Tips for Implementing 3 Lines of Defense in your CMS from a Compliance Pro

Jul 31, 2019

Interested in learning how to implement three lines of defense into your compliance management system? If you're like most compliance officers, it can be a real challenge.

That's why we spoke with one accomplished compliance professional, Melissa Komarnitzky, CRCM, CAMS, about her experiences and insights. Read on to learn a few best practices for how to create three strong lines of defense in your CMS.

Lately, we’ve been talking a lot about compliance management systems, and for good reason! They’re one of the hottest areas of compliance. That’s why we’re so glad to be able to talk with an expert about their experiences implementing a CMS with three strong lines of defense.

In this article, we interview Melissa Komarnitzky, CRCM, CAMS, and Director of Compliance at Minnwest Bank about implementing the third line of defense.

In particular, this article will cover:

  • The one thing you absolutely need to create three lines of defense.
  • Tips for addressing pushback and minimizing conflict when implementing three lines of defense.
  • Unique challenges that come with building three lines of defense.

Before we jump in, here is a little context on Melissa and the bank: Melissa is a CRCM- and CAMS-certified compliance professional with decades of experience in banking, and more than 20 years in compliance. She works closely with the bank’s Director of Risk to implement three lines of defense. Minnwest Bank has approximately $2 billion in assets and 32 offices. They’ve acquired three banks in the last year, so the bank is transforming rapidly.

The bank is in the process of implementing a three lines of defense approach to compliance risk management, and experiencing all of the value and challenges that come with that.

If you haven’t really started implementing three lines of defense, now is the perfect time to start. As we wrote last week, even though the concept is fairly established, the process of creating three lines of defense is still somewhat of a work in progress for the industry. Based on what we heard at the ABA Regulatory Compliance Conference, very few banks are completely finished with implementing three lines of defense. Still, the regulators are expecting a strong CMS.

The One Thing You Absolutely Need to Create Three Lines of Defense

To create three lines of defense, your financial institution needs a strong culture of compliance. Implementing three lines of defense in many ways starts and ends with compliance culture.

“Successfully implementing three lines of defense really has to start with the tone at the top with a strong culture of compliance," Melissa said. "It has to come from management. Management has to commit and say that the bank is going to operate this way, and so you get the buy-in from everyone in the company.”

While compliance culture has always been important, it’s generally a little bit stronger today than it once was.

“There has definitely been a change in leadership’s approach to compliance, particularly in the last 5-7 years,” Melissa explained. “When I started, compliance was the ‘necessary evil.’ It wasn’t revenue generating. I’ve really seen a shift in that mentality. They may still cringe a little bit when they have to approve the money, but getting buy-in is much easier. Management now understands that compliance is necessary for their business.”

Melissa illustrated how important compliance culture is with an anecdote. In a recent leadership meeting, the discussion turned to creating good procedures, and a colleague said, “Compliance is going to do that for us.”

Melissa’s boss, the Director of Risk, helped this colleague understand that compliance wouldn’t be able to just write everything for the department – and why. According to Melissa, the Director of Risk explained, “we’re your business partner, and we will help guide you, but it’s your responsibility to write the compliance into your policies and processes. You have the deep understanding of your team and the customers.”

Having support from management makes it much easier to implement three lines of defense, as you can see here. However, even with their support, it’s inevitable that there will be pushback. Next, we’ll discuss how to address pushback.

Tips for Addressing Pushback and Potential Conflict

Whenever you’re creating something new, it’s possible that you’ll get a little bit of pushback. That’s especially true when you’re implementing three lines of defense. After all, some people might feel like compliance isn’t their job, at least at first. That said, there are ways to ease the pain.

Melissa recommends focusing on risk and cost when helping her colleagues understand and internalize the value of a strong compliance management system.

“One of the things I try to do when presenting an issue that needs resolution is to define the risk to the bank,” Melissa said. “What’s the risk if we continue to behave in this way? For example, if it creates Fair Lending risk, it’s important to keep in mind that that’s one of the riskiest regulations.”

After the risk has been highlighted, the issue goes to the risk committee. Is the bank going to continue with a product, policy, procedure, or process that elevates risk, and if so, for how long? Sometimes, Melissa notes, the risk committee decides to accept the risk.

“From my perspective, it’s always the regulatory risk that comes first,” Melissa continued. “That said, there is also monetary risk, reputational risk, credit risk, etc. I also try to help people understand the cost-benefit of doing something a certain way or offering a certain product. Compliance also has to keep the customer experience in mind too. This is not always easy, but it has to figure in to your decision making.”

After addressing the risk, Melissa identifies the costs as they relate to compliance.

“Compliance cost is not just about the money,” she explained. “Compliance cost could be system or software that could be required, the time spent, additional personnel requirements, or all of the above.”

By focusing on the “why” of compliance, Melissa is able to encourage support and increase engagement with the CMS from all three lines of defense.

Value and Challenges of Implementing Three Lines of Defense

As we wrote about last week, the values of implementing a three lines of defense approach to risk management are manifold.

Here are a few of the most important benefits:

  • More proactive risk management.
  • More efficient policies and processes to ensure compliance.
  • Stronger culture of compliance throughout the organization.

However, there are challenges, too.

Challenge 1: Getting Support from the First Line

One of the most-cited challenges with implementing three lines of defense is getting the engagement of the first line. In some cases, the front line doesn’t understand that compliance is the responsibility of the entire bank, not just the compliance department.

“It’s an uphill battle, because the front line is so dependent on the compliance team to do it for them,” Melissa says.

In fact, this exact situation was discussed multiple times in different sessions on compliance management systems at the recent ABA Regulatory Compliance Conference.

Melissa has a great way of addressing that perception: “I try to explain that the compliance department doesn’t ‘do’ compliance, we manage it. It’s the first line that 'does' the complying by adhering to policies and procedures.”

Challenge 2: Clear Lines of Responsibility

Another challenge is that, while implementing three lines of defense, “the lines of responsibility can start to get blurred,” Melissa says.

Even though it’s not perfect, this is a natural part of the evolution of creating three lines of defense. While your goal is to have all responsibilities clearly defined, you probably won’t get there overnight.

Challenge 3: Staying Motivated

This leads to another challenge associated with implementing three lines of defense: overwhelm.

As a compliance professional, it’s possible to get overwhelmed with trying to implement three lines of defense.

If this sounds like you, take Melissa’s advice: “It’s not easy for anyone, but you’ve got to start somewhere!”


How We Can Help...

If you're working to create three strong lines of defense, you may be looking for guidance or solutions. Please know that Ncontract provides the consulting and software that can help strengthen your CMS.
