How the Traditional Three Lines of Defense Turn into the Three Lines of Governance Torture

Published by Yana on

What is really sad and devastating for the FinTech industry is to see how old-fashioned and narrow-thinking compliance professionals slowly kill their companies by doing [many or all of] the following:

  • They try to make their management and Boards fearful and suspicious of internal and external audits, which makes audit scoping and calibration completely dysfunctional.
  • They hijack audit processes to make findings look scarier, riskier, and more serious than they really are, in order to extract additional resources, budget, and headcount for their functions.
  • They refuse to collaborate with other departments and functions within their organization by claiming that “the business and its first line of defense must own their risks”.
  • All of the above leads to a complete erosion of trust within the company, which makes it impossible to take reasonable risks and slows down innovation.

I would call it a slow death by the Three Lines of Defense.

Most FinTech founders and the majority of non-banking professionals have never heard of the Three Lines of Defense principles, but once they start hearing about it, their first (and lasting) reaction is that it’s one of the most useless theoretical constructs ever designed somewhere in the ivory tower by people who have never run a company (which may or may not be the case, but this is entirely beside the point).

Now – let’s break it down and see what this concept is really all about.

Essentially, the Three Lines of Defense is a risk management concept that was formalized and written into national legislation across Europe after the financial crisis of 2008-2010. The ultimate goal of the regulators was to clarify decision-making responsibilities in the banking sector with respect to risks and risk acceptance. To put it simply, the concept suggests that there are three levels at which organizations make decisions about risk.

The first level (1st line) covers decisions made by people doing their jobs: engineers writing code, customer support agents resolving customer tickets, marketing managers writing marketing campaigns, sales managers negotiating with clients. These actors must be capable and empowered to do their jobs, but they also need to know where and how they need to involve other teams or get additional approvals. Today, much of the 1st line’s role (and in some cases the 2nd line’s as well) can be automated and enforced through technology.

The 2nd line of defense is essentially the layer where organizational frameworks, policies, and rules are created and enforced. For example, salespeople would have rate cards defining how they can negotiate prices or grant discounts. Customer onboarding agents must have guidelines on which countries they can accept customers from and which documents they need to request and review. Engineers would have a process around code reviews, testing, and quality assurance controls before code is deployed to production. The procurement team must know when they need finance’s approval to spend money or make purchasing commitments. Those guidelines and frameworks should provide clarity, speed up processes, and eliminate the need to ask for permission on a case-by-case basis.

The 3rd line of defense is supposed to provide assurance that teams and departments are actually doing what they are supposed to be doing, and to offer objective and independent feedback to the company, management, and the teams on where they have weaknesses or inefficiencies, but also where they are too slow, too costly, or not competitive.

This is unfortunately not what happens on the ground in many cases.

The concept of the Three Lines (when misinterpreted and abused) has caused more organizational conflict, delayed more decisions, and created more redundant jobs and needless tasks than possibly any other financial regulation on this planet.

Any FinTech company needs to have the right people in its compliance kitchen. Yes, it’s hard to get good people into any function, including compliance, but the most common mistake I see founders make is to hire compliance people purely for their experience, credibility, or résumé, while ignoring attitude, personality, and the ability to communicate clearly and without legalese. A lot of founders feel their compliance function will be in good hands if they hire ex-regulators or professionals with a long history at large companies or big consultancy firms.

  • Ex-regulators should know how to satisfy their former colleagues’ expectations, or what they themselves would approve of; however, they rarely understand the impact of their recommendations on customers or user experience, and they rarely understand the technology. This means their recommendations will be disconnected from UX and technical impact.
  • Experts from large organizations can bring structure and streamline processes, but they often have a very siloed mentality: they are used to a very narrow and specific division of labor and to having a lot of resources.
  • At the opposite end of the spectrum, junior employees expect to work with smart people and assume that this means never having to do any boring, rudimentary tasks; they read “creative culture” in the job description and expect all their ideas to be implemented next month at the latest; they read “open communication” and believe it means “I can criticize my inexperienced founders all the time, because they don’t really know what they are doing, and I am justified in feeling hurt and upset every time I receive constructive feedback”; furthermore, they think they know and understand everything, and if they don’t, it’s their manager’s fault, because the company’s main objective is to develop, encourage, motivate, and nurture its junior employees.

I know – it’s an exaggeration. But on a serious note, I have never seen a FinTech project fail or be shut down because of compliance (yes, you can get into compliance trouble and overspend there, but it’s rarely terminal). The root causes of company failure are mostly product/market fit, running out of money, wrong partners, or bad leadership; yet founders treat compliance as if it were something evil and terrible. That is another main reason why you should not hire compliance people who cannot sell you on why their function is fantastic: if they don’t love it, enjoy it, and know how to play with it, there is no way they can convince others that your compliance function is brilliant.

It all comes down to the right skills and appropriate incentives when you are hiring for and managing the compliance function.

Which is why I have designed and put together a workshop for FinTech founders, CEOs, MLROs, Heads of Compliance, CCOs, and other FinTech professionals who are in the process of building and expanding compliance teams and are (likely) suffering from organizational conflicts related to compliance responsibilities and division of labor.

It’s about time we all FINALLY UNDERSTAND and re-define what compliance is accountable for, how to create the right incentives to make compliance efficient, what the optimal division of labor between the various teams is, and how to reduce the time and energy spent on internal disputes.

When: January 19th and January 20th, 2021 at 12.00 pm CET.

Day 1: Who to hire and when is the right time.

  • When to hire your first compliance employee?
  • When and how do you build a compliance team? How to implement the Three Lines of Defense in a modern and efficient way?
  • The difference between compliance and legal
  • Pros and cons of using external consultants and the Big 4 for projects
  • Hiring interns and part-time freelancers for compliance-related activities
  • What to do during your first 30 days in any new compliance role – your compliance onboarding plan
  • How much it should cost

Day 2: Evaluating Compliance Deliverables and Managing Organizational Conflicts

What compliance should deliver and be responsible for as a part of the following activities:

  • FinTech licensing
  • Relationships with regulators and auditors
  • Opening bank accounts and closing partnerships
  • Product development and testing
  • Customer support
  • Conflicts, disputes, complaints

Typical organizational conflicts and how to deal with them:

  • Compliance vs Product and Engineering
  • Scrutinizing and approving customers: Compliance vs Customer Support and User Experience
  • Compliance vs Marketing
  • Compliance vs Business Development and Sales

So, if you’d like to learn how to avoid the most common organizational slowdowns and conflicts, and to act with clarity when it comes to hiring and managing compliance resources, join this workshop on January 19-20th, 2021.
