You have to be very new to Financial Services and the regulatory regime to not have become acquainted with the concept of the Three/3 Lines of Defence (3LoD). The 3LoD model for maintaining effective risk and compliance arrangements is something the regulators have been advocating for many years.
And you are probably familiar with Quality Assurance and Quality Control. Many are quite comfortable with their Quality Assurance – QA – and Quality Control – QC – arrangements. No disrespect, but you and those close to you may even use those terms interchangeably.
So you’d think we would all have a good handle on it by now? You’d be wrong.
Having worked with many firms it has become clear to us at TCF that effectively implementing the 3LoD model for firms (especially for small to medium firms) can be a real challenge. And the role of Quality Assurance and Quality Control can be a significant complicator.
This can leave businesses far more exposed to potential compliance issues than they think and potentially create significant problems with the regulators. We are going to explore some of the reasons why this is the case and suggest some solutions.
Now if we leave aside willful neglect, a failure to exercise reasonable care and a lack of available resources as unreasonable excuses not to implement an effective 3LoD model – what are the specific issues faced by firms who do want to try and implement the model effectively? To understand that we probably ought to take a moment to remind ourselves of the key aspects of the 3LoD model.
The lines of defence
How lines of defence and quality assurance and control get mixed up
So where do the problems lie? Funnily enough almost all of them lie with understanding the real purpose of the second line of defence and even more specifically with what it means to “monitor” the performance of the firm and where quality control and assurance fit in.
As firms grow they can often receive feedback from customers and/or regulators that there are issues with their products or services. If, for example, the problems are quality related (either service or product) then a standard response from a firm is to put in place a process and/or team to monitor quality – either before a product or service is released to a customer (Quality Control [QC]) or after products and services have been released to a customer (Quality Assurance [QA]) or sometimes both.
Now here’s the problem – many firms mistakenly believe that these QC and QA processes and teams are part of the 2LoD and are carrying out “monitoring”. And whilst they may indeed be monitoring the performance of individual agents or departments through direct observation and/or “call monitoring” or “case monitoring”, they are not undertaking 2LoD responsibilities.
They are in effect acting as a 1LoD Plus.
As 1LoD Plus staff they are effectively working to ensure that the 1LoD is doing what they should be doing at the standard they should be doing it at as defined by the business. It is a valuable and important job but it is not a 2LoD. The QA and QC teams are usually not independent of the 1LoD, often being rewarded on the same performance metrics as the 1LoD. In addition, most QA and QC teams are not regulatory experts, do not have direct access to the Board to report their findings and do not carry out what we would recognise as a classic 2LoD monitoring process.
The role of quality assurance and control is blurring with compliance
At TCF we see side effects of this growth in QA, QC and call monitoring teams. It can lead to this group of professionals becoming known as the ‘compliance team’. Other 1LoD Plus teams (such as client on-boarding teams carrying out ID & Verification checks and financial crime transaction monitoring teams) can also start to be identified as compliance teams.
We once worked with a client who told us they had 20 staff deployed on compliance activities – we were initially seriously impressed. And then taken aback. What they actually meant was that they had 20 staff in 1LoD or 1LoD Plus type roles. These staff were all doing quality control and client checks. They actually had no-one in the 2LoD and no operational 3LoD arrangements. They also – when some problems emerged – had some serious expectation management to do with their Board and investors who honestly believed this was a business with a heavyweight compliance team.
And they are not alone – this is a common state of affairs.
Whilst all these professionals do an excellent and meaningful job they are not a 2LoD or 3LoD. The lines have become blurred. And that can lead to trouble.
Now when a firm is relatively small and flying well under the regulators’ radars the problems do not particularly manifest themselves. However, as a firm thrives and grows, an over-reliance on a 1LoD Plus model to maintain compliance is very unwise.
Where the common issues are
What about supercharging the third line?
Finally – it is worth noting that some firms will make up for not putting in place an effective 2LoD by supercharging the 3LoD.
Some firms will use a combination of an Internal Audit team and/or external consultants to undertake reviews of potential problem areas.
Now whilst this reduces or negates a number of the challenges outlined above (although the risks of a narrow compliance focus and a likely inability to monitor all business functions remain) it does in our opinion foster a few other risks and challenges. It is also likely to be more costly if it is used as a quasi 2LoD.
Specifically the 3LoD isn’t undertaking regular monitoring – it is often about one-off reviews. If you translated it to a school situation it would be like relying on an Ofsted inspection to maintain standards. Whilst important and useful, these types of review do not often engender a culture of compliance in the same way that an effectively deployed 2LoD does.
So what’s the solution?
We say the way forward is to do four things:
So, to conclude, we believe that firms can significantly reduce potential regulatory challenge and the accompanying issues and fines by taking a good look at their own 3LoD model and ensuring that it is set up effectively, with clear remits for all those involved, so that the lines of defence are crystal clear and not blurred. We think it would really help.
If you would like to talk more about how your firm is dealing with compliance then please do get in touch at firstname.lastname@example.org or via our website at http://thecompliancefoundation.co.uk
Specifically, we’d be delighted to host a “designing an effective compliance structure” workshop with you and your teams to help you think through your future strategy for compliance. If this appeals then get in touch.