The Case for Three Lines of Compliance Defense at Community Banks – Part 1
A two part series
In late 2014, the Office of the Comptroller of the Currency (“OCC”) published its “Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”. This document established the requirement that large banks should establish and implement a risk management framework. The framework must cover at a minimum credit, interest rate, liquidity, price, operational, compliance, reputation, and strategic risk. The guidance goes on to establish several other requirements and documents that large banks have to produce and describes the ongoing expectations for Board members of these banks. The Federal Reserve and the CFPB have both published similar guidance. All of this guidance is ostensibly directed at larger banks.
The guidance details the components and responsibilities of risk and compliance programs, which includes three lines of defense. All three are specifically defined in the guidance. The three lines are:
- The heads of the business units
- Independent risk monitoring
- Independent auditing
While one could dismiss this guidance because it applies to large banks, it is clear that a great deal of the regulatory guidance that is first directed at large banks is eventually applied to community banks. Moreover, as one reviews the principles of the guidance there are sound reasons for a community bank to consider implementing a program similar to the one discussed. We believe that community banks should use this guidance to rethink the approach to compliance.
The structure of the risk program described in the guidance is likely more extensive than a community bank might be able to consider. However, the basic principles described in this guidance present directions for developing a compliance management system for 2015 and beyond.
The main theme of the guidance published by all three agencies is very similar; to develop a strong and effective compliance management system, a financial institution should develop a risk governance program that incorporates compliance into the overall operation of the bank. In other words, for large banks risk and compliance are simultaneous and seamless. There is no reason that this should not be the same for community banks. Unfortunately, for most community banks, the compliance officer has been the first, middle and last line of defense when it comes to compliance. Among the traditional tasks for a compliance officer are writing policies and procedures, attending to training and preparing compliance reports such as the HMDA LAR. In many community banks, the sheer volume of regulatory changes has made the multiple roles for the compliance officer untenable. Often the practice is to try to address the perceived highest levels of risk and to put the rest of the tasks off until later. We have seen cases of policies and procedures that are past due, compliance reviews that have been left uncompleted or audit findings that have not been addressed. These conditions are generally the result of insufficient resources in the compliance unit.
Using the three lines of defense approach to compliance and risk management at a community bank may present the opportunity to redeploy staff to higher levels of efficiency. For example, consider the possibility that business unit heads are charged with maintaining day-to day compliance. This would necessitate working with the compliance officer to develop procedures, checklists and quality control testing. Simultaneously, the compliance officer would be asked to work directly with business heads to monitor and measure the level of risk within the business units. These roles may be non-traditional at a community bank, but they are essential to a “state of the art” compliance management system.
The 2005 paper by the Basal Committee on Bank Supervision entitled “Compliance and the compliance function in banks” discusses ten principles that comprise a comprehensive compliance management system. These ten principles can be loosely divided into four general areas:
Compliance-related responsibilities of the board of directors
- Compliance-related responsibilities of senior management
- Organizing and governing principles of the compliance function, including its independence, the adequacy and qualifications of its resources, its responsibilities for both guidance and monitoring, and its relationship with Internal Audit
- Other matters, including cross-border or jurisdictional questions and the appropriate use of outsourcing in carrying out compliance-related functions
The risk appetite of the bank should be a function of the size and depth of the CMS. As risk changes, so should the routines of the compliance group. To make this work, the business lines of the Bank have to be more involved in compliance while the CO has to be more involved in the risk profile. This may be initially uncomfortable, but in the end, it is the best way to get the biggest bang for the buck out of compliance.
We believe that embracing the philosophy of three lines of defense will allow community banks to gain greater engagement of overall staff in the compliance effort, which will help to attain greater efficiency and reduce the overall cost of compliance.
In part two, we will discuss some of the specifics of the three lines of defense for community banks.
James DeFrantz is a Partner in Atlanta-based financial services industry consulting firm Bank Solutions Group. [email protected]