3 Lines of Defence Duties and Compliance Reporting: How to Talk about Breaches and Gaps?

You heard it right - our Annual Compliance Reporting Workshop is coming up on February 27th 2025 and is already becoming a total HIT!

One important question just came in: "Will you cover what to do and how to report instances where we know we are not compliant or did not do what we planned to do"?

I would like to highlight why Compliance Reporting should never be weaponized or used by compliance to score any "wins" against the management.

What is really sad and devastating for the FinTech industry is to see how some creators of outdated guidelines and narrow-thinking, extremely conservative professionals use the recent fallouts of Credit Suisse, Railsbank, Silvergate, SVB and other incidents to argue that these incidents could have been prevented by more reporting and additional disclosures.

Compliance reporting is NOT a hedging strategy and it is NOT an insurance policy. Compliance reporting, in my opinion, should never be used for any of the following:

  • Trying to make Boards fearful and suspicious of possible internal and external audits discoveries, which makes audit scoping and calibration completely dysfunctional.
  • Hijacking audit processes to make audit findings look scarier, riskier and more serious than they really are to secure additional resources, budgets and headcount for compliance or risk functions.
  • Claiming that “the business and its first line of defense must own their risks”.

All of the above leads to complete erosion of trust in the company, makes it impossible to take reasonable risks and slows down innovation.

In a way, these ill-intended strategies are a total abuse and misuse of the 3 Lines of Defense concept.

Most FinTech founders and the majority of non-banking professionals have never heard of the 3 Lines of Defense principles, but once they start hearing about it, their first (and lasting) reaction is that it's one of the most useless theoretical constructs ever designed in the ivory tower by people who have never run a company (which may or may not be the case, but this is entirely beside the point).

3 Lines of Defense

Now let’s break it down and see what this concept is really all about.

Essentially, 3 lines of defense is a risk management concept that was formalized and brought into many national legislations in Europe after the financial crisis of 2008-2010.

The ultimate goal of the policy-makers was to clarify the decision-making responsibilities in the banking sector with respect to risks and risk acceptance. To put it simply, the concept suggests that there are 3 levels where organizations make decisions about risks.

  • The first level (1st line) covers decisions made by people doing their jobs: engineers writing code, customer support agents resolving customer tickets, marketing managers writing marketing campaigns, sales managers negotiating with clients. These actors must be capable and empowered to do their jobs, but they also need to know where and how they need to involve other teams or get additional approvals. Actually, many tasks of the 1st line can be automated and performed by various tools and technology.
  • The 2nd line of defense is essentially a layer where organizational frameworks, policies and rules are created and enforced. For example, sales people would have rate cards stipulating how they can negotiate prices or grant discounts. Customer onboarding agents have guidelines on which countries they can accept customers from and which documents they need to request and review. Engineers would have a process around code reviews, testing and quality assurance controls before the code is deployed into production. The procurement team must know when they need approval from finance to spend money or make purchasing commitments. Those guidelines and frameworks should normally provide clarity, speed up processes, and eliminate the need to ask for permission on a case-by-case basis.
  • The 3rd line of defense is supposed to provide assurance that teams and departments are actually doing what they are supposed to be doing, and to offer objective and independent feedback to the company, management and the teams on where they have weaknesses or inefficiencies, but also where they are being too slow, too costly or not competitive.

This is unfortunately not what happens on the ground in many cases.

The concept of 3 Lines (when misinterpreted and abused) has induced more organizational conflicts, delayed more decisions and triggered the creation of more redundant jobs and needless tasks than potentially any other financial regulation on this planet.

Why?

Because many representatives of the 2nd line of defence (sometimes without even realizing it) interpreted the concept of the 3 lines of defense as permission not to make any decisions and instead to push all the risk acceptance and uncertainties either down (to the individual functions) or up (to the auditors, senior management or boards).

When you face a compliance reporting "problem" because of missing processes, tools or commitments that you did not fulfil, it is highly likely that you first created or adopted an unrealistic plan or an unrealistic policy that you were not able to follow.

Very often you adopted it because your compliance and legal team suggested that it would be better to create a policy that reflects an "ideal" compliance situation and then, if it is not followed, to document the deficiency.

The compliance team may have felt that having a "perfect situation" policy protects them and protects the company; however, this is a very common misconception that creates a lot of externalities, complicates the reporting and actually creates regulatory vulnerabilities that may not otherwise exist. To address this very common issue, I will cover specific scenarios on how to document gaps, deficiencies and exceptions (and also how to avoid them) during the workshop.

FULL AGENDA:

  • Annual MLRO reporting, key reportable AML metrics to help you prepare for AML audits;
  • Annual Risk Assessment (template included) and Risk Acceptance Framework
  • Execution of the Compliance Plan (template included)
  • Effectiveness of the Internal Controls Framework
  • Reporting incidents and special events (Covid, Brexit, FTX, security incidents ...)
  • Reporting gaps, deficiencies and exceptions.
  • 3-step decision tree methodology guiding you on how to decide whether to include or exclude an item and what the appropriate level of detail should be.

INCLUDED TEMPLATES:

  • Annual MLRO Report Sample
  • Annual Enterprise Risk Assessment Template
  • Annual Compliance Plan Execution Template language
  • Compliance Assurance Framework Sample
  • Annual Audit Plan sample
  • Internal Controls Report and sample disclosures on the Effectiveness of the Internal Controls
  • Risk Appetite Framework
  • Sample Disclosures for incidents and adverse events reporting

When and how: the next live session will take place on February 27th 2025 at 2pm CET over Zoom, and later the recordings will be available on demand.

Sign up TODAY!
