
Managing Complaints: The Role of the Three Lines of Defense

Jan 14, 2021

Complaint management requires direct communication, but that’s easier said than done.

Most financial institutions are siloed. Departments are named after the specific set of tasks they focus on (compliance, risk, vendor management, lending, or customer service). These departments all collect information that other departments need. The situation is made even more complex with the addition of more products, services, delivery channels, and partnerships. Any one of these areas may be the source of a complaint—or need to be involved in its resolution or tracking.

Ensuring relevant information is communicated to the correct department in a seamless and uniform way is of the utmost importance—especially when it comes to managing complaints. An effective complaint program should leverage all three lines of defense to effectively manage this important customer contact.

The First Line: Operational Functions

The first line of defense is made up of the managers and process owners responsible for the institution’s day-to-day activities. These operational managers should ensure all customer-facing employees and employees who receive customer correspondence are aware of the institution’s complaint management policies and procedures. Employees should also be trained to identify consumer complaints and ensure complaints are reported and resolved in a timely manner.

Without the first line of defense actively working to ensure complaints are identified and logged, complaint data will be less comprehensive and thus less useful, and institutions will have a harder time identifying deficiencies early on. This prevents institutions from engaging in self-identification and corrective action, which are key pillars of an effective Compliance Management System. When customers’ complaints go unresolved, their trust and satisfaction diminish, leading them to find different channels to express their dissatisfaction, including regulators or social media. This can harm the institution’s reputation and create additional examination issues.

The Second Line: Risk & Compliance

An institution’s compliance department knows it’s required to establish an effective compliance management system (CMS), which includes the creation of a complaint management program. The compliance department should assist management in creating a complaint program that ensures complaints are collected and captured throughout the institution. Compliance folks may also want to review and test the training program to prevent complaints from going underreported or unresolved.

Risk management ensures risk is identified, measured, mitigated, and monitored throughout the institution. When a control proves ineffective, a product or a service is identified as a high risk, or a third-party relationship brings heightened risk to the institution, risk managers assist the first line of defense in strengthening controls and communicating the institution’s risk exposure to management.

Complaints represent valuable data to be leveraged by risk management because they identify potential instances of heightened risk and ineffective controls. Risk management has a vested interest in the efficient and expedient reporting of complaint data and should be aware when it’s not receiving this information.

The Third Line: The Auditors

Auditors ensure the complaint and risk programs are effective so that no complaint is overlooked or swept under the rug. Institutions have finite resources to conduct testing and auditing, so they must maximize efforts to be effective and uncover compliance issues. Complaints sometimes highlight areas where an institution may need to focus its testing efforts, making the audit department a key component of an effective CMS.

All Three Lines of Defense Working Together

Every department has a role to play to convert complaints into opportunities to identify and promptly correct issues before they harm consumers.

Imagine a consumer who complains that they never received their overdraft opt-in disclosure. The institution has contracted with a third party to provide these required disclosures. However, no one at the institution is checking to see when and if the disclosures are actually given to consumers.

When the institution receives the complaint, it grabs the attention of the risk department, which identifies a control deficiency. The risk team then works with the vendor management team to implement a process to ensure required disclosures are sent. The compliance team tests the process through a reconcilement report, comparing the volume of notices that should be mailed versus actually mailed. The compliance department then reports that the issue seems to be corrected. The audit department verifies that the required disclosures are sent as part of their Overdraft Program audit.

In this scenario, the institution effectively analyzed its complaints and learned that customers were not receiving a required disclosure. The institution also realized that it did not have a control in place to ensure that its third-party provider was meeting the mandated timeliness requirement. Prompt action was taken to remedy the deficiency in the institution’s controls. In addition, the financial institution can now demonstrate to examiners that the violation was self-identified and that it has implemented policies and procedures for monitoring third-party provider compliance.


Make sure your compliance program and procedures identify the different roles your three lines of defense must play. Without the three lines working together, your complaint management program won’t be the risk management tool you need to help mitigate risk and initiate self-corrective action that can save you from hefty penalties, examination issues, and reputational concerns.
