Lending Compliance: Building Up the Three Lines of Defense
When it comes to compliant lending, there is a good reason for three lines of defense. They ensure that a financial institution’s lending compliance management system is effectively guarding the FI against unnecessary risk.
What are the three lines of defense and how do they work?
Read on to find out.
The First Line of Defense: Employees
The first line of defense is the business. More specifically, it is the employees who provide consumers, small businesses, and others with credit. From the back office to the front line, employees must be trained on and be responsible for carrying out the institution’s lending policies and procedures. They need to know their roles and responsibilities, follow risk and compliance processes, apply internal controls, and recognize risk.
Financial institutions with a culture of compliance have the most effective first lines of defense. A good culture is defined by:
- Leadership that visibly and proactively supports compliance efforts
- Compliance function empowered with sufficient authority
- Shared information and open communication
- Adequate resources
- Independent audits
- Regular and transparent reporting
Where Does the First Line Fall Short?
The first line of defense is most likely to fail when there isn’t adequate training. Compliance training isn’t just a quick check-the-box activity—especially when it comes to areas where enforcement actions are most common like deceptive advertising practices, redlining, and fair lending.
Training must be robust to be effective. The financial institution needs to review audit results (see the Third Line of Defense) to uncover weaknesses in the first line and repeat and improve training as needed.
Why does training fall short? In many cases, there are mixed signals from the top. If management or the board are saying compliance training is necessary but isn’t doing anything to ensure employees have the time or resources they need to train effectively, training won’t accomplish its goals. If management is telling lenders to follow compliance training (wink, wink, nudge, nudge) but really just cares about making as many loans as possible or incentivizes lending staff to break rules, the first line of defense will fail.
It goes back to that culture of compliance.
This also applies to vendors acting on behalf of the financial institution. If there isn’t sufficient vendor management and oversight to ensure a culture of compliance, a non-compliant third-party vendor can easily cause a fair lending or other compliance violation.
The Second Line of Defense: Compliance and Risk Management
The second line of defense is made up of the financial institution's compliance and risk related functions. These areas are responsible for creating and executing the policies, procedures, and systems that oversee and guide the first line of defense.
Risk management is responsible for assessing the risk of all business activities—including their lending compliance risk. If a business activity doesn’t fall within the FI’s risk tolerance, internal controls need to be added or adjusted—or the activity may need to be discontinued. For instance, many FIs exited the mortgage market when increasingly complex mortgage regulation made the risk of doing business too high to be worth the potential award.
This is where data is extremely valuable. It helps measure risk in an easily quantifiable way. For example, fair ending analytics can uncover potential fair lending compliance issues stemming from flawed policies or procedures, inconsistent waivers, or human error. Knowing there is risk gives your FI the opportunity to investigate its source and remediate it.
Risk management also identifies high-risk areas that require increased scrutiny in the form of testing and monitoring to ensure the first line is working as intended to comply with rules and regulations.
Compliance is responsible for identifying applicable laws and regulations, interpreting them, and then developing and enforcing policies and procedures to support them through a compliance management system (CMS). It should work hand-in-hand with risk management to ensure risk assessments are thorough and up-to-date.
Risk management and compliance are also responsible, in most institutions, for fostering relations between the first and third line of defense and providing some reporting to the board and senior management.
While different FIs will divvy up these responsibilities in different ways and to different areas, the bottom line is that risk management and compliance play an essential role in ensuring effective lending compliance.
The Third Line of Defense: Audit
The third line of defense is the external and internal auditors who independently evaluate lending compliance risks and controls. They are also responsible for reporting on risk to the board, senior management, and other stakeholders. A good audit program allows an FI one last chance to uncover internal flaws that are hindering lending compliance.
The third line of defense includes ensuring that findings are addressed promptly and consistently. Auditing provides no value if you don’t do anything with the information. Being able to visualize and remediate problems is an essential step in assuring that risks are appropriately mitigated and the organization is ready for external regulatory exams and reviews. It makes sure that an FI identifies and corrects problems itself, rather than waiting for an examiner to uncover an issue.
The third line should focus its efforts on the areas where risk exposure is the greatest. For instance, auditors may take an extra close look at HMDA data accuracy if regulatory agencies issue additional consent orders in that area.
Two Out of Three Is Bad
With apologies to Meat Loaf and his 1977 power ballad, having just two of the three lines of defense isn’t good.
If only one line of defense is working well, it can present risks to the other lines as well as the institution. Three strong lines of defense support a lending compliance management system that guards against fair lending, redlining, HMDA and CRA issues, among others,—and keeps an eye on regulatory change such as the CFPB’s recent efforts to move towards implementing Section 1071 of the Dodd-Frank Act (DFA), which amends the Equal Credit Opportunity Act (ECOA) to require new data collection requirements on loan applications for women-owned, minority-owned, and small businesses.
A financial institution must always be looking forward, ahead, and at the present when it comes to lending compliance. The three lines of defense make that possible.
For more insights into the third line of defense, download our whitepaper, Best Practices for Tracking Audit & Exam Findings.