Making “Three Lines of Defense” work

The “three lines of defense” model for risk management has been accepted as a best practice by federal banking regulators and the Basel Committee on Banking Supervision. Therefore, it is now “non-optional” for compliance risk management programs in regulated financial institutions.

In short, this model states that, the first line of defense for risks is the line of business unit; the second line is independent risk management (compliance, operations risk, etc.); and the third line is the independent audit function.

This sounds nice and tidy on paper.

But is harder to implement in reality.

The first line of defense has been the least well developed over the years, so building out a strong, functional first line has been a priority in large institutions and is increasingly becoming so in mid-size and smaller ones.

One issue that has surfaced is that the three lines have had difficulty coordinating the required responsibilities without overlapping each other and being inefficient. Here are a few of the challenges that arise in implementing a strong three lines of defense program and some suggestions for overcoming them.

Roles and responsibilities

One response to the requirement to build out a first line of defense has been to recreate a compliance program within each line of business.

Often the business hires former compliance professionals to fulfill these functions. Having a duplicate structure can cause friction in day-to-day operations in terms of the roles and responsibilities between the first and second line.

For example, who has the final say when there are disagreements on how a regulation is interpreted or implemented? 

Although the compliance folks within the line of business are responsible to make sure that the business unit is compliant, it is tempting for them to become co-opted by their colleagues in the business functional roles.

The slang term for this is “going native.”

If this happens, the first line will often clash with the second line on how regulations are interpreted—strictly or more liberally?

Because the business owns its own compliance performance, it is, theoretically, free to follow the advice from the first line while ignoring the second, but this can be a risky move.

The second line is responsible not only to the bank’s board but to the regulatory agencies for compliance risk oversight. So, the second-line compliance function will protect itself. That will be by going on the record regarding its advice to the business unit, further straining relationships.

The real answer is that the first line should consult with the second—and that they should then reach agreement in the interpretation and implementation of all regulations.

The bottom line is this: It is absolutely a good thing for the business to have compliance expertise within its own ranks. However, the first-line advice must be sound, or the institution will end up paying the price.

Remember: The second line is there to provide a check on the advice of the first line.

Compliance policy

If the first line has compliance requirements, should the first line’s compliance people also now own the bank’s compliance policy?

The answer is “no.” Because the compliance risk management function is ultimately responsible for independent oversight, it must own the compliance risk policy for the institution.

However, the first line should have a coordinating policy that directs its employees on the regulatory implementation within the business line, as well as specific procedures that augment that policy.

Monitoring and testing

Each line of defense has a monitoring and/or testing responsibility. This is the area where there is often a great deal of overlap and not as much coordination as would be optimal.

If every line is testing the same process every year, then inefficiencies abound.

The first line owns regulatory quality control of its products, services, and operations. It should have built-in procedures in all of its processes that ensure that regulatory requirements are followed for all of its product lines. Disclosures must be provided, deadlines must be met.

Compliance, as the second line, has the responsibility to monitor and test periodically for every regulation to determine the level of compliance. Compliance testing is conducted on a risk-based priority schedule, because everything cannot be tested every year without a huge staff.

Independent Audit should have an audit schedule that also tests the level of compliance within the business units as well as the compliance program within the first and second lines.

Each line of defense should be independent of the other. So, while the quality control function of the business line should be a daily process, the testing that Compliance and Audit do should be risk-based and conducted on a schedule so that the widest scope is covered in a reasonable time period.

Coordinating these three approaches can do a lot to make the overall compliance performance of the institution comprehensive and efficient.

Issues identification and escalation

How do issues get identified and escalated for correction and remediation? Are separate systems used or are they all on one?  Who is responsible for follow up? 

The most successful compliance program will be the one where the first line finds the most errors. If the first line identifies and corrects itself prior to the monitoring and testing efforts by the second and third line, there will also be very little for regulatory examiners to find.

As long as the issues management and corrective efforts are effective, it does not really matter whether they are on one system.

Indeed, no regulatory guidance suggests that there be a single system. However, a single system that houses all issues and status of corrective action would be an efficient way to maintain the information and for it to be visible to everyone in all of the lines.

So, if there are separate systems used by the line of business, Compliance, and Audit, reports should be available from all systems to all groups. The process of escalating issues should be formalized so that everyone knows the ground rules and there are no surprises.

Corrective action should also be a visible process so that the business lines and the risk and audit members will know what is outstanding and what has completed the corrective process.

“Easiest” step of all: communicate

The three lines of defense will work best if there is open communication and robust discussion among all of the groups. These cultural elements allow for the most efficient and effective coordination of all the lines.

All of the lines have a common goal—that the institution have a successful compliance program with the fewest possible regulatory issues.

Collaboration with this goal in mind should result in each line playing its own independent but cooperative role and allow for the most productive compliance program overall.