QA and blurring the Lines of Defence – when 3 becomes 1?

You have to be very new to Financial Services and the regulatory regime to not have become acquainted with the concept of the Three/3 Lines of Defence (3LoD).  The 3LoD model for maintaining effective risk and compliance arrangements is something the regulators have been advocating for many years.   

And you are probably familiar with Quality Assurance and Quality Control. Many are quite comfortable with their Quality Assurance – QA – and Quality Control – QC – arrangements. No disrespect, but you and those close to you may even use those terms interchangeably.

So you’d think we would all have a good handle on it by now? You’d be wrong.

Having worked with many firms it has become clear to us at TCF that effectively implementing the 3LoD model for firms (especially for small to medium firms) can be a real challenge.   And the role of Quality Assurance and Quality Control can be a significant complicator.

This can leave business far more exposed to potential compliance issues than they think and potentially create significant problems with the regulators. We are going to explore some of the reasons why this is the case and suggest some solutions.

Now if we leave aside willful neglect, a failure to exercise reasonable care and a lack of availabe resources as unreasonable excuses not to implement an effective 3LoD model – what are the specific issues faced by firms who do want to try and implement the model effectively?  To understand that we probably ought to take a moment to remind ourselves of the key aspects of the 3LoD model. 

The lines of defence

  • First Line of Defence (1LoD) – The ‘business ‘is a firm’s first line of defence or 1LoD. That can be made up of the staff who directly deal with the customer such as the sales and marketing staff and the customer services staff. But it’s also product designers and developers, the IT service provision staff and many more who have an impact on the customer.  It is the 1LoD’s responsibility to deliver compliance, to spot risks and to manage them.
  • Second Line of Defence (2LoD) – The ‘second line’ or 2LoD  are the staff responsible for monitoring the performance of the 1LoD against the regulations and the firm’s own policy standards.  They may set standards and policies as part of the overall control framework of the business. Their role is to carry out regular assessments of the firm’s operations and report their general findings and recommendations for improvement back to both the 1LoD, senior management and to the Board.  Normally this would include the staff in such departments as Compliance, Risk, Financial Crime, Data Protection, Health & Safety etc.  

  • Third Line of Defence (3LoD) – A firm’s third line of defence or 3LoD are the staff (or sometimes external people) who are asked by the Board to take a broader or deeper systemic review of an area of the firm’s operations or indeed a review of the firm’s 2LoD arrangements.   They provide indepdendent – or more independent assurance. The 3LoD will report their findings to the Board.  In large firms this is often a role that will be undertaken by internal and external audit.  Smaller firms will often rely on external auditors to undertake such a review.  

How lines of defence and quality assurance and control get mixed up

So where do the problems lie?  Funnily enough almost all of them lie with understanding the real purpose of the second line of defence and even more specifically with what it means to “monitor” the performance of the firm and where quality control and assurance fit in.

As firms grow they can often receive feedback from customers and/or regulators that there are issues with their products or services.   If, for example, the problems are quality related (either service or product) then a standard response from a firm is to put in place a process and/or team to monitor quality – either before a product or service is released to a customer (Quality Control [QC]) or after products and services have been released to a customer (Quality Assurance [QA]) or sometimes both.   

Now here’s the problem – many firms mistakenly believe that these QC and QA processes and teams are part of the 2LoD and are carrying out “monitoring”.     And whilst they may indeed be monitoring individual agents or departments performance through direct observation and/or “call monitoring” or “case monitoring” they are not undertaking 2LoD responsibilities.   

They are in effect acting as a 1LoD Plus.   

As 1LoD Plus staff they are effectively working to ensure that the 1LoD is doing what they should be doing at the standard they should be doing it at as defined by the business.   It is a valuable and important job but it is not a 2LoD.  The QA and QC teams are usually not independent of the 1LoD; often being rewarded sharing the same performance metrics as the 1LoD.  In addition, most QA and QC teams are not regulatory experts, do not have direct access to the Board to report their findings and do not carry out what we would recognise as a classic 2LoD monitoring process.

The role of quality assurance and control is blurring with compliance

At TCF we see side effects of this growth in QA, QC and call monitoring teams. It can lead to this group of professionals becoming called the ‘compliance team’.   Other 1LoD Plus teams (such as client on-boarding teams carrying out ID & Verification checks and financial crime transaction monitoring teams) can also start to be identified as compliance teams.  

We once worked with a client who told us they had 20 staff deployed on compliance activities – we were initially seriously impressed. And then taken aback.  What they actually meant was that they had 20 staff in 1LoD or 1LoD Plus type roles. These staff were all doing quality control and client checks. They actually had no-one in the 2LoD and nooperational 3LoD arrangements.  They also – when some problems emerged – had some serious expectation management to do with their Board and investors who honestly believed this was a business with a heavyweight compliance team.

And they are not alone – this is a common state of affairs.

Whilst all these professionals do an excellent and meaningful job they are not a 2LoD or 3LoD.   The lines have become blurred.  And that can lead to trouble.  

