that governance reforms and enhanced compliance is just an attempt by firms to improve their reputation and gain legitimacy (Arora and Gangopadhyay 1995) or just a reaction to enforcement by regulators (Yeung 2002; Zubic and Sims 2011). Although each of the previous justifications of corporate governance reforms and enhanced compliance is plausible, we argue that it captures one facet of a complex multi-faceted phenomenon that is being institutionalised, as compliance function is now viewed in practice as ‘core within organisations’ (Perezts and Picard 2015). Here, firms may be seen to structure their compliance function in response to institutional pressures as indicated by DiMaggio and Powell (1983). These pressures are coercive (formal and informal pressures exerted by law and regulation), mimetic (firms modelling themselves on other organisations) and normative (resulting primarily from professionalisation). In support of this view, Fashola (2014, p. 2) indicated that “Organizations are prone to yielding to coercive and normative pressures arising from their institutional context (for example banks adhering to capital base requirements or to corporate governance code) as these are likely to confer social privileges from their stakeholders”. Additionally, DiMaggio and Powell (1983) and Aldrich (1979) agreed that the most crucial factors that organisation must consider are other organisations, as competition between organisations is not limited only to customers and resources but for “political power, institutional legitimacy... as well as economic fitness” (DiMaggio and Powell 1983, p. 150). Thus, companies can model their internal changes on other organisations in the field. The following sections will discuss in further detail the evolution of compliance function as co-created by organisations in response to external institutional pressures namely: regulatory, normative and cultural.

Understanding Compliance Culture—Approaches Adopted by Firms

Organisational compliance culture reflects the individual firm’s approach to regulation (Alfon 1996, p. 20). It could also be linked to the firm’s attempt to adopt best practices or simply managing regulatory risk, which could obviously endanger its legitimacy and existence. Additionally, it can be affected by the leadership style within the organisation (Jenkinson 1996, p. 42) and whether the company is more interested in complying with the letter of law “while evading engagement with its substance spirit and soul” (Parker 2000, p. 342). The literature also highlights that the modification of compliance culture within organisations requires alignment of organisational ‘values, attitudes and beliefs’ to the principles of financial regulation (Newton 2001, p. 16). Dynamics of corruption and rationalisation can influence the organisational compliance culture (Zyglidopoulos et al. 2009) as a “shared set of values and standards” (Barry 2002, p. 39).

Moreover, compliance culture cannot be bought or ‘taught by a high priced management consultant’ (Morton 2005, p. 60), which further highlights the complexity of the concept as a socially constructed phenomenon. Subsequently, measuring compliance culture against set criteria can be problematic and simplistic. However, issues within culture cannot be ignored. Indeed, this has recently been re-emphasised by the regulator whereby “culture may not be measurable, but it is manageable” (FCA 2017). Evidently, previous attempts to measure companies’ compliance culture have failed. Here, one example to demonstrate this, is that despite the assertion of the US regulator of a ‘formal approach to assessing … culture of compliance’ (SEC 2003), the adoption of this model clearly failed in the global financial crisis 2008. Similarly, the complexity of embedding compliance culture is clear in the ongoing scandals within the UK financial service sector following the global financial crisis (for example the Libor scandal 2012). Thus, understanding companies’ compliance culture requires a holistic approach, which consider the compliance culture within the wider institutional environment. This holistic approach to understanding and embedding compliance culture may apply both internally within the firm by compliance officers’ communicating the spirit of regulation; but also externally through their relationship with the regulator and communicating and acknowledging the rapid pace of change within the wider financial services market place. The holistic approach embraces the cooperation of all actors towards regulatory compliance. Noting that, companies may not necessarily maintain the same compliance culture across the sector, with compliance approaches ranging from a state of non-compliance to over compliance (Jenkinson 1996, p. 42), whereby some organisations are extremely proactive and choose to ‘over comply’, and other organisations choosing a strategy of minimal efforts to achieve compliance, or indeed those that do not meet regulatory compliance standards.Footnote 3

Acknowledging the complex nature of the compliance culture, previous studies have indicated that good compliance involves engagement and persuasion within the organisation so that the “ethically and legally responsible action is consistent with business goals” (Parker 2000, p. 345). Moreover, it is about the culture and a commitment to partnership with the regulators (Edwards 2003). Still, to others “the concept of culture of compliance lacks definition, theoretical explication and empirical support for the proposed link with improved compliance outcome” (Interligi 2010, p. 237). As such, better understanding of compliance culture would require reviewing the actual practice, which imposes the regulatory, normative and cultural pressures on the UK financial institutions and their related legitimacy basis. This will be discussed in the following sections.

Regulatory Pillar, Legitimacy and Compliance

There is extensive literature on the role of regulation, and the various regulatory approaches across sectors and jurisdictions. Responsive regulation and the enforcement pyramid (Ayres and Braithwaite 1992) is widely cited in the literature (Ayres 2013) and offers a framework for regulatory response ranging from a hands off ‘self-regulatory’ approach to a more coercive ‘sanctioning’ role. Of note, the latter approach is more aligned with the regulatory pillar of institutions and the use of coercion to bring about compliance (Scott 2014).

In the UK, we would argue that the regulatory approach has witnessed a number of changes over time, perhaps in response to a dynamic financial sector landscape. We argue that the modifications in the regulatory approach have not only influenced the compliance culture, but also rendered having a stable compliance culture rather unachievable. Prior to the global financial crisis, the UK adopted an allegedly ‘light touch’ regulation approach relying on industry self-regulation (Buller and Lindstrom 2013). During this period (i.e. before the global financial crisis 2007), a framework for compliance culture was also proposed by the UK regulator (the Financial Services Authority (FSA) to ensure fair customer treatment. Towards this end, and recognising the importance of compliance culture, a tool was designed to measure compliance culture within individual firms, thus enforcing firms to ‘deliver fair consumer outcomes’ (FSA 2007, p. 3). The model (see Fig. 1) presented by the FSA includes key drivers of leadership, strategy, decision making, controls, recruitment and reward (FSA 2007, p. 21) which sets out a clear expectation of best practice and expectations of the regulators. However, in a more recent policy statement, a broader model with the specific inclusion of culture was discussed as “the PRA consider a variety of factors to identify failings in culture, including governance, incentives, risk awareness and the ability to challenge senior management” (PRA 2014, p. 4). This indicates an ongoing evolution to identifying specific measures for culture by the regulator, perhaps indicating that ‘one size’ does not fit all. More recently, the regulator has communicated that they will work more within individual firms to review culture (FCA Annual report, 2015/2016) rather than undertaking industry-wide thematic reviews. Perhaps then, it is necessary for supervisors to avoid models and guidance, which may encourage a ‘tick the box’ approach to compliance (and compliance culture). In contrast, Carretta et al. (2010) contend that the new relationship models between supervisors and banks need to be supported by organisational tools, which enable sharing of information between parties; to promote both the advisory function of supervisors and a partnership model, premised on cooperation between the supervisory bodies and banks. This was considered necessary given the risks regarding ‘perfunctory cosmetic’ compliance (Calcott 2010). However, it is worthwhile mentioning that the advantages of firms choosing their own approach are also recognised, whereby they can draw on their own experience and reflect on individual circumstances to approach compliance (Rossi 2010). More recently, culture issues were revisited by the FCA whereby the regulator intends to impact compliance decisions within firms, and culture in the sector using mechanisms such as ‘publicising examples of good behaviour’ (FCA 2016b). These ongoing changes to the regulatory approach highlight the compliance culture co-creation idea.

Fig. 1

Culture framework (FSA 2007, p. 21)

Furthermore, following the appointment of Andrew Bailey as the FCA’s chief executive in 2016, media speculated another significant shift in the regulatory direction of the FCA. A shift in the regulatory approach that would will no longer be viewed as ‘enforcement-led’, or be based on ‘shoot first, ask questions later’.Footnote 4 This marks a significant shift in defining compliance and hence legitimacy. Here, legitimacy is changing from being a static property, achieved by complying with law/regulations to a more dynamic process socially constructed by the regulator and firms (Suddaby et al. 2017).

Alternatively, the approach is based on ‘credible deterrence’ (FCA 2016b), whereby the regulator, the FCA, can adopt wider regulatory actions and become more proactive rather than reactive. This includes the following: taking away firms/individuals operating authorisation; issuing fines; issuing public/messages warnings; and bringing cases to court,Footnote 5 and indeed continue to hold senior managers to account (FCA 2013).Footnote 6 This change within the regulatory stance may in turn bring about isomorphic changes within the sectors’ ‘compliance culture’ through the said coercive measures (which links back to Ayres and Brathwaite’s Enforcement Pyramid). Yet, given the high costs of compliance to the financial service sector in the UK, the problem of cosmetic/minimal compliance presented in the literature (Jackson, 2001; Crump 2007; Calcott 2010) are still relevant, and can hinder the isomorphic effect on the overall compliance culture within the sector. As such it might be the case that some firms’ have different response from the majority of firms within the sector. As noted by Lamin and Zaheer (2012), these responses can include denial (dismissal of allegation in the form of denial that the problem exist, or it was related to factors such as labour practices or contractors or denying responsibility as indicated by Sutton and Callahan 1987) or defiance (contesting accusation and challenging accuser).

Normative and Cultural Pressures, Legitimacy and Compliance

There are significant normative forces affecting professionals working within the financial industry and as such the compliance culture. This includes adherence to relevant professional bodies’ codes of conduct/ethics (such as accounting and legal professional bodies), with threats of dismissal from professional membership for cases of non-adherence by affiliated individuals.Footnote 7 Individual banking organisations usually also apply their own codes of conduct for employees, which reflects banks’ attempt to conform with industrial norms including recent expectation of boards and leadership taking ownership for company culture (FRC 2016). Within UK financial services, professionalisation and creation of compliance norm are facilitated through institutes such as the British Bankers Association (BBA) which has recently been superseded by the UK Finance group in July 2017. One way such bodies promote best practice is through mechanism such as continuous professional development (CPD), and also facilitating discussion and communication of issues between forum members. Previously, the BBA have also called for “license to trade” qualifications (and associated profession requirements/codes of conduct).Footnote 8 Moreover, BASEL committee on banking supervision issued a framework of principles in 2005, on which they followed up through the Accounting Task Force in 2008 to assess the degree of implementation within the industry.Footnote 9 Individual firms such as Barclays have set up ‘Compliance Academies’ (Compliance Exchange 2014), in an attempt to force changes in culture through mechanisms of CPD. Bussman and Niemeczek (2017) provide empirical evidence to support the importance of ‘transfer in knowledge of norms’, when reviewing compliance through culture. Zaal et al. (2017) also highlight the importance of CPD and training within organisations, to ensure that employees understand ‘rules’ (clarity) and what is acceptable and thus ‘sanctionability’ within an organisational structure, to improve overall integrity.

Most recently, there are directives to ‘audit’ culture, although guidance on this is in a developing stage (UK Finance 2017). This seems counter intuitive to the comments by the FCA, whereby they consider that ‘culture may not be measurable’ (FCA 2017). However, despite this they have described various ‘levers’ that they consider to manageable including; ‘clearly communicated sense of purpose’, ‘tone at the top’, ‘formal governance processes’, and ‘people related practice’ (FCA 2017). These measures (or levers, as described most recently by the FCA) have all emphasised and created an industry wide norm of compliance culture on both organisations (through codes of conduct) as well as through individuals (banking professionals). These individuals internalise a compliance culture to the organisations they work for and through their personal conduct, which should be compliant with professional bodies and educational institutions.

