Modernizing risk & compliance and Regulation YY implementation

In our previous blogs on foreign banking organizations (FBOs), we highlighted our thoughts on some of the next set of challenges for large FBOs following the July 1, 2016 compliance deadline to establish Intermediate Holding Companies (IHCs). We recognize the long road to operationalizing run-the-bank (RtB) processes has just begun and the true “use” tests of the IHCs and their combined US Operations will be unfolding for some time. FBOs have experienced a significant period of change for more than three years, and the baton has now been passed from large change programs to implementation programs. The focus has shifted to embedding the IHC/Regulation YY requirements into businesses to execute, control functions (i.e., second line functions) to monitor and test, and internal audit to validate.

It is critical that FBOs operationalize and then sustain their RtB processes, and reinforce and/or enhance the Three Lines of Defense (3 LoD) governance models currently in place. The ability of these functions to do their jobs end-to-end and across silos will be a critical point for enabling risk identification, monitoring and mitigation, ensuring a robust risk and compliance culture, and providing a US-centric view of the FBO’s operations and risk profile. The regulatory spotlight, especially over the course of the next year, will be on risk, compliance and internal audit, and on the effectiveness of these second and third lines of defense in identifying whether the processes are working.

A legacy of under-investing and deferred maintenance in regulatory risk management capabilities has generally led to a reactionary approach to regulatory requirements and expectations. That, in turn, has led to siloed approaches to responding to regulatory reform, fragmented solutions without an end-to-end view of vulnerable processes, and lost opportunities to harness the power of strong governance across the 3 LoD.

1. Definition of a 3 LoD governance model to improve accountability, effectiveness, and efficiency

In order to demonstrate sustainable regional business practices, there is a need to shift from a reactive approach of addressing increasing regulatory expectations and operational challenges to a proactive, systematic, and forward-looking approach that promotes continued sustainability and drives efficiency and effectiveness.

Given its close involvement in recent change programs, the second line of defense, namely risk and compliance, is uniquely positioned to monitor and test new or enhanced IHC processes deemed to be highly critical. This monitoring and testing should be accompanied with other enterprise compliance programs and safety and soundness requirements. Risk and compliance should be prepared to better understand the availability of data and how to best integrate such data into ongoing monitoring and measurement to increase predictability of risk and compliance issues and trends.

2. Utilization of data and other tools to improve data analytics, testing, and monitoring in ways that provide a proactive view of risk

Data analytics can also be used in targeted readiness reviews, ahead of scheduled testing by internal auditors, external auditors, or regulators, focusing on risks and processes within the FBO core functions: front office, credit, market, liquidity, currency, interest rate, and other financial risks, as well as strategic risks, third-party risks, cyber risks, and conduct risk.

Additionally, risk and compliance organizations are enhancing their skills, through automation, robotics, and broadening the knowledge base of their professionals beyond the traditional model, all with the mindset of more effective and efficient monitoring and testing through automation. In addition, greater investment in technology will allow efforts to focus on analysis rather than manual aggregation of data and reporting.

3. Validation and testing are next after building

We expect a heavy increase in the regulatory reviews of Regulation YY implementation, and a focus on how the 3 LoD operating model is actually working and whether it is functioning effectively. Ultimately, regulators will ask: are issues escalated, monitored, and remediated through the business, monitored and tested by the second line, and then validated by the third line?

We know that regulatory change can best be managed with clearly defined roles, responsibilities, and accountabilities aligned with the bank’s operating model and risk management and compliance capabilities. There is no “one size fits all” model for an organization’s 3 LoD, and many organizations continue to grapple with the decision to implement a centralized, decentralized or hybrid model, where varying responsibilities exist across the three lines.

The dividing line of responsibilities between the first and second lines of defense continues to evolve, with the guiding principle that those closest to the origin of risk are most capable of identifying and managing it and first to be held accountable. Regardless of how those responsibilities are divided, the first and second lines of defense should continue to become less reactionary and seek to use advanced compliance monitoring approaches for identifying risks with real-time detection and predictive data analytics.

The Federal Reserve’s requirements and expectations for risk and compliance are likely to evolve over the next year as regulators compare practices horizontally across FBOs and domestic firms. Therefore, capabilities developed must remain flexible and scalable. Organizations may consider establishing a targeted regulatory risk team within the second line to liaise with organizational leadership, the front office, and third line of defense about regulatory expectations and requirements in a proactive and holistic manner. Fostering a culture in which everyone is accountable for managing risk and compliance remains a top priority, regardless of the level of centralization within your 3 LoD operating model.

FBOs should continue assessing the organizational structures across the 3 LoD, ensuring that the IHC board of directors, governance forums, and regional leaders and control functions are involved and collectively oversee risk management and compliance. The bottom line is that roles and responsibilities should be clearly articulated across the 3 LoD and accountability must be enforced at the highest levels. Evaluating 3 LoD effectiveness through lessons-learned exercises and regulatory feedback is an essential step toward improving the FBO’s capabilities to meet requirements on an end-to-end basis.

4. Create a proactive monitoring and change management function

Modernizing risk management and compliance by better defining roles and responsibilities and arming each line of defense with better tools to identify and monitor risk is the platform for navigating the uncertain risk and compliance environment in an effective and efficient way.

Achieving this modernized framework embodies some degree of ‘central control’ for overseeing regulatory change in a way that promotes consistency, accountability and transparency across each of the three lines of defense. Traditionally, implementation across business and functions is siloed, and the ability to go across the three lines in systematic ways is an essential component to that modernization. We believe such an approach will continue to provide value to an organization long after the regulatory spotlight has faded.

In our previous blog, Regulatory change: Challenges continue, but opportunities exist, we introduced the need for a more strategic regulatory program that provides a capability-level understanding of applicable regulations as the key to increasing efficiency and reducing compliance-related risks. A strategic regulatory function could be uniquely positioned to analyze and digest new developments or changes, and provide insights to various functions within an FBO that will drive how compliance resources are deployed. It can provide proactive monitoring to assist the CEO and front office in deploying these resources in response to regulatory change and in actively integrating that response into business and strategic planning, using both internal and public data. This regulatory change function is intended to look through the 3 LoD model, make it efficient and effective, and streamline responsibilities.

Irena Gecas-McCarthy
Principal | Deloitte Advisory
Deloitte & Touche LLP

David Wright
Managing Director | Deloitte Advisory
Deloitte & Touche LLP

Tom Nicolosi
Principal | Deloitte Advisory
Deloitte & Touche LLP

Michele Crish
Managing Director | Deloitte Advisory
Deloitte & Touche LLP

Richard Rosenthal
Senior Manager | Deloitte Advisory
Deloitte & Touche LLP

Joanna Connor
Senior Manager | Deloitte Advisory
Deloitte & Touche LLP

Alex LePore
Senior Consultant | Deloitte Advisory
Deloitte & Touche LLP
