The Three Lines of Defence (3LOD) compliance model should be a crucial area of focus for businesses wanting to uphold a robust risk management process, explains Newgate Compliance's Head of Financial Crime, Joe French

Since the onset of the Covid-19 pandemic and the upending of traditional working practices, the UK's Financial Conduct Authority (FCA) increasingly expects firms to focus on 'tone from within', which requires every person in an organisation to be personally accountable and engaged for its compliance with FCA rules. Firms must therefore review and adapt their 3LOD model to ensure that it effectively addresses any risks posed by the pandemic.

Line 1 - Employees

A firm's employees are the crucial first line of defence against conduct risk and senior managers need to be confident that day-to-day operating procedures deliver regulatory compliance. Front line teams must be responsible for managing and mitigating their own compliance risks. The key here is having clear and practical policies which are supplemented with effective training.

Working remotely, at least part-time, is now a business norm, so it is vital that firms provide employees with the right level of support and training. Convoluted, vague or overly bureaucratic policies have a negative effect and do not increase staff compliance nor reduce regulatory risk. At Newgate, we work with clients to ensure that employees have the access to tailored and appropriate policies which provide them with clear guidance.

Our dedicated online training centre offers a suite of online courses designed to help employees not only meet their mandatory training requirements, but also assist with their continuous professional development.

Line 2 - Compliance monitoring

The second line of defence is the application of a risk-based compliance monitoring programme. Robust compliance monitoring is fundamentally important in identifying areas where a firm might be at risk of non-compliance with FCA rules or regulations. This should never be just a quick tick box exercise in an attempt to appease any future FCA visit, but a meaningful review by a firm's compliance team of the first line of defence. If your compliance monitoring is not identifying risks or breaches, it is ineffective.

Too many firms view entries on breaches registers as deeply negative, whereas we argue quite the opposite. This is the second line doing its job effectively and bringing with it a greater confidence that issues are going to be identified and addressed at an early stage, rather than allowing them to snowball into a more significant or material event.

Newgate's online gateway system is a comprehensive compliance management tool which our experienced consultants have carefully designed to assist firms test their systems and controls on a regular basis. Our consultants update these tests regularly to reflect all emerging requirements including, most recently, the risks posed by remote working.

Line 3 - Independent assurance

An annual independent review of a firm's compliance framework is the final line of defence and the one which perhaps provides senior managers with the greatest degree of comfort.

Too often, however, is this line perceived as simply picking holes in the work being carried out by the first and second lines. At Newgate, we work with clients on identifying areas which might require measures being strengthened but we are equally not afraid to provide a clean bill of health, or even highlight areas we believe are in line with best practice.  

Our experienced team of consultants, many of whom are ex-regulators with the FCA, can provide independent assurance and audits of a firm's compliance programme by way of a compliance health check. We also provide independent audits on AML KYC file reviews and ensure that your outsourced providers (e.g. appointed administrators) carry out their roles effectively in line with FCA requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.