The Case for Three Lines of Compliance
Defense at Community Banks- A two part series
Part One –The Three Lines of Defense
framework
In
late 2014, the Office of the Comptroller of the Currency (“OCC”) published its “Guidelines
Establishing Heightened Standards for Certain Large Insured National Banks,
Insured Federal Savings Associations, and Insured Federal Branches”. This
document established the requirement that large banks should establish and
implement a risk management framework. The framework must
cover at a minimum credit, interest rate, liquidity, price, operational,
compliance, reputation, and strategic risk.
The guidance goes on to establish
several other requirements and documents that large banks have to produce and
describes the ongoing expectations for Board members of these banks. The
Federal Reserve and the CFPB have both published similar guidance. All of this guidance is ostensibly directed
at larger banks.
The
guidance details the components and responsibilities of risk and compliance programs,
which includes three lines of defense. All three are specifically defined
in the guidance. The three lines are:
While
one could dismiss this guidance because it applies to large banks, it is clear
that a great deal of the regulatory guidance that is first directed at large
banks is eventually applied to community banks. Moreover,
as one reviews the principles of the guidance there are sound reasons for a
community bank to consider implementing a program similar to the one discussed. We believe that community banks should use
this guidance to rethink the approach to compliance.
The
structure of the risk program described in the guidance is likely more
extensive than a community bank might be able to consider. However, the basic principles described in
this guidance present directions for developing a compliance management system
for 2015 and beyond.
The main
theme of the guidance published by all three agencies is very similar; to develop
a strong and effective compliance management system, a financial institution should
develop a risk governance program that incorporates compliance into the overall
operation of the bank. In other words,
for large banks risk and compliance are simultaneous and seamless. There is no reason that this should not be the
same for community banks. Unfortunately,
for most community banks, the compliance officer has been the first, middle and last line of defense when it comes
to compliance. Among the traditional tasks
for a compliance officer are writing policies and procedures, attending to
training and preparing compliance reports such as the HMDA LAR. In many community banks, the sheer volume of
regulatory changes has made the multiple roles for the compliance officer
untenable. Often the practice is to try
to address the perceived highest levels of risk and to put the rest of the tasks
off until later. We have seen cases of
policies and procedures that are past due, compliance reviews that have been
left uncompleted or audit findings that have not been addressed. These conditions are generally the result of
insufficient resources in the compliance unit.
Using
the three lines of defense approach to compliance and risk management at a
community bank may present the opportunity to redeploy staff to higher levels
of efficiency. For example, consider
the possibility that business unit heads are charged with maintaining day-to
day compliance. This would necessitate
working with the compliance officer to develop procedures, checklists and
quality control testing. Simultaneously,
the compliance officer would be asked to work directly with business heads to
monitor and measure the level of risk within the business units. These roles may be non-traditional at a community
bank, but they are essential to a “state of the art” compliance management
system.
The
2005 paper by the Basal Committee on Bank Supervision entitled “Compliance and the compliance function in
banks” discusses ten principles that comprise a comprehensive
compliance management system. These ten
principles can be loosely divided into four general areas:
1.
Compliance-related responsibilities of the board of directors
2.
Compliance-related responsibilities of senior management
3.
Organizing and governing principles of the compliance function, including its
independence, the adequacy and qualifications of its resources, its
responsibilities for both guidance and monitoring, and its relationship with
Internal Audit
4.
Other matters, including cross-border or jurisdictional questions and the
appropriate use of outsourcing in carrying out compliance-related functions[4]
The
risk appetite of the bank should be a function of the size and depth of the
CMS. As risk changes, so should the
routines of the compliance group. To
make this work, the business lines of the Bank have to be more involved in
compliance while the CO has to be more involved in the risk profile. This may be initially uncomfortable, but in
the end, it is the best way to get the biggest bang for the buck out of
compliance
We
believe that embracing the philosophy of three lines of defense will allow
community banks to gain greater engagement of overall staff in the compliance effort,
which will help to attain greater efficiency and reduce the overall cost of
compliance.
In part two, we will
discuss some of the specifics of the three lines of defense for community banks
[1]
a front line unit means, except as otherwise provided, any organizational unit
or function thereof in a covered bank that is accountable for one of several
enumerated risks and that either: (i)
engages in activities designed to generate revenue or reduce expenses for the
parent company or covered bank; (ii) provides operational support or servicing
to any organizational unit or function within the covered bank in the delivery
of products or services to customers; or (iii) provides technology services to
any organizational unit or function covered by these Guidelines.
[2]
independent risk management should oversee the bank’s risk-taking activities
and assess risks and issues independent of the CEO and front line units.
[3]
internal audit should ensure that a bank’s Framework complies with the
Guidelines and is appropriate for the bank’s size, complexity, and risk profile
[4]
“Regulators expect to see
lines of defense” Eric Durham, and Justin Van Beek, Crowe Horwath LLP Banking Exchange July 3, 2014
No comments:
Post a Comment