To shed further light on the complexity of the compliance culture, it would be useful to note that companies may comply with regulations through ‘getting by’ and ‘keeping the regulators happy’ (Jackman 2001). Clearly, this cannot only occur through coercive pressures alone, but with normative pressures, promoted by the regulators in the form of ‘manageable levers’ give a more meaningful reason to comply (FCA 2017). This could happen through developing a partnership between the ‘regulator and the regulated’ (Edwards and Wolfe 2005, p. 52). This link to a normative ethical framework was called for earlier in practitioner literature, with the need to prioritise an ethical motive within compliance culture (Newton 2001, p. 3). Highlighting the role of normative pressures, Duska (2011) contends that being ethical and following the law are not the same, as “It is not an adequate ethical standard to aspire to get through the day without being indicted” (Duska 2011, p. 22). In effect, normative pressures play an active role in the social construction of the legitimation process (Suddaby et al. 2017), which affects the professional conduct of individuals and hence the existence of a compliance culture within firms. Here, as Human and Provan (2000) shows, the process of legitimation is “not a monolithic or universal construct but, rather, varied as the field matured and emphasized different aspects of the organizational network over time.” (Suddaby et al. 2017, p. 25).

Malloy (2003) identified two attitudes of firms to normative ethical pressures. The first, which adopts a consequentialist normative ethical model, represents one of the rational egoist profit maximisers, obeying laws and regulations only when it is in the firm’s best economic interest, which serves particular stakeholders who are critical to the existence of the firm such as regulators and shareholders. This essentialist stance is more congruent with conceiving legitimacy as a property rather than a process. The second adopts a non-consequentialist normative model, where the firm abides with laws and beyond as matter of being duty bound and in good faith despite struggling with increasingly complicated and contradictory laws and regulation. Clearly, this attitude does not take into account any consequences regarding the firm or its affected stakeholder. Realistically, and paying attention that compliance can only happen at a cost (Malloy 2003), the model of the firm behaviour as a rational profit maximiser would have prevalence in reality, as managers analyse ‘regulation via a prism of costs and gains’ whilst appreciating the “commercial and reputational gains that can be extracted from effective compliance systems” (Gilad 2011, p. 310). However, the complexity of real world could make it difficult to make a compliance decision purely on cost vs ethical basis. Nielsen and Parker (2012) argue that compliance can be driven by three different motives: Economic (maximising economic utility), Social (earning approval and respect from stakeholders) and Normative (doing the right thing). Nielson and Parker (2012) suggest that each business would be holding a ‘plural of motives’ along this basis. Finally, the extant literature identifies that compliant behaviour might face certain barriers: perceived incentives to comply (incentives and sanctions, monitoring problems, and enforcement problems); willingness to comply (information and cognition problems, attitude and belief problems and peer effects); and capacity to comply (including resource and autonomy problems) (Weaver 2014). These views are consistent with considering that compliance could be based on a multiple dimension legitimacy notion, which is socially constructed by stakeholders including firms and regulators (Suddaby et al. 2017).

For other academics such as Harvey and Bosworth-Davies (2013, p. 5), compliance is a matter of culture, which stands as ‘taken for granted’ and unquestioned values that become embedded within organisations to an extent when procedures/guidelines are no longer necessary. These models can be linked clearly to the literature around compliance culture, with the underlying commitment to compliance through improved organisational culture. Although the responsibility for compliance ultimately remains with the board, compliance occurs naturally through the engagement of staff through normative ethical adoption of compliance culture. This is in direct contrast to ‘passive compliance’ whereby minimal compliance is sought at minimal expense in a ‘reactive’ fashion, with no improvement of conduct of business (Crump 2007). This is also discussed by Zaal et al. (2017), who highlight that there is a distinction between integrity and compliance, but that both approaches are relevant and complementary within organisations. Thus, if only ‘passive compliance’ is in place, and no integrity or normative ethical adoption of compliance culture, then compliance frameworks will break down.

Here, as the literature review shows, compliance culture is a complicated concept, which is socially constructed by the interaction of financial institutions and the environment where they are operating. Thus, understanding such concept requires devising an analytical approach that pays attention to its dynamic and context-specific nature which determines how it is diffused in the field (Meidinger 1987). This research fills the gap in the extant literature by investigating compliance culture from the financial institutions perspective rather than regulator’s perspective only (O’Brien et al. 2014; Ring et al. 2016). The analysis here is underpinned by the institutional theory (DiMaggio and Powell 1983; Perezts and; Picard 2015; Fashola 2014) and varying notions of legitimacy (Suddaby et al. 2017). We pay attention to the isomorphic processes of coercion, mimetic and normative actions (DiMaggio and Powell 1983) and their legitimating effect. More specifically, this paper investigates, first, the role of coercion by the regulators (in the UK, the FCA) through issue of fines, and the resulting impact on the violators. Second, it investigates the resulting response from the violators and the impact on role of other financial institutions (mimetic processes). Finally, the impact of normative responses are considered, by analysing the communication to stakeholders using messages about compliance culture. Inevitably, the paper demonstrates how this dynamic environment impacts the very notion of what legitimacy is. This development and alignment to isomorphic processes have been summarised in Fig. 2.

Fig. 2

Linking isomorphic processes to research questions and analysis of data


This paper undertakes a two-stage longitudinal in-depth website analysis of press releases of 23 non-compliant firms as well as the regulators’ in the period between 2013 and 2016. Our data collection and analysis are consistent with Snider et al. (2003) and Schreier (2012), whereby websites were selected based on the publicly available responses by firms fined (more than £0.5 million) by the FCA for compliance culture failing, and also in contrast firms which have been praised by the regulator for their approach. Appendices 1 and 2 list the extracts from FCA press releases and extracts from the respective company websites. The sample was selected from sanctioned firms in 2013/2014 (Appendix 1) and sanctioned firms in 2014 to 2016 (Appendix 2) relating to sanctions greater than £0.5 million and identifying issues with compliance and culture. Table 1 summarises and justifies the sample coverage of sanctioned firms within our analysis. Appendices 3–5 have been included to identify a contrasting analysis of positive compliance culture highlighted by the FCA during the period within the ‘Best of British’ Speech (FCA 2014d). The sample here is a smaller number of firms as identified specifically by the FCA.Footnote 10

Table 1 Sample coverage of sanctions

As suggested by Snider et al. (2003) and Schreier (2012), analysis included the following steps: first, the contents of the press release headlines were reviewed and all cases with sanctions against firms or individuals were identified. Second, the information was sorted and categorised resulting in the emergence of the following themes Coercive isomorphism—actions of the regulator pressuring violating banks; Mimetic isomorphism: violators’ regret statements; Normative isomorphism—learning, adapting, and collaborating in response to sanction; Normative isomorphism in endorsed firms. Our themes are indeed, driven from data analysis, based on constant comparison of one case to another (Snider et al. 2003; Strauss and Corbin 1990), but also guided by an existing theory i.e. institutional theory (Scott 2014). Stemler (2001) call these priori coding method, where categories/themes are established based on some theory. This serves here as an additional measure of rigorousness as indicated by Harris (2001). It must be mentioned here that it was not the discovery of new theory but to explore the response of violators and investigate whether the institutional pressures, namely, coercive, normative and mimetic isomorphism notion, could explain these responses. Thus, answering the research question: How is the UK financial institutions’ compliance culture shaped by the institutional environment and changing legitimacy claims?

This is consistent with the objective of QCA as a widely used approached in analysing discursive data such webpages and press releases with the aim of “interpret meaning from the content of text data” (Hsieh and Shannon 2005, p. 1277). QCA is also widely used in mainstream management journals (for examples please see Hite et al. (1988); Harris (2001); Jose et al. (2007); Bodolica and Spraggon (2015)). Within QCA, the quality aspects of reliability and validity are carefully observed, which are qualities borrowed from quantitative research (Schreier 2012). To account for inter-coder reliability, the researchers have followed Schreier’s (2012) advice regarding achieving consistency and reliability by verifying the coding scheme by the first author revisiting the data and coding at three points of time as well as discussions between the two authors to see if there is difference in understanding that would affect the coding scheme. In addition, the authors have worked closely on the project as such have established shared meaning of the coding. In the case of any differences, each coder was asked to revisit the coding, then a discussion took place to reach final agreement, as such, the categories included are those agreed by the two coders. According to Stemler (2001), there can be an element of agreement by a chance between the two coders; however, this risk was mitigated by (1) revisiting the themes by the coders at different points of time, (2) using theory aligned themes i.e. institutional theory driven, and (3) discussing any differences between the two coders, with the reported themes fully based on the shared understanding of the two coders.

Moreover, Schreier (2012) indicates that the coding scheme would be valid “to the extent that your categories adequately represent the concepts in your research question” (p. 7). Here, the main themes of Coercive isomorphism—actions of the regulator pressuring violating banks; Mimetic isomorphism: violators’ regret statements; Normative isomorphism—learning, adapting, and collaborating in response to sanction; Normative isomorphism in endorsed firms are all valid in addressing the papers’ main question above. This paper expands and extends on Ring et al. (2016) qualitative study, which focussed on 1 year of regulatory sanction notices during 2012 (from a regulatory perspective), to an extended longitudinal review of institutional responses, incorporating institutional theory. This compares the public message of firms relating to compliance culture, compared to violations (and resulting fines) that have been reported recently by the FCA.

This is an alternate qualitative methodology to an earlier study by Carretta et al. (2005). Of note, this earlier study adopted a quantitative textual analysis on a sample of Italian banking groups to explore culture. However, the focus on language is in line with prior studies. Here, we follow Schein (1985) and DiMaggio (1997) whose work support the analysis of culture through expressed vocabulary and analysis of written text (Carretta et al. 2005, p. 19). Analysis has been focused on extracts from each of the company’s website, which were found using keywords such as ‘compliance culture’, ‘culture’ and ‘risk management culture’.Footnote 11 To contrast this review of sanctioned firms’ responses to the regulator, a small sample of ‘non-sanctioned’ firms was also performed, alongside an analysis of the regulator’s message of good ‘culture’ within their annual report (see appendix 5) and publications.

Findings and Discussion

This section presents the findings, which are discussed in light of the institutional theory. The emphasis here is on exploring how the UK financial institutions’ compliance culture could be influenced by their interaction with the external institutional environment and in particular, the coercive, normative and mimetic isomorphism processes, and how the legitimation process accompanying the shift in the institutional landscape has been impacted, as discussed in the following sections. Table 2 summarises key quotes which have been aligned to institutional forces. The table presents sub-themes which are discussed in the following sections in turn.

Table 2 Alignment of key quotes from document review to institutional theory, highlighting emphasis of issues within both sanctioned and non-sanctioned firms

Coercive Isomorphism—Actions of the Regulator Pressuring Violating Banks

Analyses show that the FCA has issued significant amount of fines against non-complying firms in the period from 2013 to 2016, in an attempt to coerce compliance and eventually create the so-called ‘compliance culture’. In fact, the FCA was highly critical of the compliance culture of the violating firms. Coding shows that there were four themes of commentary from the FCA within the press releases. In the first theme, the FCA commented specifically on the deficiencies in the culture of the violating firms, while, in the second theme, the FCA commented on shortfalls in firms’ behaviour against their expectations. In addition, it was observed that the tone of FCA’s message changed to messages of cooperation in more recent releases (theme three). A final worrying trend was noticed in a minority of cases reviewed, whereby the violating firms appeared to have disregarded the regulator’s pressures or attempted to blame others (theme four). The four themes are further discussed in the following subsections.

