Chart: The Three Lines of Defense

First line of defense:
The business and operations units own and manage compliance risks and controls through policies, procedures, and monitoring processes within the daily operations. In larger banks, this may also include first line of defense compliance teams. The first line works collaboratively with the second line to address improvements required to enhance controls and mitigate compliance risks. The first line reports to senior management.

Second line of defense:
Compliance and Legal teams support the first line by providing advice, expertise, process improvements, and a second level of monitoring of business line and operations unit activities. The second line is an oversight function operating under the direction of senior management. In many organizations, the second line reports to either the risk or legal departments and the audit committee and/or risk committee of the board.

Third line of defense:
The Internal Audit function is separate and independent of the first and second lines of defense. It provides assurance to both senior management and the Board of Directors around compliance and other activities. Internal audit should primarily report to the audit committee of the Board and administratively to the CEO.

Small and large financial institutions alike must continue to evolve their compliance teams to set the culture of compliance throughout the organization, resulting in a more effective CMS.
The Three Lines of Defense
For the compliance team to be effective, it must lay out the plans
for the three lines of defense: first (business lines and compliance), second (risk and compliance), and third (internal audit).
Defining these roles and responsibilities is a critical first step,
and it is often led by the corporate compliance group
or the Chief Compliance Officer (CCO) in conjunction with
his/her colleagues in the business lines, support functions, and
internal audit. The chart above provides an illustration of how
the lines of defense are generally structured.
Because the entire institution has an obligation to manage
compliance activities effectively, defining who is responsible,
accountable, consulted, and informed of these activities is the
cornerstone to a successful CMS. While the defense lines may be
blurry within a smaller institution, clarity of responsibility is still important. Depending on an institution’s
business objectives and strategy, it may choose to assign
certain first line responsibilities to the second line or
vice versa, and hire a qualified external firm to execute
the compliance internal audit activities.