April Breslaw is a Regulatory Advisor with Treliant. She has held multiple leadership positions at federal financial regulatory agencies, including Deputy Assistant Director, Office of Supervision Policy, at the Consumer Financial Protection Bureau (CFPB), which she joined as it was being built in 2010. Her other roles have included Chair…
To provide insight into how financial services companies can meet growing supervisory and risk management expectations, Treliant will periodically publish leading practices in the core Compliance Management System (CMS) competencies that all financial services companies should develop, consistent with their risk profiles and the complexity of their operations. This article commences the series by providing a practical understanding of the true role and functioning of the first line of defense, since implementing it has often proved challenging. Such is particularly true for small and medium-sized companies; however, even large companies can have a hard time making the first line of defense function fully, efficiently, and effectively.
CMS and the Three Lines of Defense
A CMS encompasses a financial services company’s ability to understand its compliance responsibilities, ensure that its employees understand these responsibilities, integrate regulatory requirements into business processes, review operations for compliance, take corrective action, and update its practices as needed. More broadly, an effective CMS operationalizes a company’s commitment to compliance, mitigates risk, and helps avoid consumer harm. It provides a framework through which a financial services company can establish the principle that compliance is everybody’s responsibility.
In recent years, federal financial regulators have intensified their focus on CMS, making it the cornerstone of the current compliance rating system used by the Consumer Financial Protection Bureau, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency, as well as some states. As a result, the quality of a company’s CMS has taken on heightened importance in the supervisory process. It also factors into agency determinations about whether enforcement action is necessary and how these matters should be resolved.
To meet both supervisory expectations and effectively manage risk, many companies recognize the need for a CMS model that encompasses three lines of defense: business units (first line); risk and compliance functions (second line); and internal audit (third line). But as we usher in the 2020s, the CMS at many financial services companies falls short in the business operations that implement the first line of defense.
The line-of-defense model is most effective when all three lines work in sync. Such a coordinated approach allows banks to identify, measure, monitor, and control risk effectively, in the following ways:
- Establishing risk accountability and ownership;
- Promoting efficiency/quality: reducing cost, shortening lookback periods when errors are discovered, and allowing for prompt remediation;
- Fostering communication among the lines of defense to ensure that everyone understands their role; and
- Meeting regulatory expectations that banks establish a governance framework to manage/control risk-taking.
The hallmarks of a fully functioning three-line-of-defense program include active board and senior management oversight and a written risk governance framework, including a board-approved line-of-defense program document that confirms roles and responsibilities across all three lines. At a high level, duties are divided as follows:
- The first line is accountable for identifying, monitoring, and managing risk. It “owns” risk and the controls to manage it.
- The second line operates from a reporting chain that is separate from the first line. It provides guidance and tools to facilitate the first line’s risk management—testing first-line controls separately from first-line monitoring while also escalating trends/issues to senior risk management and the board of directors.
- The third line audits the first and second lines to provide independent assurance to the board and management that the overall risk governance framework is operating effectively.
Across the three lines, consistent controls should be instituted to identify, measure, and mitigate risk. By “controls,” we mean processes and procedures within business activity to ensure adherence to internal policies, industry best practices, and external requirements. Controls can occur anywhere in a process and should be mapped and inventoried. Moreover, controls may be automated, manual, or a combination, but must be tested and monitored to ensure they are successfully mitigating risk. Examples of controls include policies, procedures, processes (e.g., change management and third-party oversight), training, monitoring (e.g., both quality assurance and quality control), testing, management reporting, and both board and senior management oversight.
The First Line of Defense
The activities that the business units manage on behalf of the company offer both the opportunity for reward and pose the greatest risk. Consequently, the first line must also own the controls to manage their risks and subject them to periodic risk assessments, in line with the bank’s overall risk appetite. Examples of automated first-line controls include calculations, date and timing checks, compliance checks, and system stops. Examples of manual first-line controls include second-level reviews, approvals, checklists, report reviews, and analyses. A system flag requiring manual intervention is an example of a combination of the two.
A critical responsibility of the first line of defense is to monitor controls to evaluate whether they are working effectively, track identified issues to ensure that remediation is timely and effective, and analyze monitoring trends to identify and escalate root causes and systemic issues. Consequently, “monitoring” is the ongoing review of key business performance and risk indicators to proactively identify potential risk management gaps and compliance violations. The monitoring can be either automated or manual, as long as it is repeatable.
Monitoring comes in the form of quality assurance (QA) and quality control (QC). QA is proactive first-line monitoring to ensure that business processes are executed consistent with legal requirements and internal expectations. The monitoring takes place after transactions have been completed to drive process improvement and is intended to answer the question, did the processes, policies, and procedures produce the desired outcome?
On the other hand, QC involves monitoring “in progress” work product to identify and correct potential errors before the work product is completed. QC validates QA by assessing the quality of output as it happens. Monitoring is intended to answer the question, were defects found during the execution of the process?
Where to start? The following steps can help to initiate a first-line monitoring program in an orderly way:
- Create a control library;
- Map controls to business processes to determine what to monitor; and
- Consider risks, controls, and trends to determine how often monitoring should be carried out.
Once a preliminary monitoring schedule has been drafted, it should be reviewed by the compliance team and other second-line risk management functions, as needed. This process should occur annually and be updated quarterly.
Next, the first line must develop standard monitoring procedures for each area to be reviewed, and determine and document the sample selected. The sample should be consistent with the level of risk posed by a failure of the control being reviewed and of sufficient size to reach conclusions through the review. Often, the second line of defense can provide advice about whether a sample is appropriate.
Once the review is completed, results, root causes, corrective actions and remediation, and dates for completing these items should be discussed with the responsible line-of-business manager. A note of importance is that the manager should commit to remediating by a clear deadline. The monitoring team should track whether remediation is occurring as planned and escalate situations where it is not. Finally, the first line should analyze information from issue tracking on an ongoing basis to identify trends and systemic concerns.
In addition to the practical steps described above, the following tactics can often help establish and mature a first line of defense.
- Create a collaborative environment to work with the first line of defense;
- Begin by launching a pilot program with a few business lines;
- Create a line-of-defense working group;
- Develop a risk rating framework;
- Compile, aggregate, and trend line-of-defense results; and
- Continuously enhance the program as needed.
The unfinished business of building a first line of defense cannot be allowed to remain so for long. Risk can mount quickly in the modern banking environment of digital innovation and fast-changing products and services. At the same time, supervisory CMS expectations are increasing. Establishing a solid three-line-of-defense CMS program can help manage risk, avoid supervisory scrutiny, and ensure that a company establishes a customer service-oriented culture. A strong first line of defense is an important component of this process.