Table 3 summarises the data collected in this research, listing institutions highlighted in FCA press releases, and sanctioned in excess of £0.5 million, which demonstrates coercion by the regulator in the forms of fines/sanctions issued.

Table 3 List of significant fines during period of analysis

Theme 1: Culture Deficiencies

Whilst discussing culture issues, the FCA commented on the misdirection of firms focus on profits, revenues, transaction quantity, and remuneration rather than measures relating to customer protection. Table 2 provides examples of quotes 1–4 as evidence of this theme in the press releases.

The regulator’s criticisms of culture align also to Malloy’s (2003) vision of the firm whereby firms act as rational profit maximisers, obeying laws and regulations, only when it is in the firm’s best economic interest (or in these cases, do not comply). It should also be acknowledged that in these instances, the coercive force of fines issued by the regulator is limited due to the ‘dysfunctional’ culture motivated by economic interests of revenue and profit generation.

Theme 2: Shortfall in Behaviours

The FCA also expressed ‘disappointment’ in their observations of these firms, and signal that the fines are as a result, and firms will “be held to account” if the FCA’s expectations are not met. Table 2 summarises quotes 5–10, which capture the regulator’s comments on behaviours and their disappointment thereon.

These quotes evidence the regulator’s coercive force, by communicating a regulatory stance which does not allow for shortcomings in firms’ performance against regulators expectations. There is an implicit tone that these behaviours are not tolerated, and action (sanction) and accountability must be taken within the violating firms.

Theme 3: Cooperative ‘Working Together’

In 2015, Martin Wheatley stepped down as CEO of the FCA and was replaced by Andrew Bailey early in 2016, indicative of a change in approach by the FCA. Therefore, the second round of analysis during the 2015/16 coincided with a change in attitude and leadership within the FCA. This was evident in the tone of some of the press releases reviewed for this period (as discussed within the literature review). Whilst criticism was still apparent in certain cases, the FCA highlighted the positive relationships fostered with the firms to move past the issues. Table 2 summarises quotes 11–14 which evidence this change in tone to more ‘proactive’ relationships and recognises the progress and action by firms.

The analysis of quotes 11–14 indicates that the FCA coercive stance has moved from a highly critical rhetoric, towards a movement of relationship building and collaboration to encourage firms to modify their regulatory compliance behaviours. This stance aligns also to the concept of legitimacy moving from an emphasis on legitimacy as property to a process through complementary involvement of all actors (Suddaby et al. 2017). Of note, legitimacy as a property or outcome will always remain core to policy objectives; however, the shift in emphasis on the process demonstrates a more and pragmatic approach that the regulator has adopted as a means to an end i.e. state of legitimacy.

During our analysis, we found difficulty in identifying praise of specific firm’s good culture/compliance by the FCA i.e. non-sanctioned firms used as exemplars. Usually we would expect to sees highlights of ‘good practice’ in thematic reviews. However, within the 2015/16 annual report it was announced that:

we considered that a thematic review would not be the most effective and efficient way to continue to support and drive continued culture change across the sector […] we will continue our work with individual firms (FCA 2015/16 Annual Report).

This extract does not detract from the ‘working together’ element. However, the lack of exemplars inhibits the impact of the regulators to coerce firms into adopting ‘good practice’ other than by use of sanction. More recently, FCA (2017) specifically calls for changes in culture and compliance by ‘publicising good behaviours’. However, this does not seem observable in practice during this review, which also will inhibit the impact of mimetic and normative isomorphism within the sector (which we will discuss in following sections).

Theme 4: Disregard for the Regulatory Response

Interestingly, the issue of fines by the regulator, and resulting communication seems does not seem to be completely effective, as still some individual firms have not responded to coercion by the regulator. Worryingly, in three instances (out of selection of ten for 2013/14 review), the website search did not find a press release in response to the regulators fine. This may be the deliberate intention of the organisations not to advertise failings of the past and to focus on the future. However, it may also indicate an ongoing disregard of linkage of compliance culture and duty to stakeholder communication. In addition, Quote 15 in Table 2 is noted to be deliberately concise. In this instance, the organisation does not follow the pattern of expressing regret (see later discussion of mimetic responses), and states only confirmation of ‘appropriate’ updates. This does not indicate a buy in by management of change in compliance culture within the organisation. Inherently, barriers to compliance may exist within these types of organisation through either an unwillingness to engage (Weaver 2014) or a lack of partnership with the regulators (Jackman 2001; Carretta et al. 2010). Notably, this is another instance where regulatory actions (sanctions) have not resulted in adjusted public face by the firms in respect to their dysfunctional compliance culture. This supports Parker (2006) who suggested that there are inherent pitfalls faced by regulators in the form of the ‘deterrence trap’ and the ‘compliance trap’. The deterrence trap (where penalties are not sufficient to deter misconduct) is considered manageable through ‘skilful’ use of responsive regulation (Parker 2006, p. 593). The deterrence trap appears to apply in these cases where penalties have not deterred misconduct (or any apparent changes to behaviour). Despite significant fines and sanction from regulators, the high profitably nature of the financial service industry may result in inappropriate behaviours for short-term gains. As exemplified within Quote 16, the message within the press release seemed to indicate an attitude that ‘it’s not our fault’.

The tone of this press release would indicate that the firm had taken all necessary measures to avoid the issue; however, this conflicts with the imposed fine and the message from the regulator (see quote 17).

Therefore, this is not particularly transparent from the publics’ perspective. The size of the fine and the tone adopted by the regulator would indicate serious issues in this case. However, the firm portrays the message that the issue was outside of their control, and that they did all they could. This is confusing for the public when trying to interpret this event, depending on whose viewpoint (the regulator or the firm) that they consider. This may indicate that this minority of firms have chosen to respond differently and follow a denial or defiance strategies (Lamin and Zaheer 2012) that dismisses the need to follow suit by issuing regret statements, or to relate the incident to factors beyond the firms’ control.

Overall, the review of the responses to regulatory action does indicate that coercive isomorphism has impacted the sector in the reviewed period. The press releases demonstrate the coercive pressure applied on violators, in the form of messages of culture deficiencies and shortfalls in expectations. There are also clear messages in the change of tone in both the regulatory response and the violators’ responses, in terms of cooperation. Positive movements indicating collaboration in working relationship become apparent in press releases that are more recent. More worrying is the attitude by a minority of the violators to apparently disregard the coercive forces. Still, the analysis shows that there is an isomorphic behaviour in response to this coercive pressure.

Mimetic Isomorphism: Violators’ Regret Statements

The idea of mimetic isomorphism was emphasised by Aldrich (1979) who considered that the most important factor that organisations must consider is other organisations, especially that competition between organisations is not only limited to customers and resources but also for “political power, institutional legitimacy... as well as economic fitness” (DiMaggio and Powell 1983, p. 150). In this case, the study findings show that offending companies follow suit in terms of issuing statements, which would safeguard their reputation in the market place. The violating firms are seen to issue similar responses to the regulator’s sanction in the form of regret statements, in order to meet the expectations of their stakeholders, and to maintain their reputation and legitimacy in the market.

National and multinational companies install codes of conduct and internal policies in accordance with corporate governance ‘best practice’ guidance, depending on jurisdiction. The expectation is that the majority of employees and management conform to these expectations; however, there will be a minority of offenders who seek ‘profitability through illegal means or outright fraud which they ‘regret’ when getting caught’ (Verhezen 2010, p. 188). The fined organisations websites were reviewed for press releases in response to the regulators actions. It is therefore interesting to analyse the content of press releases under this viewpoint of regret within quotes 18–22 in Table 2.

As the level of these fines was significant in value, it attracted media attention and impacts the public agenda (McCarthy and Dolfsma 2014). Therefore, stakeholders will have an expectation of an apology or regret from the violators. Hence, the regret statements issued by violators in response to mimetic pressures are an approach to gain legitimacy following transgression (Kondra and Hurst 2009, p. 40). This trend continued when further data were analysed for the period 2015/16. In the review of violators’ websites, the majority had released press statements in response to the regulators action. The expressions of regret and personal apology continued in some cases within the firm which corresponds to the earlier data from 2013/14, as illustrated in quotes 23–26.

The review performed on the later 2015/16 fines also indicated a lack of emphasis on compliance culture within the firms outward facing publications (website and press release). However, it must be acknowledged that firms perhaps view this as embedded within their ‘corporate governance’ publications. Moreover, there were some exceptions (see quotes 27–29 in Table 2) which comment specifically on compliance culture which may be viewed as a positive movement.

These messages are all positive towards culture. However, as highlighted by the former head of FSA (Hector Sants) it is nearly impossible for the regulator to ‘judge culture’ and indeed ‘enforce culture’ (O’Brien et al. 2014, p. 124). Instead, the focus of the regulator should be on the behaviours and outcomes demonstrated by the firms, and how culture delivers within these firms (FCA 2016b). This also aligns to the concept of legitimacy formed in a complementary fashion (Suddaby et al. 2017), whereby both ‘product’ in the form of observable behaviours and ‘process’ in the form of continued collaboration between the parties are an element of moving compliance culture towards a more legitimate form. Whilst these messages in press releases are all position firms as fostering good culture, the evidence of continued misdemeanour within the firms indicates worrying trends for the regulator.

This review of the responses of the violators indicates mimetic isomorphism has impacted the sector in the reviewed period. Overall, there is a theme of ‘regret’ statements being released by violating firms following sanctions, in an attempt to regain legitimacy within the market place, and amongst their stakeholders.

Normative Isomorphism—Learning, Adapting and Collaborating in Response to Sanction

Normative isomorphism leads to the adoption of similar practices amongst organisations within the same organisational field as a response to normative pressures. It highlights the impact of normative rules (values and norms) that lead to convergence through socialisation. Here the violators’ press releases and webpages have been interrogated for evidence of responses to these pressures to conform to expectations of professional norms and concepts of best practice from the industry. In the majority of cases, there is indication of ‘learning’ and ‘process change’ within the organisation which would align to the concepts of re-education and re-professionalisation, in line with normative pressure. An alternative approach is adopted in some press releases whereby the organisations argue that change in organisation supersedes these events. The statements continue to reflect conformity with expectations and norms of stakeholders, as exemplified within quotes 30–33 in Table 2.

Although not evidenced specifically, there would be an expectation of improved controls/processes/codes of conduct in line with industry expectations (set out by BBA during period of review, and more recently UK Finance 2017). Given the statements above from the violating firms’ press releases, we argue that the overall message of learning and improvement, communicated in the above quotes, is indeed reflective of changes in companies’ policies and systems and would result in re-professionalisation through further internal training and education.

Direct actions have also been demonstrated in the resignation of the Chairman as in the case of Rabobank, for instance. Moreover, other organisations have demonstrated change via appointment of a new Risk Officer, as in the case of Sesame. These publicised events could be linked to the social aspects motivating compliance to earn approval and respect (Nielson and Parker 2012) via direct action to enhance compliance. The publicised events are a direct attempt by violating firms to ‘restore’ reputation and legitimacy in the industry. On a related note, Barclays Bank has also recently publicised improvements to compliance training following issue of fines by both the UK and US regulator. This again gives an example of direct publicised action as an attempt to improve the bank’s track record in adhering to professional norms (Compliance Exchange 2014).

