Three lines of defence for financial crime

Alison Kopra

The FCA is consistently identifying weaknesses in firms' three lines of defence models for financial crime risk. Alison Kopra and Tom Townson explain the common pitfalls facing firms establishing their overarching frameworks, and how you can avoid them. 

The three lines of defence (3LOD) has become a staple scope area during FCA visits and subsequent s166 skilled person reviews. It even featured as a common failing in last year’s Dear CEO letter to retail banks. Nevertheless, there are steps you can take to meet regulatory expectations.

Under the Senior Managers and Certification Regime (SMCR), the responsibility for countering the risk that a firm is used for furthering financial crime sits with all senior management. Yes, there are specific responsibilities for the Money Laundering Reporting Officer (MLRO)/SMF17/prescribed responsibility D, but these do not transfer all financial crime risk ownership to those roles. The FCA is very clear that senior management function (SMF) holders within the business have shared responsibility.

Regulators expect that a firm’s senior management are actively engaged in financial crime risk decision-making. This extends beyond policy approval and receipt of the annual MLRO report, and includes the assessment and approval/rejection of high risk customers, financial crime-related exit/maintain decisions, and determining whether or not risks relating to high risk customers can be effectively mitigated (such as through enhanced monitoring).

Unengaged senior managers

Despite the senior manager responsibilities alluded to above, in practice, these are not always wholly embraced or accepted. In some cases, senior management can display limited understanding, or even reluctance, when it comes to their ownership of financial crime risks. Greater priority is given to senior managers' first-line sales and operational responsibilities rather than to anything financial crime related.

Instead, financial crime matters are viewed as the responsibility of the MLRO alone. This perceived (and sometimes actual) lack of ownership at the top can filter down so that staff throughout the first line are not adequately aware of financial crime risks within the firm, impacting their ability to identify and report suspicious activity.

In contrast, a properly informed and engaged first line senior management will lead the dialogue around customer acceptance (and refusal) on financial crime risk grounds and the approval of higher risk customers. They will proactively debate risk mitigation measures and readily identify those customers where the risk cannot be mitigated to within clear appetite levels. They will promote financial crime risk management as an integral part of their business area, consulting collaboratively with the MLRO but always retaining ownership of the financial crime risks in their part of the business.

A useful first step towards improving engagement can be the formal documentation of financial crime roles and responsibilities, such as the development of a financial crime 'responsible, accountable, consulted and informed' (RACI) matrix, which is subject to board approval.

This should provide clarity around the ownership of financial crime risk and help initiate dialogue among senior management in firms which have not previously had appropriate first line ownership. The RACI should be produced collaboratively, regularly updated, and be well communicated and understood across the firm.

Ownership of key controls in the first line should then be aligned with the documented roles and responsibilities. Having controls, such as approval of non-high risk customers, and CDD owned at a senior level in the first line can significantly help in making sure processes work as intended, and increase awareness and understanding of financial crime risks by staff throughout the business.

Unclear responsibilities

The lack of first line ownership can have far-reaching consequences. A commonly occurring issue is an ever-expanding second line, which can arise when second line teams step in to fill the first line vacuum and take on typically first line activities such as due diligence, alert management and customer risk assessment.

MLROs can find themselves sponsoring financial crime change and remediation activities which should rightly be owned by the first line, because otherwise the change or improvement wouldn’t happen at all.

Over time, this expansive second line further reinforces the lack of risk ownership in the first line and it becomes a difficult cycle to break. This also has the unintended consequence of reducing the level of protection that the board and investors might expect from a fully-functioning three lines of defence model. 

A helpful preventative or corrective measure is to ensure governance arrangements of key financial crime controls are carefully designed to align ownership of financial crime risks within the first line. For example, where a committee reviews and approves politically-exposed persons (PEPs) and other high-risk customers (such as a take-on panel or onboarding and exit forum), this should be chaired by senior management from the business, with the MLRO required for quorum and voting rights structured to ensure all perspectives are appropriately considered.

Remediation activity should similarly be sponsored from within the first line, with relevant attendance at steering groups by second and third lines. In this way day-to-day activities reinforce the 3LOD model, and the increased engagement improves understanding and awareness of financial crime risks within the first line.

Insufficient financial crime expertise across all three lines

Financial crime risk generally requires specialist skills and expertise, particularly relating to core AML, sanctions and ABC controls, such as customer risk assessment, initial and ongoing CDD, screening and monitoring processes. These are typically found in the second line where there are dedicated financial crime and/or compliance personnel, as well as the MLRO.

Large firms will also have expertise within first line teams where operational processes such as screening and due diligence take place, but this is not always the case at smaller or less mature firms, and expertise can become overly concentrated in the second line. This situation is exacerbated by the constraints in the recruitment market with firms often finding it a struggle to identify and recruit sufficient numbers of suitably capable financial crime SMEs. 

Where there is insufficient financial crime expertise in the first line then the second line may end up carrying out first line activities such as due diligence and onboarding, or there may be over-reliance by business units on ‘advice’ from second line teams which in practice becomes second line decision making on individual cases over which they are supposed to provide oversight. This not only diminishes the second line’s ability to provide independent oversight and monitoring, but it can also reinforce a lack of risk ownership by the first line.

Where there is insufficient financial crime expertise in the third line, then an appropriate internal audit outsourcing or co-sourcing arrangement will be required. However, there still needs to be sufficient understanding of the financial crime risk profile of the firm outside of the MLRO and second line to adequately plan and scope financial crime related audits.

Financial crime capabilities need to be assessed across all three lines of defence, and regularly kept under review. Whatever the size of firm, there must be sufficient awareness and understanding of financial crime risks and key control processes in the first and third lines to make the 3LOD model effective while maintaining proportionality. Second line teams must take care to assess, document and manage any conflicts of interest arising from the allocation of operational first line tasks to second line teams, such as through separate reporting lines.

Organisational change

'The only constant in life is change' applies to many firms as new products/services, technological changes, internal restructures, and changing senior management can all impact a firm’s 3LOD model. There is no ‘one size fits all’ and each firm will need a 3LOD model that is tailored and specific to their organisation in order to be effective. It must also evolve to meet the needs of a dynamically changing business.

However, updates to a 3LOD model, or any significant element of it, should be well considered and thoroughly planned. While it can be tempting to think you ‘just’ need to move this team or that process and guesstimate there won’t be a material impact, too often this causes larger problems in the long run resulting in a disjointed, inefficient and ultimately ineffective 3LOD.  

Whenever adjustments to the 3LOD model are required, it's important to clearly articulate the desired target model and the steps required to achieve it. A thorough impact assessment of each change should be carried out to ensure skilled resources are in the right place prior to changes being implemented. Gradual controlled change is far more likely to achieve a robust and effective 3LOD model without causing unintended consequences or unforeseen risks to materialise.

If you would like to talk to someone about improving your 3LOD model for managing financial crime risk or are preparing for an FCA or skilled person visit, get in touch with Alison Kopra or Tom Townson.
