Two years ago, the Office of the Comptroller of the Currency (OCC) set guidelines establishing “heightened standards” for large financial institutions. The guidelines outline minimum standards for designing and implementing a risk governance framework, commonly called the “three lines of defense.” Both the Federal Reserve and the Consumer Financial Protection Bureau have issued similar directions.
Although the guidelines apply only to large institutions, many community banks are feeling a trickle-down effect, as regulators pressure them to adopt more robust risk management and compliance practices. While it’s tempting to view this development as an unwelcome burden, a closer look shows that the three-lines-of-defense model offers substantial benefits for community banks.
A brief overview
Football teams have long recognized the effectiveness of three lines of defense: the defensive line, the linebackers, and the secondary. The OCC’s framework employs a similar strategy to plug holes in a bank’s risk management systems. The three lines of defense for banks are:
- First line: Business units
As the “creators” of compliance risks, your bank’s business units should take ownership of these risks and ensure that your bank’s compliance standards reflect its board-approved risk appetite. Business units understand your bank’s products and services better than anyone, so they’re in the best position to develop processes, procedures, and controls (with input from risk management) designed to mitigate the risks associated with their activities. - Second line: Risk management
Your bank’s compliance officer or other independent risk management executive is responsible for overseeing the bank’s risk-taking activities and working with business units to create a compliance management system. That involves developing policies and procedures, providing training, monitoring business unit activities, and reporting to management and the board. - Third line: Internal audit
Internal audit ensures that your bank’s compliance framework and internal controls are appropriate and effective. The function also evaluates compliance standards within the business units and reports findings to the board or audit committee.
Benefits of a team approach
It’s not unusual for community banks to employ a “one line of defense” approach to compliance. In other words, the entire responsibility for developing, implementing, and monitoring the bank’s compliance program rests on the shoulders of the compliance officer. Inevitably, that employee is stretched too thin, and compliance tasks fall through the cracks.
Getting business units involved in compliance can free up the compliance officer’s time, allowing him or her to focus on higher-level compliance activities. But even more importantly, a team approach can enhance communications; clarify roles, responsibilities, and accountability; and make your bank’s risk management efforts more effective and efficient.
All too often at community banks, compliance officers develop risk management systems and impose them on business units. But without an intimate understanding of a business unit’s activities, compliance officers are likely to design policies and procedures that are inefficient, redundant, or incompatible with existing processes. If that happens, there’s a good chance the business unit’s staff will complain about or disregard these policies and procedures, creating an adversarial relationship.
Suppose, for example, that a business unit is responsible for mortgage loans. These loans are subject to detailed regulations that govern the content and timing of disclosures to consumers. If a compliance officer mandates procedures for generating these disclosures that are too onerous or time-consuming, it’s likely that the staff will take shortcuts that increase the bank’s risk exposure.
A better approach is for the business unit’s staff — typically in the best position to design and implement procedures that are both efficient and effective — to assume responsibility for these tasks and seek the compliance officer’s input. For example, perhaps there’s a way to automate the generation of certain disclosures using the business unit’s existing systems.
Shoring up your defenses
Moving to a three-lines-of-defense model can be challenging for community banks. It requires careful planning to coordinate the parties’ responsibilities without redundancies and inefficiencies. But many banks will find that this approach significantly improves their risk governance and provides greater assurances to regulators.