Normative Isomorphism Evidenced in Endorsed (Legitimate) Firms

The results of these actions have been compared to firms, which have not been sanctioned during the period, and in contrast have been ‘endorsed’ by the regulators. Within the review of non-sanctioned firms, there was also evidence of signalling by the entities to the FCA and wider stakeholders, of their continued conformity with normative expectations. Several of these firms were praised by the FCA in the ‘Best of British’ speech (FCA 2014d), for initiatives within the sector promoting trust, fairness and integrity. Despite these endorsements, it was acknowledged that several of these institutes have come under scrutiny from the regulator in the past (Cooperative Bank, 2012 Capital structure issuesFootnote 12; RBS, during the financial crisisFootnote 13; with Virgin Money stepping in to take over the troubled Northern Rock during the financial crisis).Footnote 14

In the press release, there is clear signalling of updates to ‘normative’ levers such as announcement of codes of conduct/ethical policy updates, and strengthening of governance oversight. Specifically, in the case of Cooperative Bank, there are numerous updates within press release of strengthening of the board, with a new Chief Executive and Deputy announced in 2013. Virgin Money also signals the strengthening of the board as seen in Table 2, quotes 34–35.

This meets normative aspects of presenting as strong board and governance structure; however, this differs from the direct (and reactive) actions required by the sanctioned, or troubled firms. The emphasis is on the word ‘continue’ whereby they signal that there is continuous improvement within the company. This press release indicates a strengthening of the internal senior management, unaffected by external forces/events to trigger change as evidenced in the use of word ‘continue’.

Whilst reviewing the press statements of RBS, there was acknowledgement of previous failings which evidences mimetic ‘regret statements’, which echo the response of sanctioned banks.

However, RBS also align to normative signalling of ‘learning’ and improvements to controls and structures, which is comparable to the response of sanctioned banks.

Alongside these signals within the sanctioned and non-sanctioned firms of alignment with normative expectations, there has also been clearer expectations set out by the FCA. During the period under review, the regulators have jointly issued the ‘Senior Managers Regime’ (Ernst and Young 2014), which promotes accountability of senior management (at the top of organisation) for regulatory compliance (replacing the Approved Persons Regime). This requires firms to have ‘Responsibility Maps’ in allocating governance and management responsibilities. In addition, any employee within organisations with responsibilities relating to regulated activities, must also engage in the ‘Certification Regime’. The purpose of these requirements is to change the norm of good practices and hence impact compliance culture (Ernst and Young 2014). Despite the changes to the regulator and the ‘changing set of rule books’, the  desired changes for accountability may not be realised if the regulator continue to have ‘little appetite’ to ensure responsibility within the banks (Haynes 2014). There were also positive messages of collaborative working relationships with the regulator to adopt the normative best practices as set by the regulator to underpin regulatory reforms. As Scott (2014) suggests, establishing these norms is effective in enhancing compliance, as it creates a logic of ‘appropriateness’ which complements the logic of ‘instrumentality’ of regulations. This can be demonstrated within quotes 38–40 by financial institutions in response to the normative regulator’s perspective.

Moreover, these quotes indicate a healthy movement of collaboration within the working relationship between the regulators and the banks supporting Edward and Wolfe’s (2004) partnership model. Indeed, this is also an example of complying with the pressure of adopting ‘best practice’ approach to regulatory relationship, as endorsed by the regulator and industry working groups (UK Finance 2017). Normative pressures would also include adoption of best practice codes of conduct endorsing culture across the firm (FRC 2016). Here, analysis has shown that several organisations did allow open access to the code of conduct.

To summarise, normative pressures facing violators do appear to result in isomorphism, as evidenced through acknowledgement of learning and change required within the violating firms. However, these actions will result in long-term strategic initiatives (such as new training program adopted by Barclays) rather than purely short-term responses. Therefore, whilst there are some instances of direct action to evidence re-professionalisation through new leadership, or new processes, these will result in longer-term impact within the organisations (in comparison to the earlier discussed pressures and responses from a coercive and mimetic perspective). There are similarities evident in both sanctioned and non-sanctioned firms in how they signal their alignment to normative expectations of the regulator and wider sector. All actors may attribute this signalling to the pursuit of legitimacy.

Table 4 summarises the coercive, mimetic and normative pressures and associated organisational responses discussed in this section and earlier within the literature review.

Table 4 Mechanisms of change within compliance culture and pursuit of legitimacy—expectations and findings aligned to Institutional Theory.

A State of ‘Evolutionary Compliance’?

Underpinned by institutional theory (Scott 2014), the overall finding of this study can be summarised in Fig. 3 as a state of evolutionary compliance. Here, the public face of the majority of violators’ websites did not reconcile fully with the concept of compliance culture indicated in Fig. 1, issued by the FSA/FCA as an earlier attempt to promote clearer vision, transparency, and communication as essential attributes driving compliance culture within the firm. The compliance culture messages of the organisations selected within this review did not appear to be transparent or easily searchable within the companies’ public face—the companies’ webpages. As presented in the findings, the majority of the firms have expressed regret statements, following regulatory sanctions, which is in line with stakeholder expectations. However, it may be arguable what they do regret—the original misdemeanours, or getting caught?

Fig. 3

The interplay of coercive, mimetic and normative forces impacting evolutionary compliance, offset by dysfunctional culture in offending firms

It is difficult to gauge the compliance models adopted within the violating firms as the transparency of the compliance culture message is weak in all cases, as evident from the extensive website review and analysis. However, given the regulators stance and fines imposed it may be assumed that the firms are all demonstrating negative attributes of compliance culture within their selected compliance function models. The actions of the selected violators are also argued to align more towards the coercive aspect of institutional theory, under the formal pressures exerted by the regulators. Thus, they have acted reactively, issuing regret statements in response to the fine, rather than proactively as a measure of self-regulatory controls.

As shown in Fig. 3, the violating firms in the sector are in a state of cyclical ‘evolutionary compliance’ rather than the more widely recognised state of ‘compliance culture’. All firms within the sector are subject to institutional pressures, with coercive forces set by the tone of the regulator, and the wider media which represents public voice. Indeed, there are similarities noted in the press releases of non-sanctioned firms to the sanctioned firms to align to normative pressure. Evolutionary compliance is heavily influenced by normative forces and the underlying theoretical literature base on compliance approach, which drives education and CPD within the profession. Finally, and most specifically identified in cases of non-compliance, mimetic forces are evident in the form of regret statements and structural reform, to restore legitimacy in the sector. Underpinning the model is an assumption that there is a dysfunctional culture within the industry due to competing economic motivations, which weakens evolutionary compliance through isomorphic change.

In addition, the perceived actions of violators cannot be linked to any one model of compliance behaviour which indicates a divide between the academic literature and the world of practice. Discrete and polar actions are often described in academic models which were discussed in the earlier literature review on anti and pro compliance (Jenkinson 1996); partnership with the regulator (or lack of partnership?) (Edwards and Wolfe 2004); two visions of ‘rational profit maximisers’ and ‘law abiding actors (Malloy 2003); and economic, social and normative’ models (Nielson and Parker, 2012). This leads to a complexity in normative forces and consequent firm responses, due to regulatory uncertainty and thus definition of what is the compliance ‘best practice’ and education. Moreover, there is a complexity created by regulatory flux, whereby the regulatory landscape is constantly evolving and as such this can lead to weakness of mimetic forces, as firms are uncertain who and what to follow in terms of ‘compliance culture’.

The significant theoretical contribution of this paper is to present the model for evolutionary compliance. This interlinks to underpinnings of institutional theory by highlighting the alignment of the regulatory pendulum, and thus the cyclical emphasis of isomorphic forces. Thus, it can be observed in the case of the regulator, even in the period under review there has been a changeover from emphasis on coercive style of regulator (with significant fines issued following the financial crisis), to an emphasis on normative pressures on firms in recent years. The regulator themselves highlight the point in their annual report 2015/16 whereby:

Regulatory arbitrage, at least in the conduct arena, is a game no longer worth playing […] to give credit where it is due, much of this is the result of firms’ efforts to improve their business models and culture to meet our expectations FCA Annual Report, 2015/16, p. 6.

We must mention here that the change in the regulatory approach has marked a change in the legitimation process from mainly being driven by legitimacy achieved through the coercive pressures of legally sanctioned rules to a more collaborative dynamic legitimation process (Suddaby et al. 2017). Here, legitimacy is more process oriented and outcome focused, in comparison to being outcome focused only under the older regulatory approach. This means that the definition of legitimacy and the process to achieve is now more dynamic and interactive. This interactive process of collaboration between the regulator and both non-complying and complying firms is evident in the data analysed in this paper (and directly in the quote above from the FCA’s annual report). The current regulatory and firm approach to compliance culture is reliant on an agenda of transparent communication between the multiple actors within the sector. As evidenced in the evolutionary compliance model, the balance of the isomorphic forces has changed over time, and this interlinks directly with the resulting flux in the concept of legitimacy within the sector. Thus, out of the three institutional pressures discussed, normative and mimetic pressures are gaining higher prominence in the evolutionary compliance culture, while the coercion is relegated. Of note, here the change in the legitimation process has an important implication on enhancing a substantive change in the policies and practices of financial institutions. As Zajac and Westphal (1995) indicated that firms can take “an action that is partly or even largely symbolic, representing a possible decoupling of actual... practices from formal arrangements” (P. 367). In the context of this paper, this would simply mean that regret statements do not constitute any real changes in practices, but only represent a symbolic statement that attempts to manipulate the reader. This could be possible if legitimacy is regulatory driven and firms can issue statements with the aim to ‘tick-the-box’, however, with a more process orientated, dynamic, and outcome orientated legitimation, decoupling becomes tougher than ever.

Next Steps–Embracing a ‘Holistic’ Approach to Compliance

The paper argues for a holistic approach for compliance, defining holistic whereby key actors have to work together cooperatively to achieve progress regarding compliance. More specifically, compliance officers have to work closely with regulators, internally within the firm and also externally with other firms within the sectors to make this happen. The need for this holistic approach links to the change in the legitimation process, which is now outcome focussed and requires collaboration between firms and the regulator. It is also holistic, as the identification of the objectives of compliance is related to a wide range of stakeholders’ interests, which should be considered and embedded. As such, the model of evolutionary compliance implicitly implies that within the real-world financial services the concept of a holistic approach towards regulatory compliance is adopted by all relevant actors in order to move towards compliance culture. Those that fail to adopt the spirit of regulation, and fail to understand the wider implication of their compliance approach on the wider sector will inevitably fail within the evolutionary cycle.

Conclusion, Limitations and Future Research

This study shows that there is a state of evolutionary compliance culture fuelled by three institutional pressures. Firstly, the study shows that coercive isomorphism has impacted the sector in the reviewed period. Whereby the regulator has issued fines as well as messages of culture deficiencies and shortfalls in expectations. This has coerced the violating companies to respond by issuing similar messages of regret and structural changes regarding moving towards a complain culture promoted by the regulator. On a related note, in some cases, we have observed that the issue of fines by the regulator, and resulting communication seems to be not completely effective, as still some individual firms have not responded to coercion by the regulator. This could be attributed to firms acting in a profit maximising capacity, with economic motivations outperforming the coercive, mimetic and normative pressures. This could be linked in this study, to the concept of the deterrence trap introduced by Parker (2006), or simply that this minority of firms have chosen to respond differently and follow a defiance or denial strategy (Lamin and Zaheer 2012), that dismisses the need to follow suit by issuing regret statements or relate transgression to factors beyond the firm’s control, respectively.

