Three distinct ‘buffers’
As regulators worldwide continue to focus heavily on the importance of ethical conduct by employees in regulated financial services businesses, one of the ways of building and sustaining an appropriate Compliance culture is through having a robust and effective Three Lines of Defence (3LoD) operating model. The 3LoD model has, at its core, the concept that all financial services businesses carry operational (including Compliance) risk and there are three distinct ‘buffers’ mitigating the likelihood of those risks materialising into a major issue. The ‘buffers’ are provided by employees within the business who perform different, but interlocking, activities. The controls that provide the infrastructure for the ‘buffers’ lie in a firm’s procedures – that’s why regulators focus on employee behaviours, since the infrastructure lacks substance if employees don’t follow procedures and remuneration packages are not reconcilable to good compliance behaviours.
The first ‘buffer’ is typically those employees in the business who are client facing (the ‘First Line of Defence or 1LoD) – they have an extremely important role to play as they deal with clients (who are a major source of operational risk, particularly in respect of financial crime), usually daily. These employees are best placed to be the ‘eyes and ears’ in managing the operational risks that arise from dealings with client. The second ‘buffer’ are the employees within the supporting risk management functions (i.e. Compliance, Risk teams, Finance department, in-house lawyers – the Second Line of Defence or 2LoD) who advise and support 1LoD on the adequacy and effectiveness of the 1LoD controls (the firm’s procedures) in mitigating the occurrence and impact of operational risks. The last ‘buffer’ is the employees within any internal audit or quality assurance team, who should be fully independent of, and overseeing, the 1LoD and 2LoD. They provide the Third line of Defence (or 3LoD). To be properly effective within a 3LoD model, whilst the 2LoD and 3LoD should have accountability to the board/senior management team for their work, they should also have separate reporting lines out of 1LoD to ensure the appropriate independence of thought and action that their activities require in the model. This is often an area where the 3LoD model starts the ‘blur’ when 2LOD or 3LoD employees report into 1LoD management or a 1L0D employee is being required to carry out 2LoD or 3LoD work. Keeping an appropriate segregation can be difficult in a smaller business where separate reporting lines may not be achievable. In this scenario, it is advisable to have a second pair of eyes (possibly an external regulatory consultancy firm) to review that individuals work where he/she is performing a 2LoD activity but sits within the 1LoD.
If you look at many of the financial services scandals over the last few years, one of the more common failings is a lack of strong corporate governance e.g. the Danske Bank scandal, where the 3LoD model in its small Estonian branch failed completely. Most of these scandals (Wells Fargo, 2017 – $185mn fine and 5,300 staff sacked for unethical sales practices, Citibank 2021 – $400mn fine for control deficiencies) typically involves a board of directors or senior management team focussing more on revenue generation and profitability than the identification and careful management of risk within the business and where the 2LoD is ineffective in challenging the 1LoD. A common theme through these scandals has been a view that Compliance issues are matters that only the Compliance team in 2LoD need to think/worry about. That view would not meet with regulatory expectations today.
The regulatory expectation today is that the members of the board (or senior management team) understand that they own, and are responsible ultimately for managing, operational (including Compliance) risk within the business. With ownership comes the accountability for making sure that operational (including Compliance) risks are identified and managed carefully. Whilst the board/senior management team can delegate the responsibility for managing Compliance issues to others (i.e. sub committees or 2LOD risk management teams), they cannot abrogate responsibility for the careful management of those risks – i.e. they can never transfer the ownership of the risks, it still resides with them ultimately. Regulators have been very explicit on this point – see the recent Lutea public statement by the JFSC. Teams within 2LoD are responsible for advising, supporting, and overseeing/providing constructive challenge to 1LoD, but crucially do not own those risks. However, they do have an important role to play in helping 1LoD navigate through the increasing regulatory rules and are accountable to 1LoD in that respect. That aspect of the 2LoD activities which requires oversight includes the testing of the adequacy and effectiveness of 1LoD controls with regular reporting deficiencies to the board or senior management team.
Clear role descriptions
The key to the effective operation of the 3LoD model is that it is implemented and embedded fully and articulated clearly to all employees. That requires clear role descriptions for employees in each of the 3LoD, which clearly delineates the scope and boundaries of their role together with a carefully choreographed communications exercise, together with constant reminders of where in the 3LoD activities lie. Some large banks have only got to the fully effective 3LoD model by going through an expensive and deep reaching effectiveness review where all activities were assessed and allocated to one of the lines of defence– ie 1LoD or 2LoD. That has also meant hard decisions in respect of resourcing employees being moved between the lines of defence to be with the activity. However, on completion of that exercise, the board can be more comfortable that a clearly delineated and articulated 3LoD operating model is in place and should be working. It’s where confusion between the demarcation between the different lines or, more likely, a blurring of the demarcation lines, starts that a business can start getting into regulatory difficulties. An example of this is where the Compliance in 2LoD is required to ‘approve’ the take on of all new business/clients. Typically, that is an activity that should sit within 1LoD with Compliance providing advice only (note: not approval) to support the 1LoD decision making process. If Compliance is approving all new business, how does the 1LoD own the financial crime risk associated with such new business? And how does 2LoD test the controls on new business/clients independently, if it is intimately involved in the decision making? Effectively marking your own home is never a good place to be.
Identifying early warning signs
One of the early warning signs that the 1LoD and the 2LoD have merged is an overburdened compliance function resulting in resignations and the risk that such individuals may share their frustrations with a regulator during a regulatory exit interview where the individual is obliged to share their true reasons for moving on. In recognising the importance of such interviews some regulators now interview all senior compliance staff upon receiving a ceasing to act notification.
If implemented and operated effectively, a clearly delineated and articulated 3LoD model can go a long way to providing the framework for the right Compliance culture and behaviours in a regulated financial services business and avoiding the obvious risks associated with exit interviews
Source: 3LoD Model Exlained, CIAA website