Building Up the Three Lines of Defense in Your CMS

When it comes to compliance, there is a good reason for three lines of defense. They ensure that a bank’s lending compliance management system (CMS) is effectively guarding the bank against unnecessary risk.

The First Line of Defense: Employees

The first line of defense is the business. From the back office to the front line, employees must be trained on and be responsible for carrying out the bank’s compliance policies and procedures. Employees need to know their roles and responsibilities, follow risk and compliance processes, apply internal controls, and recognize risk.

Banks with a culture of compliance have the most effective first lines of defense. A good culture of compliance is defined by:

  • Leadership that visibly and proactively supports compliance efforts
  • Compliance function empowered with sufficient authority
  • Shared information and open communication
  • Adequate resources
  • Independent audits
  • Regular and transparent reporting

Where Does the First Line Fall Short?

The first line of defense is most likely to fail when there isn’t adequate training. Compliance training isn’t just a quick check-the-box activity—especially when it comes to areas where enforcement actions are most common, such as BSA, deceptive advertising practices, and fair lending.

Training must be robust to be effective. The bank needs to review audit results (see the Third Line of Defense) to uncover weaknesses in the first line and repeat and improve training as needed.

Why does training fall short? In many cases, there are mixed signals from the top. If management or the board says compliance training is necessary but does nothing to ensure employees have the time and resources they need to train effectively, training won't accomplish its goals. If management tells lenders to follow their compliance training (wink, wink, nudge, nudge) but really only cares about making as many loans as possible, or, worse, if management incentivizes lending staff to break the rules, the first line of defense will fail.

It goes back to that culture of compliance.

This also applies to vendors acting on behalf of the bank. If there isn’t sufficient vendor management and oversight to ensure a culture of compliance, a non-compliant third-party vendor can easily cause a fair lending or other compliance violation.

The Second Line of Defense: Compliance and Risk Management

The second line of defense is made up of the bank’s compliance and risk-related functions. These areas are responsible for creating and executing the policies, procedures, and systems that oversee and guide the first line of defense.

Risk management is responsible for assessing the risk of all business activities, including their lending compliance risk. If a business activity doesn't fall within the bank's risk tolerance, internal controls need to be added or adjusted, or the activity may need to be discontinued. For instance, many banks exited the mortgage market when increasingly complex mortgage regulations made the risk of doing business too high to be worth the potential reward.

This is where data is extremely valuable: it measures risk in a quantifiable way. For example, fair lending analytics can uncover potential fair lending compliance issues stemming from flawed policies or procedures, inconsistent waivers, or human error. Knowing that risk exists allows your bank to investigate its source and remediate it.

Risk management also identifies high-risk areas that require increased scrutiny in the form of testing and monitoring to ensure the first line is working as intended to comply with rules and regulations.

Compliance is responsible for identifying applicable laws and regulations, interpreting them, and then developing and enforcing policies and procedures to support them through the compliance management system. It should work hand-in-hand with risk management to ensure risk assessments are thorough and up-to-date.

In most banks, risk management and compliance are also responsible for fostering relations between the first and third lines of defense and for providing some reporting to the board and senior management.

While different banks will divvy up these responsibilities in different ways and to different areas, the bottom line is that risk management and compliance play an essential role in ensuring effective lending compliance.

The Third Line of Defense: Audit

The third line of defense is the external and internal auditors who independently evaluate lending compliance risks and controls. They are also responsible for reporting on risk to the board, senior management, and other stakeholders. A good audit program allows a bank one last chance to uncover internal flaws that are hindering lending compliance.

The third line of defense includes ensuring that findings are addressed promptly and consistently. Auditing provides no value if you don’t do anything with the information. Being able to visualize and remediate problems is an essential step in assuring that risks are appropriately mitigated and the organization is ready for external regulatory exams and reviews. It makes sure that a bank identifies and corrects problems itself, rather than waiting for an examiner to uncover an issue.

The third line should focus its efforts on the areas where risk exposure is the greatest. For instance, auditors may take an extra close look at HMDA data accuracy if regulatory agencies issue additional consent orders in that area.

Two Out of Three Is Bad

With apologies to Meat Loaf and his 1977 power ballad, having just two of the three lines of defense isn’t good.

If any one line of defense is weak, it creates risk for the other lines and for the bank. Three strong lines of defense support a compliance management system that proactively manages and mitigates compliance risk.

A bank must always be looking at the present and ahead when it comes to lending compliance. The three lines of defense make that possible.

Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts' mission to efficiently and effectively manage operational risk. During his legal career, Mr. Berman was involved in numerous regulatory, compliance, and contract management challenges and assisted in the development of information systems to better manage these efforts. Prior to founding Ncontracts, he was General Counsel for Goldleaf Financial Solutions, Tecniflex, Inc. and Imagic Corporation. Mr. Berman is a well-regarded speaker at financial institution conferences on risk management. He received his undergraduate degree from Cornell University and holds a J.D. degree from the University of Tennessee.