The study shows that the regulator and financial institutions interact in what can best be described as an ongoing evolution of a compliance culture. Here, there is a change of tone in both the regulatory and the violators’ responses, in terms of cooperation. Positive movements indicating collaboration in working relationship become apparent in more recent press releases. Secondly, the study shows that the regulatory pressures are underpinned by a concurrent normative pressure leading to violators’ acknowledgement of learning and change required. In effect, these actions will result in long-term strategic initiatives (such as new training program adopted by Barclays) rather than purely short-term responses. Therefore, whilst there are some instances of direct action to evidence re-professionalisation through new leadership, or new processes, these will result in longer-term impact within the organisations (in comparison to the earlier discussed pressures and responses from a coercive and mimetic perspective). Thirdly, the study shows that there is a mimetic isomorphic pressure, which entice violators to follow suit in terms of issuing statements that would safeguard their reputation in the market place. The violating firms are seen to issue similar responses to the regulators sanction in the form of regret statements, to meet the expectations of their stakeholders, and to maintain their reputation and legitimacy in the market. However, legitimacy is now defined within an interactive process mainly between the regulator and firms. This could be useful in avoiding ticking the box compliance culture and could mean that the regulatory approach is more pragmatic, and hence, could be more responsive to the dynamic business environment, where the compliance culture continues to evolve.

This study has shown the interplay between the regulators and violating firms to address the overall research question; How is the UK financial institutions’ compliance culture shaped by the institutional environment and changing legitimacy claims? Compliance culture remains an area of concern for the regulator, on which they have clearly reacted in the form of sanctions, and issue of policy guidelines, practitioners continue to flaunt the rules despite continued public and media attention (Yeung 2002; Zubic and; Sims 2011). It has been observed that public awareness of these fines is largely controlled by media interest, which is then seen to impact public agenda and risk perceptions (McCarthy and Dolfsma 2014). Based on above discussion, the main conclusion here is that the violating firms in the sector are in a state of cyclical ‘evolutionary compliance’ rather than the more widely recognised state of ‘compliance culture’.

This paper is not without limitations. As acknowledged within the introduction a pragmatic approach was adopted, with an exploratory in-depth review of both the regulator and a longitudinal sample of violating firms’ websites to carry out an initial study around the issue of compliance culture. The longitudinal nature of this review has spanned a change in the approach by the regulator from the ‘shoot first, ask questions later approach’. Further empirical evidence will need to be gathered in order to present conceptual models to the academic community. Some of the themes identified within our qualitative review may be complimented by future quantitative analysis. One such area, would be to explore the FCA’s criticism of the focus on profits and revenues within violating firms, and whether such measures are indeed an indicator of compliance breakdown. Another potential area to complement this paper would be to review data on other specific governance indicators (such as ownership structures, appointment of independent directors) in order to measure the changes that influence compliance culture. Therefore, this paper calls for future research into this area, including contribution from practitioners, in order to address the gap between academic literature and practice. As this is a particularly sensitive area, alongside the quantitative data collection suggested above, this area would also benefit from data collected within a qualitative interview setting with practitioners. In addition, the focus of this paper has been on the UK regulator/banking sector relationship. Although many of the institutions are multinational in nature, their ‘public face’ may vary between jurisdictions. There are also ongoing scandals across different regulatory regimes indicating that the compliance culture problem is an ongoing issue. For example, the breadth of non-compliance evidenced in the recent case in Wells Fargo (which resulted in $185 million fine, and termination of employment of 5,300 employees) would indicate an interesting avenue for case study research in this area of compliance culture.Footnote 15 In addition, given recent calls for the audit of culture in the sector (UK Finance 2017), this is an interesting avenue for future research, when the industry will be required to report directly to the regulator in future.


  1. 1.

    However, this would not account for instance of non-compliant behaviours which may be ‘under the radar’ and unidentified by the regulator.

  2. 2.

    Whereas, compliance risk addresses the risk of legal or regulatory sanctions, material financial loss, or loss to reputation that a bank may suffer as a result of failure to comply with applicable laws, regulations, rules, related self-regulatory organisation standards, and codes of conducts (BASEL 2005).

  3. 3.

    This is explored within following literature review, including authors such as Jackman (2001), and Calcott (2010) who discuss the extremes of compliance approaches.

  4. 4.

    A range of media articles discuss the appointment of Andrew Bailey including: accessed February 2016.

  5. 5.

    See enforcement actions at

  6. 6.


  7. 7.

    For example, strict adherence to codes of conduct and ethics apply from legal and accounting professions. See

  8. 8.

    See press release for details,

  9. 9.


  10. 10.

    As highlighted with Appendix 5 during our analysis, we found difficulty in identifying praise of specific firm’s culture/compliance by FCA. Usually we would expect to see highlights of ‘good practice’ in thematic reviews. However, within the 2015/16 annual report it was announced that “we considered that a thematic review would not be the most effective and efficient way to continue to support and drive continued culture change across the sector. Instead, we decided that the most effective way to achieve this was to continue to engage individually with firms, as well as supporting other initiatives outside the FCA. We have not changed our views about the importance of firm culture and we will continue our work with individual firms” (2015/2016 Annual Report). As an alternative method of analysis the annual reports were searched to review the emphasis on culture by the FCA year on year in Appendix 5. In order to identify examples of good practice (highlighted in Appendix 4) we have used firms identified within the ‘Best of British’ speech by Tracey McDermott (FCA 2014d), these organisations were included as exemplars of good ‘culture’ and ‘trust’ messages within the sector. Therefore, the press releases of Cooperative Bank, Nationwide, RBS and Virgin Money were selected as a sample. However, also to note that RBS was fined during 2014 as part of the wider, systemic LIBOR issues in 2014.

  11. 11.

    Risk management and compliance are often seen as inextricably interlinked within the professional landscape in the UK, whereby compliance officer and risk manager are used for the role. However within the literature Haynes (2005) is critical of the overlaps of roles in some organisations, whereby roles of “risk management” and “risk based compliance” (and other control functions) should not be blurred.

  12. 12.

    See discussion of the capital shortfall issues in the bank, and the regulators criticism of the institute without official sanction.

  13. 13.

    There are ongoing criticism of both the role of management of RBS and the then regulator the FSA within media coverage. and further background to this case.

  14. 14.


  15. 15.



  1. Akhigbe, A., & Martin, A. D. (2006). Valuation impact of Sarbanes-Oxley: Evidence from disclosure and governance within the financial services industry. Journal of Banking and Finance, 30, 989–1006.

    Article  Google Scholar 

  2. Aldrich, H. (1979). Organizations and Environments. Englewood Cliffs, NJ: Prentice-Hall.

    Google Scholar 

  3. Alfon, I. (1996). Cost benefit analysis and compliance culture. Journal of Financial Regulation and Compliance, 5(1), 16–22.

    Article  Google Scholar 

  4. Arora, S., & Gangopadhyay, S. (1995). Towards a theoretical model of voluntary over compliance. Journal of Economic Behaviour and Organisation, 28, 289–309.

    Article  Google Scholar 

  5. Ayres, I. (2013). Responsive regulation: A co author’s appreciation. Regulation & Governance, 7, 145–151.

    Article  Google Scholar 

  6. Ayres, I., & Braithwaite, J. (1992). Responsive Regulation: Transcending the Deregulation Debate. Oxford: Oxford University Press.

    Google Scholar 

  7. Bamberger, K. A. (2010). Technologies of compliance: Risk and regulation in a digital age. Texas Law Review, 88(4), 669–739.

    Google Scholar 

  8. Barry, M. (2002). Why ethics and compliance programs can fail. Journal of Business Strategy, 23(6), 37–40.

    Article  Google Scholar 

  9. Basel Committee on Banking Supervision (2005). Compliance and the compliance function in banks. Retrieved July 28, 2012, from

  10. Bodolica, V., & Spraggon, M. (2015). An examination into the disclosure, structure, and contents of ethical codes in publicly listed acquiring firms. Journal of Business Ethics, 126(3), 459–472.

    Article  Google Scholar 

  11. Buller, J., & Lindstrom, N. (2013). Hedging its bets: the UK and the politics of European financial service regulation. New Political Economy, 18(3), 391–409.

    Article  Google Scholar 

  12. Bussmann, K. D., & Niemeczek, A. (2017). Compliance through company culture and values: An international study based on the example of corruption prevention. Journal of Business Ethics,

    Article  Google Scholar 

  13. Calcott, P. (2010). Mandated self-regulation: The danger of cosmetic compliance. Journal of Regulatory Economics, 38, 167–179.

    Article  Google Scholar 

  14. Carretta, A., Farina, V., & Schwizer, P. (2005). Banking regulation towards advisory: Theculture complianceof banks and supervisory authorities. MPRA Paper No. 8302, Retrieved August 4, 2014, from

  15. Carretta, A., Farina, V., & Schwizer, P. (2010). The “day after” Basel 2: Do regulators comply with banking culture? Journal of Financial Regulation and Compliance, 18(4), 316–332.

    Article  Google Scholar 

  16. Compliance Exchange (2014). Barclays spending millions on truthfulness training at new compliance academy. Retrieved July 14, 2014, from

  17. Crump, J. (2007). Passive vs. active compliance. Bank Accounting & Finance, 20(2), 45–48.

    Google Scholar 

  18. DiMaggio, P. J. (1997). Culture and cognition. Annual review of Sociology, 23, 263–287.

    Article  Google Scholar 

  19. Dimaggio, P. J., & Powell, W. W. (1983). The iron cage revisited: Institutional isomorphism and collective rationality in organizational fields. American Sociological Review, 48(2), 147–160.

    Article  Google Scholar 

  20. Duska, R. F. (2011). Those darn compliance rules. Journal of Financial Service Professionals, 65(5), 22–24.

    Google Scholar 

  21. Edwards, J. (2003). Individual and corporate compliance competence: An ethical approach. Journal of Financial Regulation and Compliance, 11(3), 225–235.

