
Are you getting enough good quality compliance information?

November 10, 2020


As a senior manager, were you ever surprised upon receiving a regulatory report which identified several weaknesses? If your answer is yes, then you are missing something in your governance regime.


I can recall, over many years as an internal auditor and more recently as a regulator, asking “are you surprised?” when presenting an examination report. The best answer would have been that senior management was already aware that there were control weaknesses. My expectation as an examiner was that any issues should already have been identified and that corrective work had begun. Sadly, this was rarely the case.


In this article I shall explain how the senior manager can be aware of the shortcomings and, of equal importance, be on the way to achieving sustainable correction. I say sustainable because it is one thing, for example, to obtain a missing passport or to ask for deeper details of the purpose of a transaction, but what matters more is to have a control environment which provides a timely warning. On paper the solution is quite simple, but it is not always easy to implement. The solution is a governance framework known as the Three Lines of Defence (3LD).


What do I mean by the 3LD? A Google search will reveal 49 million “hits.” We can read of the history of the 3LD model, which came into being in the 1990s following the numerous corporate failures of that time. We can also read of the adoption of the 3LD by the Basel Committee on Banking Supervision and the Institute of Internal Auditors, so much so that it has for many years been an accepted component of risk management.


In brief, the 3LD comprises:

• The first line of defence is performed by staff implementing the operational processes and controls mandated by senior management.
• The second line of defence, commonly referred to collectively as “compliance,” adopts an oversight regime with a degree of independence through its reporting line to senior management. The second line is not involved in the day-to-day activity of the business.
• The third line of defence is undertaken by internal audit, which is mandated as wholly independent and reports directly to the highest level of the organisation.

The purpose of this article is not to describe the 3LD in detail but to explain the challenges and difficulties of implementation faced by those financial businesses with a small number of staff. The merits of a strong 3LD framework adopted by larger organisations are clear to see. However, in financial businesses with a small headcount, the limited ability to implement the framework considerably reduces the efficacy of the control environment.

The first line of defence sits naturally with the frontline staff, who are armed with adequate training, documented policies and procedures, checklists etc., with supervisors exercising the approval process within allocated levels of authority.

It is the second and third lines of the structure which deviate from the preferred framework.

The second line of defence, most likely to be the compliance function, becomes muddled in practice by undertaking a hybrid role which straddles the first and second lines.


In small businesses, resourcing the compliance function tends to take one of two forms:

i) The truly independent compliance officer, who is not involved in the day-to-day gathering of due diligence or the monitoring of client activity. This arrangement comes closest to the “standard” second line of defence and provides an oversight function without any conflict of interest.

ii) Alternatively, the compliance officer operates as a “centre of excellence.” The motive is that in a small firm one person is regarded as the expert in AML matters, and quite naturally senior management look to that person to perform both complete and accurate due diligence and client activity monitoring.


Despite the clear logic of having a centre of excellence in a small firm, this second option leads me, as an examiner, to raise a further question: “how do you know the compliance officer is doing the right things?” Without a designated and independent compliance officer the answer to such a question is difficult, as in fact there is no second line of defence undertaking an oversight role.

The position is further exacerbated because many small firms, owing to cost constraints, are most unlikely to have a third line of defence in the form of internal audit.


The result is that senior management will almost certainly be caught in a surprise situation whenever an outside review such as a regulatory visit is performed.


What can be done about this situation? The most obvious answer is that senior management must recognise the absence of independent assurance.


The more lasting solution lies in the engagement of an independent reviewer on a short-term contract basis, who can double up by providing both a second and a third line of defence.


In covering the second and third lines of defence, the approach must be allied to risk. I suggest:

• A shorter quarterly review with the focus on the high-risk areas identified in the business-level money laundering and terrorist financing risk assessment. The scope would be expected to include client onboarding and ongoing monitoring as critical areas. Areas which have breached risk tolerance metrics should also be included, and the review must take account of the root cause of each breach.
• A deeper dive on an annual basis to validate the assumptions and risk criteria which formed the basis of the business risk assessment. The control assessment should be validated against current circumstances. The resultant updated residual risk assessment of the business should be monitored to identify any major deterioration or declining trends.

Concerns revealed in the deep-dive review should inform the scope of the quarterly reviews going forward.

By providing a hybrid second and third line of defence as described above, senior management will go a long way towards being fully informed on the quality of the work undertaken by the first line of defence.


In summary, senior management should ask themselves:

• Do I receive good quality compliance information?
• Am I being informed of the standards of compliance on which I can rely?
• Am I made aware of changes in the risk profile of the business in a timely manner?


If the business model does not enable such information to reach you as senior management, then one day you will be surprised! Hopefully, this will not be coupled with a regulatory fine or damage to the reputation of your business following abuse by criminals.


Paul Coleman
Owner and Director
Coleman on Compliance Ltd
10th June 2020