The Shield & the Sword: How the Three Lines of Defense Allow You to Avoid the Pain of Self-Reporting

Posted on September 20, 2023

by Becky Breland, J.D., Principal Consultant, Regulatory Advisory Services

Sometimes it is better to use your shield before falling on your sword. A large regional bank in the Southeast recently learned that lesson. The Federal Reserve Board imposed a staggering fine of approximately $2.95 million for unsafe and unsound practices in the bank’s flood insurance compliance program and for flood insurance regulatory violations. The bank agreed to the fine, without admitting or denying the allegations, on August 14, 2023. This is even though the bank self-reported the violations with respect to not effectively monitoring a significant number of home equity loans and home equity lines of credit. According to a spokesman for the bank, “We took corrective action and remediated the issue by 2017. There was no customer impact as the matter was confined to our own internal monitoring of flood insurance policies on certain properties.”


Is Self-Reporting Still Beneficial in 2023?

Sometimes, we have to fall on our sword. Regulatory Advisory Services has long advocated that, when financial institutions identify regulatory violations during their monitoring processes, they self-report to their primary regulator that the violations were discovered and that, as applicable, corrective measures were undertaken to remedy those violations and prevent future violations from occurring. Self-reporting has been viewed favorably by the regulatory agencies. This recent consent order may, however, leave financial institutions questioning whether it is advisable to self-report.

Rather than focus on the potential negatives of self-reporting, view this latest flood enforcement activity as an early warning indicator that financial institutions should ensure they have an effective compliance management program from the start. Financial institutions should ensure that their compliance management programs are designed to manage compliance risks, work effectively, prevent violations that can be identified through monitoring from occurring, and have the flexibility to accommodate new products, services, vendors, and identified risks.

“Effectively monitoring” are the keywords contained in the consent order. The Federal Reserve Board stated that, in connection with the bank’s pattern or practice of violations of Regulation H, which requires civil money penalties, over more than one year, as a result of changes in loan servicing platforms and third-party service providers, the bank did not effectively monitor a significant number of home equity loans and home equity lines of credit for flood compliance. What constitutes effective monitoring? How can other financial institutions avoid similar findings of ineffective monitoring? The answer may be as simple as looking at the three lines of defense for any weaknesses.

The Three Lines of Defense Model

Before you decide to fall on your sword, make sure you put up a strong shield. The three lines of defense model provides structure around compliance management and internal controls by the financial institution.

The first line of defense is the front line or business unit that performs the daily operational activities.

The second line of defense is often executed by risk, compliance and/or legal business functions. This second line group is responsible for establishing policies and procedures as well as providing oversight of the first line.

The third line should be independent of the first two lines and often consists of internal audit and external auditors or consultants. The third line looks to see whether the first two lines of defense are doing what they should be doing and, with respect to regulatory compliance, effectively monitors the process to ensure no violations occur. If the third line of defense finds regulatory violations, then there are breakdowns in the prior two lines that should be addressed.

Capco’s Community Banking Practice is often called upon to assist financial institutions not only with their day-to-day compliance requirements but also with the third line of defense to ensure regulatory compliance. Now is the time to look at the financial institution’s compliance monitoring reviews and internal/external audit schedule.


Questions to Assess Your Risk Level

• Have risk assessments been performed to determine identified levels of risk?

• Does the institution have front line and second line processes in place to capture any compliance deficiencies or weaknesses?

• Are the first- and second-line processes and procedures updated, as needed, for new products or services, changes in vendors, or changes in third-party processors?

• Does the institution have processes in place to escalate any findings to the appropriate persons for remediation?

• Does the financial institution perform independent monitoring and reviews to validate the first- and second-line compliance processes?

• Does the financial institution remedy any violations and, as applicable, modify existing policies, procedures, and processes?

How We Can Help

Capco’s Community Banking Practice is here to assist financial institutions with their compliance management programs and day-to-day compliance activities. Capco’s Consultant Practice can be engaged for scalability in areas in which subject matter expertise may be needed. Capco Academy can develop custom compliance training to assist financial institutions in training in areas that indicate weaknesses or on new processes. For more information, contact us.