    Article  Google Scholar 

  22. Edwards, J., & Wolfe, S. (2004). The compliance function in banks. Journal of Financial Regulation, 12(3), 216–224.

    Article  Google Scholar 

  23. Edwards, J., & Wolfe, S. (2005). Compliance: A review. Journal of Financial Regulation and Compliance, 13(1), 48–59.

    Article  Google Scholar 

  24. English, S., & Hammond, S. (2012). Cost of Compliance, 2012. Thomson Reuters, Retrieved November 12, 2015, from

  25. English, S., & Hammond, S. (2015). Cost of Compliance, 2015. Thomson Reuters, Retrieved November 12, 2015, from

  26. Ernst and Young (2014). Senior Managers on the Hook. Retrieved June 03, 2015, from

  27. Fashola, O. I. (2014). Banking and the Customer: A Neo-Institutional Reconfiguration. Research Journal of Finance and Accounting. Retrieved June 05, 2015, from

  28. FCA (2013). ICAP Europe Limited fined £14 million for significant failings in relation to LIBOR. Dated 25/09/2013, Retrieved June 25, 2014, from

  29. FCA (2013a). The importance of culture in driving behaviours of firms and how the FCA will assess this. Dated 18/07/2013, Retrieved March 1, 2016, from

  30. FCA (2013b). Final Notice Lloyds TSB Bank plc. Dated 10/12/13, Retrieved June 25, 2014, from

  31. FCA (2013c). Firm fined £1.8 million. Dated 19/12/13, Retrieved June 25, 2014, from

  32. FCA (2013d). JPMorgan Chase Bank N.A. fined £137,610,000. Dated 19/10/2013, Retrieved June 25, 2014, from

  33. FCA (2013e). Final Notice Sesame. Dated 05/06/2013, Retrieved June 25, 2014, from

  34. FCA (2013f). FCA fines Rabobank £105 million for serious LIBOR-related misconduct. Dated 29/10/2013, Retrieved June 25, 2014, from

  35. FCA (2014). Wonga to pay redress for unfair debt collection practices. Dated 25/06/2014, Retrieved March 22, 2017, from

  36. FCA (2014a). Martin Brokers (UK) Ltd fined £630,000 for significant failings in relation to LIBOR. Dated 20/05/2014, Retrieved June 25, 2014, from

  37. FCA (2014b). Final Notice State Street. Dated 30/01/2014, Retrieved March 22, 2014, from

  38. FCA (2014c). HomeServe fined £30 million for widespread failings. Dated 13/02/14, Retrieved March 22, 2014, from

  39. FCA (2014d). Best of British Conference. Retrieved January 31, 2018, from

  40. FCA (2015a). FCA fines Threadneedle Asset Management Limited £6 m. Dated 15/12/15, Retrieved March 22, 2017, from

  41. FCA (2015b). FCA fines Barclays £72 million for poor handling of financial crime risks. Dated 26/11/2015, Retrieved March 22, 2017, from

  42. FCA (2015c). Lloyds Banking Group fined £117 m. Dated 05/06/2015, Retrieved March 22,, from

  43. FCA (2015d). FCA fines Barclays £284,432,000 for forex failings. Dated 20/5/2015, Retrieved March 22, 2017, from

  44. FCA (2015e). Deutsche Bank fined £227 million. Dated 23/04/2015, Retrieved March 22, 2017, from

  45. FCA (2015f). FCA fines Merrill Lynch International £13.2 million for transaction reporting failures. Dated 22/4/2015, Retrieved March 22, 2017, from

  46. FCA (2015g). FCA fines The Bank of New York Mellon London branch. Dated 15/4/2015, Retrieved March 22, 2017, from

  47. FCA (2015h). Clydesdale Bank fined £20,678,300 for serious failings. Dated 14/4/2015, Retrieved Retrieved March 22, 2017, from

  48. FCA (2015i). The Financial Conduct Authority imposes £2.1 m fine and places restriction on Bank of Beirut after it misled the regulator. Dated 5/3/2015, Retrieved March 22, 2017, from

  49. FCA (2015j). FCA fines Aviva Investors £17.6 m for systems and controls failings. Dated 24/2/2015, Retrieved March 22, 2017, from

  50. FCA (2015k). Almost 4,000 customers due redress totalling £1.7 million from payday firm CashEuroNet. Dated 4/11/2015, Retrieved March 22, 2017, from

  51. FCA (2015l). Payday lender Dollar to provide £15.4 million redress to over 147,000 customers. Dated 26/10/2015, Retrieved March 22, 2017, from

  52. FCA (2015m). Payday lender Cash Genie to provide £20 million redress to over 92,000 customers. Dated 27/7/2015, Retrieved March 22, 2017, from

  53. FCA (2016). Behaviours and Compliance in Organisations: Occasional Paper 24. Retrieved January 31, 2018, from

  54. FCA (2017). Culture and conduct—extending the accountability regime. Retrieved January 31, 2018, from

  55. FRC (2016). Corporate Culture and the role of Boards. Retrieved July 20, 2017, from

  56. FSA (2007). Treating customers fairly—culture. Retrieved June 25, 2014, from

  57. Garcia, V. (2004). Seven points financial services institutions should know about IT spending for compliance. Journal of Financial Regulation and Compliance, 12(4), 330–339.

    Article  Google Scholar 

  58. Gilad, S. (2011). Institutionalizing fairness in financial markets: Mission impossible? Regulation and Governance, 5, 309–332.

    Article  Google Scholar 

  59. Harris, H. (2001). Content analysis of secondary data: A study of courage in managerial decision making. Journal of Business Ethics, 34(3–4), 191–208.

    Article  Google Scholar 

  60. Harvey, J., & Bosworth-Davies, R. (2013). Drawing the line in the sand: Trust, integrity and regulatory misdemeanour. Security Journal, 29, 1–18.

  61. Haynes, A. (2005). The effective articulation of risk-based compliance in banks. Journal of Banking Regulation, 6(2), 146–162.

    Article  Google Scholar 

  62. Haynes, A. (2014). Financial services: All change or new cosmetics? Company Lawyer, 35(5), 129.

    Google Scholar 

  63. Hendricks, K., & Singhal, V. (1996). Quality Awards and the market value of the firm: An empirical investigation. Georgia Tech. Management Science, 42(3), 415–436.

    Article  Google Scholar 

  64. Henry, D. (2008). Corporate Governance structure and the valuation of australian firms: Is there value in ticking the boxes. Journal of Business & Accounting, 35, 912–942.

    Article  Google Scholar 

  65. Hite, R. E., Bellizzi, J. A., & Fraser, C. (1988). A content analysis of ethical policy statements regarding marketing activities. Journal of Business Ethics, 7(10), 771–776.

    Article  Google Scholar 

  66. Hsieh, H. F., & Shannon, S. E. (2005). Three approaches to qualitative content analysis. Qualitative Health Research, 15(9), 1277–1288.

    Article  Google Scholar 

  67. Human, S. E., & Provan, K. G. (2000). Legitimacy building in the evolution of small-firm multilateral networks: A comparative study of success and demise. Administrative Science Quarterly, 45(2), 327–365.

    Article  Google Scholar 

  68. Interligi, L. (2010). Compliance culture: A conceptual framework. Journal of Management and Organization, 16, 235–249.

    Article  Google Scholar 

  69. Jackman, D. (2001). Why comply? Journal of Financial Regulation and Compliance, 9(3), 211–217.

    Article  Google Scholar 

  70. Jenkinson, D. (1996). Compliance culture. Journal of Financial Regulation and Compliance, 4(1), 41–46.

    Article  Google Scholar 

  71. Jose, A., & Lee, S. M. (2007). Environmental reporting of global corporations: A content analysis based on website disclosures. Journal of Business Ethics, 72(4), 307–321.

    Article  Google Scholar 

  72. Kondra, A. Z., & Hurst, D. C. (2009). Institutional processes of organizational culture. Culture and Organization, 15(1), 39–58.

    Article  Google Scholar 

  73. Lamin, A., & Zaheer, S. (2012). Wall Street vs. Main Street: Firm strategies for defending legitimacy and their impact on different stakeholders. Organization Science, 23(1), 47–66.

    Article  Google Scholar 

  74. Malloy, T. F. (2003). Regulation, compliance and the firm. Temple Law Review, 76(3), 451–531.

    Google Scholar 

  75. McCarthy, K. J., & Dolfsma, W. (2014). Neutral media? Evidence of media bias and its economic impact. Review of Social Economy, 72(1), 42–54.

    Article  Google Scholar 

  76. Meidinger, E. (1987). Regulatory culture: A theoretical outline. Law & Policy, 9(4), 355–386.

    Article  Google Scholar 

  77. Morton, J. C. (2005). The development of a compliance culture. Journal of Investment Compliance, 6(4), 59–66.

    Article  Google Scholar 

  78. Newton, A. (2001). Compliance is not enough: getting the ethical culture right in your firm. Retrieved July 2, 2014, from

  79. Nielsen, V. L., & Parker, C. (2012). Mixed motives: Economic, Social and normative motivations in business compliance. Law and Policy, 34(4), 428–462.

    Article  Google Scholar 

  80. O’Brien, J., Gilligan, G., & Miller, S. (2014). Culture and the future of financial regulation: how to embed restraint in the interests of systemic stability. Law and Financial Markets Review, 8(2), 115–133.

    Article  Google Scholar 

  81. Oliver, C. (1991). Strategic responses to institutional processes. Academy of Management Review, 16(1), 145–179.

    Article  Google Scholar 

  82. Parker, C. (2000). The ethics of advising on regulatory compliance: autonomy or interdependence? Journal of Business Ethics, 28, 339–351.

    Article  Google Scholar 

  83. Parker, C. (2006). The ‘Compliance Trap’: The moral message in responsive regulatory enforcement. Law and Society Review, 40(3), 591–622.

    Article  Google Scholar 

  84. Pérezts, M., & Picard, S. (2015). Compliance or comfort zone? The work of embedded ethics in performing regulation. Journal of Business Ethics, 31(4), 1–20.

    Google Scholar 

  85. PRA (2014). The use of PRA powers to address serious failings in the culture of firms. Retrieved June 25, 2014, from

  86. Ring, P. J., Bryce, C., McKinney, R., & Webb, R. (2016). Taking notice of risk culture—The regulators approach. Journal of Risk Research, 19(3), 364–387.

    Article  Google Scholar 

  87. Rossi, C. L. (2010). Compliance: An over-looked business strategy. International Journal of Social Economics, 37(10), 816–831.

    Article  Google Scholar 

  88. Schein, E. H. (1985). Organizational Culture And Leadership. San Francisco: Jossey-Bass.

    Google Scholar 

  89. Schreier, M. (2012). Qualitative Content Analysis in Practice. Thousand Oaks: Sage Publications.

    Google Scholar 

  90. Scott, W. S. (2014). Institutes and Organizations: Volume 4. Thousand Oaks: Sage Publishing.

    Google Scholar 

  91. SEC (2003). The Culture of Compliance. Speech by Lori Richards, Director, Office of Compliance Inspections and Examinations, US Securities and Exchange Commission, April 23, 2003, Retrieved July 9, 2014, from

  92. Snider, J., Hill, R. P., & Martin, D. (2003). Corporate social responsibility in the 21st century: A view from the world’s most successful firms. Journal of Business Ethics, 48(2), 175–187.

    Article  Google Scholar 

  93. Stemler, S. (2001). An overview of content analysis. Practical Assessment, Research & Evaluation, 7(17), 137–146.

    Google Scholar 

  94. Strauss, A., & Corbin, J. M. (1990). Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Thousand Oaks: Sage Publications, Inc.

    Google Scholar 

  95. Suchman, M. C. (1995). Managing legitimacy: Strategic and institutional approaches. Academy of Management Review, 20(3), 571–610.

    Article  Google Scholar 

  96. Suddaby, R., Bitektine, A., & Haack, P. (2017). Legitimacy. Academy of Management Annals, 11(1), 451–478.

    Article  Google Scholar 

  97. Sutton, R. I., & Callahan, A. L. (1987). The stigma of bankruptcy: Spoiled organizational image and its management. Academy of Management Journal, 30(3), 405–436.

