The way each major bank chooses to interpret the ubiquitous three lines of defence model varies greatly. 1LoD spoke to the major banking players, and found that while the signposts may look different, they all point in the same direction.
The three lines of defence model of risk control is now firmly established across banks and it would be a shock to find any first or second tier organisation that didn’t employ it. But there is plenty of scope for difference in the way the model is implemented, the contents of each line, and to whom they report. Every bank is doing it slightly differently than its peers. So, while the institutions 1LoD spoke to are different from each other in many ways – some are European, some are American, some are universal banks, others are not – there are also a lot of similarities.
These banks are all global firms, with trading and sales operations in the major locations trading the full range of markets instruments and asset classes. So, they all face the same issues and challenges when looking to implement an effective and resilient risk controls framework.
Reporting lines: a tangled roadmap
Jeff Rosen, managing director and COO for Americas global markets at Société Générale in New York, describes its formula for the 3LoD model as “pretty standard”. The first line is composed of “guys on the ground doing the work that have supervisory responsibilities”. The second line comprises risk and compliance, and its role is to challenge the first line. It has oversight responsibilities including financial crime, market risk and credit risk. The third line, meanwhile, comprises audit.
However, like most organisations, between first and second lines, Société Générale has an intermediary layer, sometimes called line 1.5 or line 1b. The purpose of this extra layer is to support the supervisors in the first line.
The model at Morgan Stanley is not significantly different. The first line of defence comprises the business function, but also support functions like operations and finance.
The second line is responsible for operational risk, credit risk and market risk. Compliance and legal also sit in the second line, but have an additional advisory function to support the first line. The third line, again, is audit.
A few firms, such as HSBC and Barclays, employ a group level chief control officer, who is responsible globally across all divisions for the control functions that sit outside of the traditional compliance, financial crime, operational and financial risk functions. It is a massive role. Other firms do not have such a position.
At Morgan Stanley, explains Todd Sullivan, the bank’s head of risk management for fixed income, Americas, the second line functions report to a single chief risk officer, who has a global remit for market, credit and operational risk and sits in New York. There are also functions that have a different reporting line. The compliance, legal and global financial crime functions, for example, report to the chief legal officer, who also sits in New York. Meanwhile, the first line of defence reports to a variety of senior managers – operations, for example, reports to a chief administrative officer while finance reports to the chief financial officer.
At Société Générale, line 1b in the Americas reports to the chief operating officer for the markets business, Jeff Rosen, who reports to the head of the markets business.
The bank’s chief operating officer, meanwhile, is also head of technology and operations.
These structures, and those at similar institutions, have the appearance of frameworks that grew up organically rather than according to an established rubric. They are also in a state of flux, responding to a changing landscape and changing regulatory requirements. Nonetheless, there is a sense that the pace of change has slowed in the last year or two. “There is less revolutionary change than there was a couple of years ago,” confirms Mark Reed, head of Americas supervisory control group at Société Générale (which sits in the global markets COO team).
Conflicts of interest?
One area around which there is considerable debate, however, is where the surveillance function should reside. Some have it in the first line, some in the second, while others have different components of surveillance in each.
There is a view that market abuse surveillance needs more independent validation than specific trade compliance surveillance. Thus, it is perfectly acceptable to have surveillance of things like timely trade clearing in the first line, yet surveillance of market abuse – which implies failure of conduct issues – in the first line raises all sorts of conflicts of interest. This probably requires independent review and quality assurance testing in the second line.
One bank confirms that it places trade monitoring in the first line, but formal trade oversight in the second line. Looking forward, all risk control officers hope and believe that in the next couple of years or so, trade surveillance will be less formally structured and based more on big data and machine learning processes. “That is where I would like us to go and I think that is fairly common across the Street,” says one.
Guided by machines?
All risk officers told 1LoD that in the next few years their organisations will become more agile and more nimble in their use of technology, with machines doing the work currently performed by humans.
The leaps and bounds performed by machine learning and AI in recent years suggest that technology will be able to pick up patterns and judge normalcy in a way that is currently done by humans.
“In five years’ time, we’ll have fewer people and we’ll rely on big data and analytics more,” Rosen says. “I always tell people that our job is to take the haystack and find the needles. The supervisors need to tell us what needles matter and we’ll automate it more and more.” But, warns another risk officer, the smarter that technology gets, the smarter bad actors will get.
Every bank is worried about the burgeoning cost of the control function. But, while some functions can be performed adequately in lower cost centres, there are a number of processes, particularly in the world of surveillance, that require an intimate knowledge of the business.
Moreover, there is only so much that can be done to curtail rising costs of control and the boards at most banks seem to realise that. This is the world in which banks now operate and, to fulfil their regulatory obligations as much as anything else, there is nowhere to hide.
“Would you care if the cost of oxygen went up? Yes, but you don’t have much choice,” asserts Sullivan. “There is concern that this is a non-revenue producing area of resources, but the alternative is the inability to generate any revenue at all. It would be penny wise and pound foolish to make random cuts to control.”
What regulators want more than anything else is for banks to have the ability to provide evidence of control. If it can’t be demonstrated, then it can’t be proved that it exists. That is a cardinal principle and is the area where banks have moved forward a long way in the last decade since the crisis and particularly in the last five years.
Banks can now show their liquidity positions, their risk positions and their capital positions clearly, according to a variety of different metrics, and in fact are asked to do so on every quarterly earnings call with analysts. There is no place for smoke and mirrors any more.
The fact that they are able to do so is in large measure due to the innovations and improvements in the risk environment. Though there is indubitably work still to be done, the industry can take some quiet satisfaction from this.