As published in ABA Bank Compliance (now ABA Risk and Compliance), October 2016
The first line of defense includes the sales force, customer service, and all operational functions that support the sales and servicing of an institution’s products and services. Since the first line is executing the institution’s strategies and business objectives on a day-to-day basis, it is primarily responsible for effectively managing and monitoring compliance risks associated with those activities.
In a perfect world, the first line may have it covered and there may not be a need for a second line of defense. This scenario would require the first line to have detailed knowledge of all regulatory requirements, well-documented and implemented procedures to help guide activities, effective monitoring systems to detect instances of non-compliance, training programs at the ready to address areas requiring improvement, a change management process for systems and compliance procedures, and the ability to manage the onslaught of regulatory changes and their impact on day-to-day activities. However, things are rarely “perfect,” least of all in dealing with today’s regulatory environment, technological developments, and the pressure to sell and expand the customer base. In this imperfect world, the second line serves a very important role and purpose – supporting the first line of defense.
The second line is a risk management function reporting to the president or CEO, or in larger institutions, the chief risk officer. It is generally comprised of operational risk, third party risk, model risk, and compliance risk management programs. Each risk management program has a specific mandate, but they are also highly interrelated. The second line compliance function is responsible for oversight of the institution’s compliance risk-taking activities by providing educational and interpretive guidance and by objectively assessing and monitoring first line compliance performance. It also reviews and reacts to issues that arise from the operational and third party risk management programs, especially those that result in non-compliance with regulations or potential consumer harm.
Roles and Responsibilities of the Second Line Compliance Function
The OCC’s September 2014 Guidance, Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches describes the role and responsibilities of the second line, interpreted for the compliance function, as follows:
- Primary responsibility and accountability for designing a comprehensive written compliance management program tailored to the compliance risk profile of the institution. Responsibilities for compliance activities, monitoring, and reporting of issues must be clearly defined within the program and effectively operationalized within the compliance management system. This includes responsibilities for the first, second, and third lines of defense.
- Perform ongoing compliance monitoring to identify and assess the institution’s compliance risk and to determine corrective actions needed to strengthen compliance management. In addition to the monitoring activities expected within the first line of defense, the compliance function is also expected to conduct periodic enterprise-wide compliance monitoring. Results of second line monitoring will provide an independent view of compliance performance of the first line and will inform management of changes required to optimize the program. Significant issues identified by second line monitoring should be formally reported to executive management and the Board of Directors (or its risk or audit committee) to allow these stakeholders to fulfill their mandate within the compliance management system.
- Establish and adhere to the institution’s compliance policies, procedures, and risk appetite statement. The compliance function should work with senior management to develop and implement a comprehensive written policy that articulates its compliance risk appetite and is the basis for its compliance governance framework. The institution’s compliance risk tolerances should be integrated into its overall risk appetite statement that addresses all major risk categories including credit, interest rate, liquidity, pricing, operational, strategic, reputation, and compliance risk. The statement should address qualitative components that describe a compliance risk culture and how the institution will assess and accept risks including risks that are difficult to quantify. For example, a qualitative statement related to training may state, “We provide our personnel with the tools and training needed to ensure the products and services we offer our customers comply with consumer financial regulations.” It should also address quantitative limits. A corresponding quantitative limit may be, “All personnel are assigned compliance training applicable to their job and are required to complete 100% of the assigned training on an annual basis.”
- Provide periodic reports of compliance performance to the CEO and Board of Directors or its designated committee. Reports should include material risks of non-compliance, instances where the compliance function’s assessment of risk differs from the first line, and significant instances where the first line is not adhering to the compliance program.
- Direct access to the Board of Directors or its designated committee. Compliance management, either through the chief compliance officer or the chief risk officer, has a responsibility to report instances where its assessment of compliance risk differs from that of the CEO, or where the CEO is not adhering to the compliance management program. Carrying out this responsibility would be extremely rare in a compliance-conscious and transparent institution where management is committed to the compliance program.
- Develop, attract, and retain compliance talent. In an environment where the competition for compliance talent is stronger than ever, it is imperative for management to work with human resources to manage compliance talent within all three lines of defense. The second line compliance function is relied upon by the institution to provide the requisite expertise and knowledge to support the enterprise-wide program. To fulfill its role and responsibilities effectively, it must foster a culture that attracts and retains compliance professionals. At the top of almost all compliance professionals’ lists is management’s full support for the compliance program. A robust training and education program, including participation in industry seminars and conferences, is also expected. In addition to providing technical regulatory training, soft skills including effective communication, presentation, and change management skills will help to make sure the messages do not get lost in translation or, worse, ignored.
At its core, an effective and efficient compliance management system operates in a culture where compliance is “built into” processes and it is understood that it is a part of everyone’s job. While there is no one regulatory definition of risk culture, the OCC Heightened Standards guidelines state that “risk culture can be considered the shared values, attitudes, competences, and behaviors present throughout the covered bank that shape and influence governance practices and risk decisions.”
The industry has come a long way since the sole compliance officer who was responsible for all compliance. Over the years, and certainly since the 2008 crisis and with help from the regulatory agencies, institutions have recognized the necessity of strong risk management throughout an institution. While much has been done to implement the three lines of defense, there is more to do.
Structure and Approach
Institutions, both small and large, are still working on the best structure and approach for compliance management. In smaller institutions, the compliance function is naturally more integrated with the various departments in the first line. In many larger institutions, the first line is structured with its own mini-compliance function to help manage day-to-day compliance. Structured properly and with responsibilities clearly outlined, this latter approach can be effective. Without some guardrails, however, the activities may overlap or may be at odds with each other leading to confusion and unnecessary risk. Considerations for an effective relationship between the first and second line compliance structures include the following:
- Senior management must establish and communicate expectations for a relationship that is collaborative and respectful. Everyone is in this for the same purpose, to protect the institution and ensure its customers are treated well and fairly.
- Ensure responsibilities between the first and second lines are clear and create a partnership by completing a responsibility matrix. In its simplest form the matrix would include compliance responsibilities down the y-axis and the various first line functions and departments and the second line compliance function across the x-axis. For the compliance program and perhaps for larger projects, the matrix should identify who is responsible, accountable, consulted, or informed (RACI) for each responsibility within the first and second lines. This approach is outlined by Mike Jacka and Paulette Keller in their book, Business Process Mapping: Improving Customer Satisfaction, and will help identify overlaps and gaps in responsibilities allowing for a more collaborative working relationship.
- Define who makes the final decision in situations when disagreements occur between the first and second lines of defense. A clearly outlined escalation process is necessary.
- Oftentimes, first line “compliance personnel” report solely to the business line executive. Consider adding an indirect reporting line to the second line compliance function to help ensure consistency in carrying out the compliance mandate.
- Schedule periodic meetings between first and second line compliance personnel, including first line management, to facilitate communication and sharing.
- Conduct joint training sessions on regulatory topics, non-regulatory topics such as change management, and teamwork sessions.
The saying about the stars becoming aligned doesn’t actually refer to stars, but to planets – which, without a telescope, appear to be stars, but they move in orbits. Sometimes the orbits put two or more planets in alignment, one behind the other. It doesn’t happen very often that the planets come together, thus it is considered fortuitous, perhaps portending something that was meant to be. Working together to align the planets and stars, the first and second lines of defense will establish a well-coordinated compliance program that effectively and efficiently identifies and mitigates compliance risk. Compliance with regulatory requirements should not be an afterthought; the ultimate goal is for the compliance function to be inherent in an institution’s cultural fabric. Only then will everything be aligned.