Friday, March 6, 2015

Three Lines of Defense at a Community Bank - Part Two
In our first blog in this series we described the compliance guidance that has been issued by the prudential regulators. This guidance describes an approach to compliance that is summed up by the phrase “three lines of defense”. We argued that although the guidance only directly impacted large banks, it is likely that similar guidance will be issued or, at a minimum, similar expectations will be raised for community banks. Further, we argued that the three lines of defense can be a more effective and economically efficient means to administer a compliance management system (“CMS”).
Of course it is obvious that at most community banks there are limited resources.  The idea of trying to develop a risk and compliance framework that includes the three lines of defense may seem impossible or impractical.   However, when one considers the philosophy at the heart of the three lines of defense, the structure appears more plausible.  
 
The First Line of Defense – The Business Unit  
Under the three lines of defense approach to compliance and risk, the business units in a bank that take the actions to produce income or reduce expenses are the ones that create risk. This also means that these same business units should be the ones that understand and appreciate the risks being taken as well as the controls that should be employed to reduce risk. These dynamics are also true at a community bank.
 
Lending officers, operations officers and their staffs are the ones that have the closest and most impactful customer contact. The information obtained through customer contact can be an invaluable asset for the compliance officer. For example, the loan officer who completes a credit write-up is the person most intimate with the business operation of the customer. It is this officer who is in the best position to complete an enhanced due diligence review. Operations staff who contact customers to discuss unusual transactions are the ones who have the most up-to-the-minute information on the operations of those clients.
 
In the same manner, the lending and operations staff have the best information about the optimum ways to ensure disclosures are completed properly and on time. Unfortunately, at many community banks, the compliance officer is the one who develops policies and procedures. In many cases, the procedures in particular are ignored or objected to by staff members who are supposed to use them. The business units are the groups best suited to design and implement procedures with input from the compliance officer.
 
One approach that has been effective for many community banks is to develop and implement a compliance committee. Typically this committee comprises the business unit heads at the bank, the compliance officer, the auditor (if there is one) and various members of operations and lending staff. This committee can become a central place for compliance issues of the day, review of updated policies and procedures and follow-up on outstanding items. It is also a forum for the business unit heads to develop risk assessments and get input from compliance and various others who may have valuable information.
The Second Line of Defense – The Compliance Officer
In our previous blog we referred to four categories from the larger discussion of the categories of compliance in the 2005 paper by the Basel Committee on Banking Supervision entitled “Compliance and the compliance function in banks”. We noted that there are ten categories. One of these directly addresses the compliance department at a bank.
“Organizing and governing principles of the compliance function, including its independence, the adequacy and qualifications of its resources, its responsibilities for both guidance and monitoring, and its relationship with Internal Audit”    
This is the basic principle underlying the compliance officer as the second line of defense. The compliance officer should be independent and have sufficient resources and authority to effect change. Unfortunately this is currently not the case for many community banks. The compliance officer rarely reports to the Board or a committee of the Board. In addition, in many of the banks we visit, the compliance officer is saddled with a great number of operations tasks and reporting requirements that tend to dominate their time. Little if any compliance testing is performed, and policies and procedures are also left to the compliance officer to revise.
As a true second line of defense, the compliance officer should have sufficient resources and talent to conduct ongoing compliance testing based upon a schedule that is reviewed and approved by the compliance committee. The results of the compliance reviews should be reported to the Board or a committee of the Board. In this manner the importance of the overall compliance program is elevated to its proper level and a compliance culture can flourish. This is not to say that community banks should hire large numbers of compliance staff without regard to the bottom line. There are several opportunities to outsource a portion of the compliance function that will allow the compliance officer to have sufficient time and resources to be most effective.
 
Internal Audit - the Third Line
The third line of defense is the internal audit function. For most community banks the internal audit function is outsourced, and the Audit Committee or the full Board hires an independent firm to perform all or most of the audits scheduled in a year. For many community banks the audit decision has become a matter of cost, and the contract goes to the lowest bidder.
However, the more efficient approach is to view the internal audit function as a partner in the overall compliance and risk management program. The audit firm should review and analyze the overall risk and compliance framework at the bank. In addition, audit findings should address root causes and determine whether those root causes are indicative of a departmental or bank-wide concern.
 
The Board must be willing to receive findings and discuss changes that should be implemented to reduce risk. We believe that any bank, including a community bank, can adopt the three lines of defense philosophy. Moreover, we believe that in doing so, a bank can enjoy increased efficiency while improving the effectiveness of the compliance management system.
 
 
 