    Google Scholar 

  98. UK Finance (2017). Auditing your culture: How to exceed the FCA’s expectations. Advertised event September 2017.

  99. Verhezen, P. (2010). Giving voice in a culture of silence. From a culture of compliance to a culture of integrity. Journal of Business Ethics, 96, 187–206.

    Article  Google Scholar 

  100. Weaver, R. K. (2014). Compliance regimes and barriers to behavioral change. Governance, 27(2), 243–265.

    Article  Google Scholar 

  101. Yeung, K. (2002). Is the use of informal adverse publicity a legitimate regulatory compliance technique? Paper presented at the Australian Institute of Criminology Conference on Current Issues in Regulation: Enforcement and Compliance, Melbourne 2–3 September. Retrieved June 20, 2014, from

  102. Zaal, R. O., Jeurissen, R. J., & Groenland, E. A. (2017). Organizational architecture, ethical culture, and perceived unethical behavior towards customers: evidence from wholesale banking. Journal of Business Ethics.

    Article  Google Scholar 

  103. Zajac, E. J., & Westphal, J. D. (1995). Accounting for the explanations of CEO compensation: Substance and symbolism. Administrative Science Quarterly, 40(2), 283–308.

    Article  Google Scholar 

  104. Zubcic, J., & Sims, R. (2011). Examining the link between enforcement activity and corporate compliance by Australian companies and the implications for regulators. International Journal of Law and Management, 53(4), 299–308.

    Article  Google Scholar 

  105. Zyglidopoulos, S. C., Fleming, P. J., & Rothenberg, S. (2009). Rationalization, overcompensation and the escalation of corruption in organizations. Journal of Business Ethics, 84(S1), 65–73.

    Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Wendy Mason Burdon.

Ethics declarations

Conflict of interest

All authors declared that they have no conflict of interest.

Ethical Approval

This article does not contain any studies with human participants or animals performed by any of the authors.


Appendix 1 Review Between 2013 and 2014

See Table 5.

Table 5 Extracts from website search of firms in recent violations/violations under compliance culture search

Appendix 2 2015/2016 Review 2015 Onwards

This review involved interrogation of all FCA press release based on date i.e. 2014/2015/2016. The contents of press release headlines were reviewed and in cases where sanctions against firms or individual were identified, these articles were reviewed further (when quote fines greater than £500K). In 2015 a total of 654 press releases were reviewed. These were further refined to review fines of over £500K related to firms providing financial services. In addition, items relating to redress to customers greater than £0.5m were also noted.

(sourced via FCA press releases > 500K fine)
What the FCA said Firms compliance/culture message Website source
Threadneedle Asset Management Limited (TAML) fined £6.0 m (FCA 2015a) “The FCA considers these failings to be particularly serious because the deficiencies allowed a fund manager to initiate, execute and book a $150 million trade which, had it settled, could have caused a $110 million loss to the relevant client funds.” Press Release: “Threadneedle Asset Management Ltd notes today’s statement and financial penalty issued by the Financial Conduct Authority (FCA). In August 2011 Threadneedle was the intended victim of an attempted fraudulent trade involving collusion between a Threadneedle employee, an external broker and an FSA regulated entity. Threadneedle identified and stopped the trade and reported it to the FSA. There was no loss to Threadneedle or any client of Threadneedle. The employee concerned was dismissed.”
No search functionality exists (at time of review Feb 2016)
No particular messages on compliance culture evident other than a general section on corporate responsibility.
Barclays fined £72.0 m (relating to transaction in 2011/2012)
(FCA 2015b)
“Barclays applied a lower level of due diligence than its policies required for other business relationships of a lower risk profile. Barclays did not follow its standard procedures, preferring instead to take on the clients as quickly as possible and thereby generated £52.3 million in revenue.”
“Barclays ignored its own process designed to safeguard against the risk of financial crime and overlooked obvious red flags to win new business and generate significant revenue. This is wholly unacceptable.
Firms will be held to account if they fail to minimise financial crime risks appropriately and for this reason the FCA has required Barclays to disgorge its revenue from the Transaction."
Press release:
“Barclays has cooperated fully with the FCA throughout and continues to apply significant resources and training to ensure compliance with all legal and regulatory requirements.”
See row below.
FCA fines Barclays £284.4m (forex failings 2008–2013)
FCA (2015a, d)
"This is another example of a firm allowing unacceptable practices to flourish on the trading floor. Instead of addressing the obvious risks associated with its business Barclays allowed a culture to develop which put the firm’s interests ahead of those of its clients and which undermined the reputation and integrity of the UK financial system. Firms should scrutinise their own systems and cultures to ensure that they make good on their promises to deliver change."
“Barclays and other firms are already participating in an industry-wide remediation programme to ensure that they address the root causes of the failings in their FX businesses and that they drive up standards. As part of the remediation programme, senior management at Barclays and the other firms must take responsibility for delivering the necessary changes.”
Press release:
“The misconduct at the core of these investigations is wholly incompatible with Barclays’ purpose and values and we deeply regret that it occurred. This demonstrates again the importance of our continuing work to build a values-based culture and strengthen our control environment. We remain completely committed to that effort.
I share the frustration of shareholders and colleagues that some individuals have once more brought our company and industry into disrepute. Dealing with these issues, including taking the appropriate disciplinary action against the individuals involved, is a necessary and important part of our plan to transform Barclays and remains a key priority.”
Search on “compliance culture” directs you to 2014 Transform site linking strategic direction of improving conduct.
CashEuroNet (trading as QuickQuids and Pounds to Pockets) redress £1.7m (FCA 2015k) “The FCA has been working with the firm since it took over regulation of consumer credit on 1 April 2014. An independent Skilled Person was appointed in September 2014 to review CashEuroNet’s lending decisions which revealed that some customers were able to borrow amounts greater than they could afford to repay.”
“We are pleased that CashEuroNet is working with us to address our concerns.
It is important that firms carry out appropriate affordability checks and pay particular attention to fair treatment of those who have trouble meeting their loan repayments.”
Press release
“We appreciate the opportunity to work with the FCA and the Skilled Person to review our processes, and we are pleased they’ve witnessed how seriously we take our regulatory responsibilities and our constant desire to achieve good outcomes for our customers,” said Nick Drew, UK Managing Director. “We apologise to the 4,000 affected customers, and we are pleased to be able to address this with the announced redress plan.”
Dollar Financial UK (trading as The Money Shop, Payday UK, Payday Express and Ladder Loans) redress £15.4m
(FCA 2015l)
“The review revealed that many customers were lent more than they could afford to repay. The firm has since agreed to make a number of changes to its lending criteria in order to meet the FCA’s requirements for high-cost short-term lenders.”
“The FCA expects all credit providers to carry out proper checks to ensure that borrowers don’t take on more than they can afford to pay back. We are encouraged that Dollar is committed to putting things right for its customers.”
Press release:
“As the new CEO of Dollar Financial UK, I accept the findings of the review and apologise to anyone who may have suffered difficulties as a result. It is proper that we put things right where they have gone wrong and I have gone further than the review in reforming the way our business operates to reflect the company aim of being the most responsible lender in its market place.” said Chief Executive Stuart Howard.
Under corporate governance banner compliance search revealed:
“Our governance arrangements and standards also ensure that our businesses are managed in accordance with the relevant legislative and regulatory requirements and the policies and standards of our group. Compliance with these standards enables us not only to meet the expectations of the regulator, but also those of other key stakeholders such as customers, employees and business partners.”
Cash Genie to provide £20 million redress
(FCA 2015m)
“We have been encouraged that Cash Genie has been working with us proactively and openly to put things right for its customers after these issues were reported.
Although standards in the consumer credit sector are improving, it is disappointing that examples of poor practice in the payday market keep surfacing. We expect all firms to notify us of any unacceptable past or current practices and provide appropriate redress to anyone affected.”
An entire section of the webpage is devoted to information on the redress, demonstrating transparency to customers.
Company in liquidation and no longer trading. No other information on the public website regarding compliance/governance.
Lloyds Banking Group fined £117m (PPI handling)
FCA 2015c)
“Lloyds has made significant progress towards the fairer treatment of customers in its general complaint handling operation and has established an extensive remediation programme to re-review or automatically uphold approximately 1.2 million PPI complaints, including those within the relevant period. Lloyds has set aside a total of £710m to cover any redress due to affected customers. Customers do not need to take any action. Those affected and due redress are being contacted directly. The FCA has appointed an independent skilled person to oversee the remediation process.
Lloyds announced in February 2015 that it had decided to freeze the release of shares in respect of deferred bonus awards from 2012 and 2013 for all members of the Group Executive Committee and for some other senior executives as a result of the FCA’s Enforcement investigation.”
Nothing related to PPI issue found under press release area (despite FCA’s statement regarding Feb 2015 announcement.)
However, there is a dedicated section on updates on customer complaints (including PPI).
Dedicated information on corporate governance and role of boards.
Deutsche Bank fined £227 m (Libor and Euribor)
FCA 2015e)
“This case stands out for the seriousness and duration of the breaches by Deutsche Bank – something reflected in the size of today’s fine. One division at Deutsche Bank had a culture of generating profits without proper regard to the integrity of the market. This wasn’t limited to a few individuals but, on certain desks, it appeared deeply ingrained.”
“This misconduct involved at least 29 Deutsche Bank individuals including managers, traders and submitters, primarily based in London but also in Frankfurt, Tokyo and New York.”
“This misconduct went unchecked because of Deutsche Bank’s inadequate systems and controls. Deutsche Bank did not have any systems and controls specific to IBOR and did not put them in place even after being put on notice that there was a risk of misconduct.”
No press release found on UK site (however, this may be due to the structure of webpage and country level).
Website search indicated 298 matches for compliance culture in the Deutsche Bank corporate web page.
Top match is the appointment of Global head of compliance in 2014 (prior to scandal)
“We welcome Nadine Faruque to Deutsche Bank and look forward to working with her on our vital Compliance agenda. We place the highest value on maintaining strong controls that are based on the values of discipline and integrity. Nadine’s leadership will help to shape our Bank’s future.”
Values and principles specifically highlights compliance culture:
“We place great value on a positive compliance culture: We expect our employees to conduct themselves responsibly, honestly and with integrity. Our code of conduct and ethics describes our values and our minimum requirements for ethical business conduct.”
Merrill Lynch International (MLI) fined £13.2m
(FCA 2015f)
“The size of the fine—the highest imposed for transaction reporting failures to date - reflects the severity of MLI’s misconduct, failure to adequately address the root causes over several years despite substantial FCA guidance to the industry and a poor history of transaction reporting compliance, consisting of a Private Warning issued in 2002 and a fine of £150,000 in 2006.” No results found for press release on topic (via Bank of America pages/Merrill Lynch search). However, this may be as a result of the diluted structure of the webpage between countries.
No documents found under search for “compliance culture”. A search for “compliance” revealed 123 results, however, these appeared to relate to employee roles.
Difficult to find governance messages, as the Merrill Lynch page is devoted to selling services. Codes of Conducts accessed via Bank of America webpage.
Clydesdale Bank fined £20.6m
(FCA 2015h)
"Clydesdale’s failings were unacceptable and fell well below the standard the FCA expects. The fact that Clydesdale misled the Financial Ombudsman by providing false information about the information it held is particularly serious and this is reflected in the size of the fine.
We have been very clear about how firms should treat customers who may have been mis-sold PPI. In ignoring documents it held which were relevant to its customers’ complaints, Clydesdale failed to treat its customers fairly."
No press release to respond to the FCA press release.
“Compliance culture” search directs to corporate responsibility pages including code of conduct.
“our Enterprise Behaviours underpin the culture we aspire to create—with a workplace our employees are proud of and want to contribute to. How we achieve our goals is as important as the goal itself. This makes sure everyone is held accountable for demonstrating the right behaviours”
The Bank of New York Mellon London branch and The Bank of New York Mellon International Limited £126 m
(FCA 2015g)
“The size of the fine today reflects the value of safe custody assets held by the Firms as well as the seriousness of the failings and the fact that these failings were not identified by the Firms’ own compliance monitoring. Other firms with responsibility for client assets should take this as a further warning that there is no excuse for failing to safeguard client assets and to ensure their own processes comply with our rules.
Client assets protection continues to be a priority for the FCA and firms who hold client assets should review their processes in line with these findings to ensure full compliance with the Custody Rules.”
Press release:
"BNY Mellon has worked cooperatively with the FCA to address issues related to our CASS compliance”
"Consistent with our commitment to being a strong and trusted partner to our clients, BNY Mellon launched a broad internal review with the assistance of an independent, third-party accounting firm and external legal advisers immediately upon learning of these issues. As a result, we have engaged in a remediation process and have taken clear steps to put in place a framework of new and improved policies and operational procedures as well as enhance our specialist resources across many functions to reinforce our compliance with CASS rules.”
"BNY Mellon is very mindful of the importance of safeguarding client assets and has been trusted by its clients to do so for 230 years. This trust could not have been earned without robust regulatory compliance in all of our operating jurisdictions, and we regret in this case that we did not meet our standards or those of the FCA. As always, regulatory compliance remains a key area of focus as we maintain our track record of safety and soundness as a financial institution."
Search on “compliance culture” and “compliance” indicated no matches. However statement on Ethics and Compliance found which linked into the code of conduct.
Bank of Beirut fined £2.1m
(FCA 2015i)
“It is essential to consumer protection, market integrity and the prevention of financial crime that we can rely on firms giving us the right information at the right time. Bank of Beirut’s failings impeded us and left it open to the risk that it might be used for financial crime. Equally worrying was the fact that Wills and Allin provided a number of misleading communications to us, which is a serious breach of their responsibilities as approved persons. We are reliant on compliance officers and internal audit to act as an important line of defence, to support effective regulation at firms and to show backbone even when challenged by their colleagues. Concerns about the culture within Bank of Beirut became apparent following supervisory visits to the firm in 2010 and 2011.” No press site found on the UK site.
Dedicated page for compliance setting out major responsibilities:
“Bank of Beirut (UK) Ltd has an independent compliance function to ensure that the bank complies with all relevant laws, regulations, rules, internal policies and procedures applicable to its banking activities.”
Aviva Investors fined £17.6m
(FCA 2015j)
“Ensuring that conflicts of interest are properly managed is central to the relationship of trust that must exist between asset managers and their customers. It is also a fundamental regulatory requirement. This case serves as an important reminder to firms of the importance of managing conflicts of interest effectively by implementing a robust control environment with effective systems to manage the risks. Not doing so risks customers’ interests being overlooked in favour of commercial or personal interests.
While Aviva Investors’ failings were serious, the FCA has recognised that its actions since reporting its failings were exceptional. The level of co-operation during the investigation and commitment to ensuring no customers were adversely impacted meant it qualified for a substantial reduction in the penalty.”
Press release:
“We fully accept the conclusions of this investigation. We have fixed the issues, improved our systems and controls, and ensured no customers have been disadvantaged. We have also made substantial changes to the management team which is leading the turnaround of Aviva Investors.
“We have a clear focus on simple and specific investment outcomes for clients and we are delivering strong levels of investment performance within a robust control environment.”
No results found when searching under “compliance culture”, or “compliance”. In addition it was difficult to find out any information on corporate governance other than the senior management structure.

