
Three Lines of Defence: A Chief Compliance Officers' Dinner Debate

Following the FT report that a major UK bank's board has declared that the bank still has more work to do to improve its controls and compliance, we rejoin Richard Pike, CEO of Governor Software, as he relays the salient points from a Chief Compliance Officer Round Table Dinner Debate he took part in earlier this year.


Dinner Debate: 3 Lines of Defence for Mains

I recently hosted a roundtable dinner attended by a diverse range of chief compliance officers and, as you might imagine, the discussion centred on compliance, data governance and the shake-up that is ongoing in the field. While the dinner was held under the Chatham House Rule, I wanted to share some of the themes that were discussed and reflect on the wide-ranging conversation we had. Following my blog on compliance oversight, this week I’ll be looking at the three lines of defence and how compliance officers fit in.


As dinner continued, the discussion of numerous ongoing regulatory projects such as GDPR, PSD2 and SMCR and their impacts led to a conversation about defence. One senior banker raised the three lines of defence that financial institutions should employ and how the model is changing. Put simply, these three lines are the business; the risk and compliance officers; and finally the internal audit team. A considered and detailed oversight regime should ensure that nothing slips through all three lines, since a failure at every line could expose the company to substantial fines or even imprisonment.


Everyone is responsible for overall compliance, but it became apparent that some banks have not been placing reliance on the first line, with many opting to place more emphasis on the second line. This is changing now, with increasing numbers of banks enhancing first-line assurance functions. In turn, this is refocusing compliance departments on the tasks of regulatory guidance, regulator relationships and compliance assurance. Regarding assurance, there are a number of emerging models of which team gives which assurance. Internal audit is under a lot of pressure from regulators to carry out assurance activities on their behalf. Businesses are also finding that they are subject to multiple control reviews from teams in each line of defence. It was agreed that, whichever control assurance model is employed, it is key to ensure that each line has a very clear set of responsibilities so that all compliance obligations are met.


We continued to discuss the broad topic of responsibility, moving on to the role of the Senior Managers and Certification Regime and the capabilities and training of all staff. One benefit of the regime seen by compliance teams is that business owners are now focused on the functions they are responsible for, and there are fewer ‘grey’ areas where responsibility isn’t clear. The importance of understanding individual roles has increased dramatically, as has the requirement for stronger and more rigorous training.


A number of senior figures raised the issue of people risk that can occur in large banks that employ tens of thousands of staff and operate on a global level. Banks face a mammoth task in internally communicating the importance of compliance obligations across numerous teams and countries, and even more so across language and cultural barriers. Further, this is not simply a one-off task, but one that will need constant repeating as staff churn.


Banks ensuring that their staff are ready for change sounds like common sense and good practice, but it is evident that senior industry figures believe this is still not the case. Clear accountability from every member of staff, coupled with innovative regtech solutions, will form the best line of defence for compliance officers in ever-changing regulatory environments.


Want to learn more? Download the Governor Software Guide to Compliance Oversight here.