Interested in learning more about how to define a strong compliance management system, and details on those three lines of defense? This post is for you. It's one of the hottest topics in compliance, and yet, one of the more challenging: how to implement three lines of defense in your compliance management system.
In this post, we'll cover the basics: what is a CMS, what are the lines of defense generally, and what are the three lines of defense.
This post is designed to provide helpful details for people with both introductory and moderate experience in building three lines of defense in a compliance management system. If you believe that we overlooked something significant, please let us know!
Let's get started.
1. What is a Compliance Management System?
In simple terms, a compliance management system, or CMS, is the interconnected system that helps manage your compliance.
According to the regulators, a strong CMS must include these two key parts:
- Board of Directors and Management Oversight: Communicate clear expectations, adopt clear policies, and define an appropriately staffed compliance function.
- A Compliance Program: A formal, written compliance program. This should include:
  - Consumer complaint response.
A CMS that doesn't include these items (oversight and program, including the four pieces of a compliance program) will likely be considered deficient.
The FDIC provides even more detail in its Compliance Examination Manual. It describes a compliance management system as how a financial institution:
- "Learns about its consumer compliance responsibilities;
- Ensures that employees understand these responsibilities;
- Ensures that requirements are incorporated into business processes;
- Reviews operations to ensure responsibilities are carried out and requirements are met; and
- Takes corrective action and updates materials as necessary."
Every CMS is different, because it's customized to the unique needs of each institution. Your compliance management system should be crafted to fit your financial institution's size, branches, employees, history, existing risk, business structure, and strategy, among other factors.
2. What are the Lines of Defense?
In a compliance management system, the lines of defense are related to the areas (departments) of the financial institution responsible for different aspects of risk management.
Broadly speaking, a line of defense includes the employees, their policies, procedures, and practices, and the lines of reporting and escalation.
In the past, compliance and management were considered the two key lines of defense, but over the last decade that has been changing. We'll talk more about that next.
Remember, CMS technology does exist to help support everyone involved in compliance and risk management.
3. What are the Three Lines of Defense?
As compliance management systems have evolved, having three lines of defense has become more important.
Here is an overview of the three lines of defense:
- First Line: The first line of defense is the employees of the financial institution who are involved in the creation and selling of products and services, or operationally supporting customers, products, and services. It includes both sales roles and operational roles, like Wire Transfers and Customer Service. It is their responsibility to understand their roles and responsibilities, create and apply internal controls, and respond to risks that their work, sales, and interactions may present.
- Second Line: The second line of defense is the financial institution's compliance- and risk-related functions. They are responsible for providing guidance and oversight of the first line of defense. Additionally, they are responsible for proactively testing and monitoring high-risk areas to ensure that the policies, procedures, and processes implemented by the first line are working as intended to comply with rules and regulations. In most institutions, they are also responsible for fostering relations between the first and third lines of defense and for providing some reporting to the Board and Senior Management.
- Third Line: The third line of defense is the external and internal auditors who independently evaluate the compliance risks and controls. They are also responsible for reporting to the Board and Senior Management's oversight functions.
If only one line of defense is working well, it can present risks to the other lines as well as the institution.
It's clear that many institutions are still working towards building three strong lines of defense in their CMS.
That said, regulators have been talking about the three lines of defense since 2008. It's important that you prioritize the evolution toward three strong lines of defense in your compliance management system.
There are distinct challenges, but the rewards are more efficient compliance risk management and a stronger culture of compliance overall.
The best compliance management systems evolve to accommodate changing risk factors and exposure. As you work to improve yours, keep in mind that it will probably need to change over time, and consider how such change is managed.
Taking the Next Step in Building a Strong CMS
Tips for how to implement three lines of defense from a real-world expert will be coming in a later post, so keep your eyes peeled.
In the meantime, you might appreciate this free mini Fair Lending Risk Assessment! Monitoring is an important part of your compliance program and is integral to a strong CMS. Hopefully this abbreviated version of a risk assessment will help you as you move forward.