Skip to Content
Adult at computer in office
Article

Why community banks should embrace the “three lines of defense”

February 2, 2017 / 3 min read

Risk management isn’t a one-person job. Gear up your recruiting game, and get others in your organization to help strengthen your defensive line.

Two years ago, the Office of the Comptroller of the Currency (OCC) set guidelines establishing “heightened standards” for large financial institutions. The guidelines outline minimum standards for designing and implementing a risk governance framework, commonly called the “three lines of defense.” Both the Federal Reserve and the Consumer Financial Protection Bureau have issued similar directions.

[It’s] tempting to view this development as an unwelcome burden, a closer look shows that the three-lines-of-defense model offers substantial benefits for community banks.

Although the guidelines apply only to large institutions, many community banks are feeling a trickle-down effect, as regulators pressure them to adopt more robust risk management and compliance practices. While it’s tempting to view this development as an unwelcome burden, a closer look shows that the three-lines-of-defense model offers substantial benefits for community banks.

A brief overview

Football teams have long recognized the effectiveness of three lines of defense: the defensive line, the linebackers, and the secondary. The OCC’s framework employs a similar strategy to plug holes in a bank’s risk management systems. The three lines of defense for banks are:

Benefits of a team approach

It’s not unusual for community banks to employ a “one line of defense” approach to compliance. In other words, the entire responsibility for developing, implementing, and monitoring the bank’s compliance program rests on the shoulders of the compliance officer. Inevitably, that employee is stretched too thin, and compliance tasks fall through the cracks.

Getting business units involved in compliance can free up the compliance officer’s time, allowing him or her to focus on higher-level compliance activities. But even more importantly, a team approach can enhance communications; clarify roles, responsibilities, and accountability; and make your bank’s risk management efforts more effective and efficient.

All too often at community banks, compliance officers develop risk management systems and impose them on business units. But without an intimate understanding of a business unit’s activities, compliance officers are likely to design policies and procedures that are inefficient, redundant, or incompatible with existing processes. If that happens, there’s a good chance the business unit’s staff will complain about or disregard these policies and procedures, creating an adversarial relationship.

Suppose, for example, that a business unit is responsible for mortgage loans. These loans are subject to detailed regulations that govern the content and timing of disclosures to consumers. If a compliance officer mandates procedures for generating these disclosures that are too onerous or time-consuming, it’s likely that the staff will take shortcuts that increase the bank’s risk exposure.

A better approach is for the business unit’s staff — typically in the best position to design and implement procedures that are both efficient and effective — to assume responsibility for these tasks and seek the compliance officer’s input. For example, perhaps there’s a way to automate the generation of certain disclosures using the business unit’s existing systems.

Shoring up your defenses

Moving to a three-lines-of-defense model can be challenging for community banks. It requires careful planning to coordinate the parties’ responsibilities without redundancies and inefficiencies. But many banks will find that this approach significantly improves their risk governance and provides greater assurances to regulators.

Related Thinking

View of columns of a government capital building.
November 17, 2020

2020 Financial Institutions Symposium: Available on demand

Webinar 2 hour watch
View of columns of a government capital building.
November 19, 2020

Credit risk management during the COVID-19 pandemic

Webinar 1 hour watch
Group of multidisciplinary business professionals meeting to discuss year-end planning.
November 14, 2024

2024 Year-End Webinar Series

Webinar 8 hour watch Upcoming