Appendix 3 Analysis of Positive ‘Compliance Culture’ highlighted by FCA during period

FCA communication What the FCA said
“culture is not measureable but is manageable” (FCA 2016b)
A number of levers were highlighted to manage culture including:
“communicated sense of purpose and approach […] the what and the how”
“tone from the top”
“formal governance processes and structures”
“people related practices, including incentives and capabilities”
“an ethical culture can be more powerful than on based solely on financial incentives”
“cultural change can take a significant period of time to achieve” (FCA 2014d)
The speech praises a number of initiatives within the sector promoting trust, fairness and integrity.
“142 year old Cooperative Bank kicked off its advertising campaign in the ‘fight back for trust’”
“Nationwide’s campaign uses the tagline ‘they say money goes round we think it’s people’”
Quoting CEO of RBS “’in banking trust is not a nice to have—it is a commercial essential”
Behaviours and compliance in organisations (FCA 2017)
“regulators can also influence perceptions of the prevailing culture by identifying and publicising examples of good behaviour” p. 36
“the FCA publicises good behaviour when it undertakes thematic reviews” p. 36

Appendix 4 Analysis of Retail Banks Who were not Sanctioned/or Praised During the Period

During the ‘Best of British’ speech by Tracey McDermott (FCA 2014d), these organisations were included as exemplars of good ‘culture’ and ‘trust’ messages within the sector. Therefore, the press releases of Cooperative Bank, Nationwide, RBS and Virgin Money were selected as a sample. However, also to note that RBS was fined during 2014 as part of the wider, systemic LIBOR issues in 2014.

Organisation and website reference What they said/did
Cooperative Bank 2013 News 27/5/2013 The Co-operative Group appoints Niall Booker as Bank Chief Executive and Group Deputy Chief Executive Officer
Prior to this announcement there was major unrest within the Bank, with a complaint from the FSA about handling of PPI complaints. There were also issues with balance sheet stability (capital shortfall) and profit impacts. A number of new appointments were evident around this time in press releases.
2014 News 30/04/2014 The Co-operative Bank’s response to publication of independent review by Sir Christopher Kelly
“The Bank’s Board looks very different today and is now managed and governed independently to the Group. There is an entirely new Executive team with the depth of financial services expertise needed to turn the Bank around and we have also been reforming and improving the Bank’s systems, processes and culture which Sir Christopher Kelly refers to in the report”
2015 News 20/01/2015 The Co-operative Bank re-launches Ethical Policy
“the re-launch of this policy is an important step in rebuilding The Co-operative Bank as we listen to our customers and rebuild trust”
Nationwide Website reviewed - only contained news items back to 2017 at point of research.
23/5/2017 UK’s most trusted financial brand
“The Society remains number one for customer satisfaction among its high-street peer group, currently leading by a margin of 5% over the next best financial provider and has been rated as the most trusted financial brand” (Financial Research Survey results)
RBS The RBS press release site is difficult to search effectively for historic items. One item is noted to span the period of the review of other banks in 2017 release.
23 October 2017 RBS welcomes the publication of the Financial Conduct Authority’s (FCA) summary report, consistent with the summary findings announced by the FCA in November 2016
“As a result of these historical issues identified, it put in place two steps—a complaints process overseen by retired High Court Judge, Sir William Blackburne, and an automatic refund of complex fees—for SMEs in the UK and ROI that were customers in GRG during the period 2008–2013.”
Ross McEwan, CEO of RBS said:
“I am pleased that the regulator has confirmed the findings from last November and that the most serious allegations made against the bank have not been upheld.
“We have acknowledged for some time that mistakes were made and have apologised that we did not always provide the level of service and understanding we should have done for these customers in the aftermath of the financial crisis.
“The culture, structure and way RBS operates today have all changed fundamentally since the period under review. We have made significant changes to deal with the issues of the past, so that the bank can better support SME customers in financial difficulty whilst also protecting the bank’s capital.”
Virgin money 04/11/2015 Virgin Money welcomes interim report into the credit card market from the FCA
“Virgin Money fully agrees with the conclusions of the interim report into the credit card market published by the FCA today [….] Virgin Money already offers simple, transparent credit card products. Based on the potential remedies set out in today’s report, Virgin Money will fully implement any changes necessary to meet the final requirements in due course and looks forward to supporting the FCA in their final report.”
12/01/2016 Virgin Money announces two new appointments to senior executive team
Jayne-Anne Gadhia, Chief Executive Officer said: "I am delighted to announce that Peter and Hugh will be joining the Virgin Money Executive Team. Their broad experience and knowledge of the financial services industry, including a strong customer focus in retail banking, will be invaluable to us as we continue to deliver on our strategy of delivering growth, quality and returns to all of our stakeholders. I am looking forward to working with them both.”
This press release indicates a strengthening of the internal senior management, un affected by external forces/events to trigger change as evidenced I the use of word ‘continue’.

Appendix 5

During our analysis, we found difficulty in identifying praise of specific firm’s culture/compliance by FCA. Usually we would expect to sees highlights of ‘good practice’ in thematic reviews. However, within the 2015/16 annual report it was announced that “we considered that a thematic review would not be the most effective and efficient way to continue to support and drive continued culture change across the sector. Instead, we decided that the most effective way to achieve this was to continue to engage individually with firms, as well as supporting other initiatives outside the FCA. We have not changed our views about the importance of firm culture and we will continue our work with individual firms” (2015/16 Annual Report). As an alternative method of analysis the annual reports were searched to review the emphasis on culture by the FCA year on year.

Year reviewed and weblink Number of references to ‘culture’ Key quotations
27 “Regulatory arbitrage, at least in the conduct arena, is a game no longer worth playing […] to give credit where it is due, much of this is the result of firms’ efforts to improve their business models and culture to meet our expectations” p.6
“Our annual review of the remuneration policies and practices of ‘Level 1 firms’ (deposit takers and investment firms with total balance sheets over £50bn) found they had undertaken significant work to embed conduct and culture in their remuneration policies and practices this year” p. 43
27 “Changing culture: We rolled out a supervisory approach in wholesale banking designed to raise the overall standards of conduct risk management in the industry, ensuring that the industry itself takes responsibility for, and ownership of, the management of conduct risk” P.12
“At the start of 2015/16 we identified a number of risks that informed our work for the year. We highlighted that firms’ culture, structures, processes and incentives still required improvements” P.30
“Firms were required to consider the culture, governance arrangements, policies, procedures, systems and controls within their UK businesses, as well as how much their overseas activities might impact upon their conduct in the UK.” P. 33
“FCA introduced new rules on whistleblowing. These rules aim to encourage a culture in firms where individuals feel able to raise concerns and challenge poor practice and behaviour.” P.34
19 “We assess firms’ business models, key personnel, control environment, and increasingly culture and its impact on conduct” P.31
“Compliance controls and culture, where we found robust controls and an improved cultural message being distributed across a global group” p.34
8 The risk committee “noted the risks associated with the pace of change around firms’ business models and the culture in the financial sector; risks that the FCA sought to address in its 2013 Risk Outlook. It discussed these ongoing concerns with the FCA’s executive and has asked for further information on the progress made in implementing a programme of positive culture change amongst firm” P.75

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Burdon, W.M., Sorour, M.K. Institutional Theory and Evolution of ‘A Legitimate’ Compliance Culture: The Case of the UK Financial Service Sector. J Bus Ethics 162, 47–80 (2020).

Download citation


  • Compliance
  • Culture
  • Financial services
  • Regulation
  • Legitimacy