The assessment of three lines of defence (3LOD) models is a staple scope area in s166 Skilled Person reviews focussing on financial crime. There are common pitfalls across all three lines, and each one presents it's own challenges for optimising the management of financial crime risk. The first line can be extremely busy and requires focus on accurate operational delivery, bringing specific challenges for detecting and preventing financial crime. Even in this fast-paced environment, there are strategies that can help keep it under control and satisfy regulators' expectations.
The first line is where financial-crime risk is owned and managed and usually refers to an organisation’s business units. Activities relating to controls' implementation and controls-effectiveness testing should take place in the first line on behalf of the business unit head. This is distinct from monitoring, advisory, and assurance activities performed by the second line, and third line independent audit.
First line functions are often customer-facing and carry out many large scale, high-volume operational processes. Key controls for managing financial crime risks are carried out by the first line, including sanctions and politically exposed person (PEP) screening, customer risk assessment, customer-identification and verification, and customer due diligence. As key controls, you can expect the FCA to assess all of these during a visit, including through review of sample customer files. It's therefore crucial that first line teams design and implement these controls effectively to protect the firm from exposure to financial crime risk.
On any visit, the FCA will look at whether there's clear and appropriate ownership of financial crime risks. Where risk ownership is misunderstood at any level, it's unlikely to be effectively managed. When staff receive mixed messages on what they're responsible for, decision making is often sluggish and poorly informed about risk, and governance can be compromised. When it comes to key financial-crime control processes, a lack of effective governance can mean major control weaknesses go undetected for prolonged periods, putting the firm at risk.
To protect against this, firms should ensure they've clearly documented financial crime roles and responsibilities that are well understood at all levels across the organisation. Risk ownership must sit in the first line within the business where the risk is created, along with responsibility for the related controls. What is documented in senior management role profiles and RACI-type matrices, must also be evident in practice and flow through first line procedures, control testing, sponsorship of change initiatives, reporting lines, first line committee packs, and day-to-day communications across the firm.
Many firms encounter recurring quality issues in complex financial crime processes, such as customer due diligence (CDD) and ongoing due diligence (ODD) reviews. These require a holistic risk-evaluation which staff coming from a prescriptive rules-based operational background can find challenging. The required judgement skills, and the confidence to use them, can take several months to sufficiently develop to achieve acceptable quality outputs, and staff attrition in operational teams means a fairly steady flow of staff working towards competency.
Firms aren’t expected to get every case right first time, every time, particularly for the more complex evaluative processes. However, firms are expected to show that quality is being proactively managed through a competency framework, clear and consistent procedures, robust quality-control processes with effective feedback loops, and appropriate oversight by senior management. Given that quality issues are often resource and time intensive to address with increased QC coverage and more time spent on re-work until quality targets are met, firms are likely to need to keep resourcing levels under close review to avoid causing or exacerbating backlogs. This is particularly important in time-sensitive processes such as CDD for new customers and periodic ODD reviews.
With alert and case volumes that can vary significantly from day to day and week to week, resourcing and throughput are a key concern for first line senior management. When it comes to a regulator visit, firms must demonstrate how they balance alert and case volumes in first line teams against resource levels, including how they respond and effectively manage sudden volume spikes (such as screening or transaction monitoring alerts), while maintaining quality.
Firms will need to ensure their documented approach to monitoring the resource capacity of financial crime operational teams is rigorous and detailed. An experienced operational manager can make all the difference to successfully achieving a flexible resource model that allows additional skilled resources to be leveraged when needed. Test environments should also be utilised to impact assess planned system or rule changes and predict spikes in volume where possible. Some spikes will always be unavoidable, such as when sanctions lists are updated.
Where backlogs exist, it's important to have a structured plan to address these on a risk sensitive basis, and ‘turn the tap off’ to stop backlogs from continuing to grow as early as possible. These should include resource planning, throughput targets and risk-based quality control and assurance processes, and should be monitored through appropriate financial crime governance forums. A robust and realistic plan to address a backlog can demonstrate to the FCA that associated financial crime risks have been considered and are being appropriately managed.
Small and medium-sized firms in particular, can find their specialist financial crime expertise is concentrated in second-line teams, and they may lack appropriate technical knowledge in the first line to adequately complete more complex financial-crime processes, particularly risk-based initial and ongoing due diligence. This can also contribute to a culture where second line are, in practice at least, seen to own financial crime risk instead of the business.
To counter this, firms need to invest in tailored, role-specific training for first line teams. The adoption of a formal competency programme can help to manage and monitor ongoing quality in operational teams, even where there are relatively high levels of attrition. Recruiting sufficient expertise in core financial crime processes, such as screening and CDD, into the first line at team-manager level can really help to drive up quality and competency from within, through direct knowledge transfer and coaching. Board and executive level training and education can also be a valuable tool for money-laundering reporting officers (MLROs) who are trying to increase understanding of, and engagement with, financial crime risks by first line senior management.