Realigning the Three Lines of Defence…defending from the front
The ongoing challenge facing many organisations is the need to improve profitability and reduce costs. As branch networks continue to shrink and banks launch digital initiatives to lower the cost to serve, the focus is again turning to head offices and central functions, and the proportion of cost carried there. Risk areas are not immune to this renewed focus and will be affected, coming under scrutiny because of the number and cost of the resources added over the last decade. There is therefore increasing pressure on companies to ensure their lines of defence take a unified approach to the design, implementation and effectiveness of their three lines of defence model, particularly as this model has evolved in parallel with increased regulatory change and legislation.
Concept of Three Lines of Defence (pre-financial crisis)
The authors have personal experience of the takeover of NatWest by RBS in 2000 and were involved in the integration of the organisations and alignment of two significantly different models at play in relation to how risk strategy, policy and operations were run and in developing the operating model for the merged organisation. At the heart of many of the integration initiatives was the Three Lines of Defence (3LOD) given this model is an invaluable framework when closely linked to organisational strategy, risk appetite and risk capacity.
Although the model has evolved, the objectives of an effective risk and governance framework have remained consistent:
- enabling safe business growth and achieving desirable and demonstrable customer outcomes; and
- preventing losses and preserving long-term business performance and shareholder value.
The first line of defence comprises the people in the front-line operations of the business; they are normally based in client-facing or near-client-facing roles such as Sales or Operations. These functions and roles own and manage the risks that the organisation faces. The second line comprises the functions that oversee the risks, set risk tolerances, manage scorecards and policy, and usually own any risk systems and models. The third line – the line of defence whose role is clearest in the model – is the internal audit function, which provides independent assurance to governance bodies and senior management that the risk management controls are adequate and effective.
Evolution of the Model post-financial crisis
With only some isolated tests of the 3LOD model in the industry, there was a general assumption that the model was performing as expected. However, the dark days of Northern Rock and the government bail-out of RBS and Lloyds Banking Group dispelled this assumption and led to a fundamental revamp of our regulatory system. In the immediate aftermath the Financial Services Authority increased regulation and sought greater scrutiny than before, which resulted in the creation of the Prudential Regulatory Authority and the Financial Conduct Authority in April 2013.
The significant regulation introduced in the years immediately following the financial crisis aimed to (i) preserve and strengthen market integrity, such as the Banking Act in 2009 and the European Market Infrastructure Regulation in 2012 to regulate over-the-counter derivatives, and (ii) improve transparency and protection for investors and consumers, such as the Retail Distribution Review (2012) and the Mortgage Market Review (2014).
Also, following the numerous reviews and investigations into the crisis and associated internal governance and controls, all the big 5 banks have paid extensive penalties for breaches in their culture and / or controls. For example:
- RBS – fines in 2014 included £14.5m for provision of unsuitable mortgage advice and £390m for rigging foreign exchange markets, and just recently a $4.9bn settlement with the US Department of Justice to end an investigation into sales of financial products in the run up to the financial crisis;
- LBG – received a £105m fine for manipulating submissions in relation to the Repo Rate and LIBOR in order to manipulate those rates; and a £117m fine in 2015 for failings in relation to how they treated their customers when handling Payment Protection Insurance;
- HSBC - $628m penalty paid to US and UK regulators for foreign exchange rate-rigging scandal and in 2018 £73m was paid to settle a criminal investigation in the UK into currency rigging;
- Barclays - £26m fine for failing to monitor conflicts of interest between itself and customers and £284.4m for currency rigging; and
- Santander – £12.4m fine for widespread investment advice failings.
Additionally, all have incurred fines for financial crime detection shortcomings, such as money laundering or sanctions checking.
To be clear though, these failings were not just the preserve of the big banks; fines and remediation have been experienced by organisations across sectors. For example, fines have been imposed for failures of control in the life insurance sector (e.g. Aviva Group were fined for breaches related to client money / assets and culture / governance) and in the oil and gas sector (BP and the Deepwater Horizon oil spill disaster), and the tech sector is increasingly being hit with fines for data breaches (e.g. Equifax and Yahoo).
Within the financial services industry, there has been an increasing amount of regulation designed to make the banking system more stable and to strengthen market integrity. These regulations have introduced rules on governance, supervision and resolution regimes, such as the Banking Reform Act (2013), the Bank Recovery and Resolution Directive (2015), the Senior Manager & Certification Regime (2016) and MiFID II (2018); and to strengthen capital of market participants, through Capital Requirements Directives.
Regulation has also been increased to extend oversight to all systemically important financial institutions, instruments and markets by improving transparency and monitoring on non-bank credit activities, such as the Alternative Investment Fund Managers Directive (2013), Securities Financing Transactions Regulations (2017) and the Money Market Funds Regulations (2018) to name a few.
As organisations faced up to this increasing amount of change (‘incentivised’ by the refreshed regulators), they assessed their existing three lines of defence frameworks to address any deficiencies. However, in parallel with this evolution and ‘beefing up’ of the 3LOD model, the second line in particular has grown in size and complexity, causing some concerns to resurface about roles and responsibilities and about the associated costs of the risk infrastructure.
Drivers for Change
The re-assessment and evolution of the 3LOD model in the last decade has certainly improved the general standard of risk management across the financial services industry. However, enough failures still occur (e.g. multiple conduct breaches, payments failures and systems migration issues) to say that there is room for further improvement. This is driving a further review of how the model has been implemented, specifically to take account of recent opportunities that are becoming available:
- the Approved Persons Regime, which had not been sufficient to stop many of the control breaches seen, has now been replaced by the Senior Manager Regime and the Certification Regime (SM & CR), and is being extended to all regulated firms. Designed to improve governance and accountability in financial services, the aim is to make individuals more accountable for their conduct and competence, and it enshrines the Latin principle, which many banking students will recognise, of ‘Delegatus non potest delegare’, which translates to ‘no delegated powers can be further delegated’. The Responsibility Maps, identifying how key accountabilities have been apportioned, align very closely with the 3 Lines of Defence model;
- notwithstanding the increased focus on the availability and use of data within organisations, there is a perception that core data is still not being used to its full potential. With data analytics tools now available to manage significantly larger volumes of structured and unstructured data, this is an increasing area of focus for organisations looking to reduce cost whilst still increasing the effectiveness of the first and second lines in particular;
- in addition to the data perspective, technology alternatives are now being developed to manage the introduction of multiple, sometimes aligned, regulatory requirements and to automate checking and control activities. This technology can also contribute to reducing the costs and layers of people built into risk functions over the last ten years, although experience confirms that the best approach is to use technology to complement a well thought through risk model rather than viewing it as a “silver bullet”;
- the wider availability of customer feedback data including Net Promoter Scores, both at a business and an industry level, can be used to highlight areas requiring attention or prioritisation, and be included in the MI provided within the lines of defence model. Mistakes lead to client and customer dissatisfaction and also drive additional costs. Failure demand is a scourge and every organisation should seek to drive it out.
In the second part of this article we will review the industry wide changes and challenges that organisations face when reviewing their 3LOD model and offer simple steps you can take to evolve the framework in your organisation.