Now when a firm is relatively small and flying well under the regulators’ radars the problems do not particularly manifest themselves.  However, as a firm thrives and grows, an over reliance on a 1LoD Plus model to maintain compliance is very unwise.  

Where the common issues are

  • An inability to effectively monitor all business functions.  1LoD Plus teams are usually focused on a small area of the business such as the sales process or the advice process. They do not have a remit to monitor across the business and so they don’t.   
    • This can often leave a firm very exposed without regular monitoring or review of key functions such as marketing, IT, organisational governance, training and competency.   Where firms relying on the 1LoD Plus have a Compliance Monitoring Plan (CMP) – and many no longer have CMPs or maintain them – you can almost guarantee that the CMP is going to be almost entirley focused on the areas covered by the 1LoD Plus teams.    
    • As a result significant areas of the business that are potentially compliance and regulatory risks are left unexamined.
  • A narrow compliance focus.  Regulators such as the PRA and FCA require firms to ensure they are covering a wide spread of their business activities in their compliance monitoring plans and they expect there to be a specific 2LoD team in place to carry out reasonable monitoring, reporting and other 2LoD responsibilities.   
    • When we assess a firm’s compliance arrangements we will often look for evidence that a firm is undertaking a minimum of approximately 70 different responsibilities that we would expect to see a firm’s 2LoD carry out.   
    • Where the lines are blurred we are fortunate if we find 20 responsibilities being discharged effectively.  This again leads to potentially significant capabilities not being in place to enable a firm to maintain compliance and reduce risks – for example reviewing whistleblowing arrangements, managing interactions with the regulator, supporting incident and risk management processes, compliance reporting and horizon scanning for new regulation that may affect the business.
  • Conflicts of Interest.  Because 1LoD Plus teams are so focused on a specific area, they spend all day every day helping to improve its performance.  They get involved in problem solving, process redesign, training staff and setting metrics.  After a while they know the process inside out and back to front. They have effectively designed it and trained people to use it. It has become their process.   
    • Unsurprisingly they are not necessarily the best people to impartially assess its effectiveness.   
    • It is for exactly this reason that a 2LoD needs to be in place and capable of assessing all aspects of the business relatively dispassionately.
  • Lack of regulatory knowledge and insight in the firm.  Again the focus of the 1LoD Plus teams forces them to concentrate on the here and now.  
    • Very few 1LoD Plus teams are plugged into sources of new regulatory insights, very few have had to interact with regulators and understand how regulators think.  Very few have done the hard yards of interpreting the FCA’s rules and guidance in the FCA Handbook.  
    • As a result changes in regulation can occur that are just not picked up or noticed by the 1LoD Plus teams.  Now, not all 1LoD Plus teams are dislocated from the regulators – but many are.
  • Inability to efectively report compliance issues to the Board and to maintain effective records for regulators.  A firm’s Board has a regulatory responsibility to ensure it is kept informed of compliance and risk related issues.  
    • One challenge with a blurred 3LoD model is that the direct reporting remit of the 2LoD and 3LoD is missing.  Any MI coming from the 1LoD and the 1LoD Plus teams is likely to go through several layers of management filter before or if it reaches the Board.   
    • Additionally,  the regulators have an expectation that firms keep effective records and this is often overlooked or forgotten about when there is a missing or weakened 2LoD.

What about supercharging the third line?

Finally – it is worth noting that some firms will make up for not putting in place an effective 2LoD by supercharging the 3LoD.  

Some firms will use a combination of an Internal Audit team and/or external consultants to undertake reviews of potential problem areas.   

Now whilst this reduces or negates a number of the challenges outlined above (although the risks of a narrow compliance focus and a likely inability to monitor all business functions remain) it does in our opinion foster a few other risks and challenges. It is also likely to be more costly if it is used as a quasi 2LoD.   

Specifically the 3LoD isn’t undertaking regular monitoring – it is often about one-off reviews.  If you translated it to a school situation it would be like relying on an Ofsted inspection to maintain standards.  Whilst important and useful, these types of review do not often engender a culture of compliance in the same way that an effectively deployed 2LoD does.

So what’s the solution?

We say the way forward is to do four things:

  1. Take a good hard look at how you are organised and what your three lines of defence look like
  2. Be clear about where quality control and quality assurance sit and what they do. Be clear about the distinction between them.
  3. Ask the people involved – which bit do they think they and their colleagues are in?
  4. Take some example issues – not just the ‘big’ ones, but also some slow burn ones – and track them through – how would they be dealt with?

So, to conclude, we therefore believe that firms can significantly reduce potential regulatory challenge and the accompanying issues and fines by ensuring they have taken a good look at their own 3LoD model and ensure that it is set up effectively with clear remits for all those involved ensuring the lines of defence are crystal clear and not blurred.   We think it would really help.

If you would like to talk more about how your firm is dealing with compliance then please do get in touch at or via our website at

Specifically, we’d be delighted to host a “designing an effective compliance structure” workshop with you and your teams to help you think through your future strategy for compliance.  If this appeals then get in touch.

September 2020