Banking Exchange Magazine Logo

Defense! Three lines of defense!

What community banks can learn from large-bank risk requirements

Defense! Three lines of defense!

Amid controversy, last year the Comptroller’s Office adopted new regulatory requirements for risk management in large banks—$50 billion in assets and larger. The agency had good reason. These banks are deemed to contribute to systemic risk, so public interest mandates extra protection.

Is there anything community bankers can learn from the large bank requirements that will help them run their banks better? I believe there are some helpful concepts to consider.

Basics of the “three lines” defense

This new regulation states that there are three lines of defense in a banking organization to protect it from risk: 1. the front line; 2. the independent risk management function; and 3. the independent audit function.

The front line is said to “own the risk.” So it is responsible for managing it.

The bank’s risk management function, with the CEO, must drive a comprehensive risk appetite statement and build and maintain a structure for monitoring, enforcing, and reporting in support of the risk limits.

Audit, of course, checks that it all gets done.

The outcome is logical. And the language adopted and the process the OCC used to get there yields insights that community bank leaders may gain from.

What’s being defended from what—and whom

Consider the phrase “three lines of defense.” We all know in defense of what—the safety and soundness of the bank.

But defense from what or from whom is not so clear.

Everyone in the bank has a shared interest in defending the bank from external agents or events that threaten the bank’s safety and soundness. And the front line, of course, shares that interest.

So much of the structure of the risk architecture mandated by the regulation, though, is necessary because there needs to be defense from internal agents as well. These agents reside in … the front line.

OCC spent much effort and received many comments on what or who is considered the front line, and what it means to be independent of them—the ones who actually conduct business with customers.

The agency’s original proposal was both broad and harsh in defining who is or is not in the front line and what “independent” implies here. Fortunately, OCC adopted a more balanced approach, in the revisions process. For example, the agency concluded that the Legal and Human Resource Departments are not likely to be part of the front line.

The “principle-agent” problem

OCC is appropriately concerned with activities in the front line that may jeopardize the safety and soundness of the bank. This results from what economists call the “principal-agent problem.”

That’s a shorthand way of saying that what benefits the agent most may not benefit the principal; it might even harm it. In this nomenclature take “agent” to mean front-line employee, and take “principal” to mean the bank itself.

Much of the difficulty in structure to formulate an effective risk management program in large banks, and the incumbent costs to do so, arise from protecting the bank from its principal-agent problem.

As a community bank leader, to what degree do you think your bank, as principal, lies exposed to the principal-agent problem? 

Before you answer that, understand that that does not mean exposure to error or misjudgment by employees in carrying out their duties. We all run that risk more or less equally.

What I’m referring to is really more a cultural, recognition, and compensation reward question—the answer to which is a key element in formulating the best approach to risk management.

Decisions guided by risk perspective

At the corporate level, decisions are driven almost exclusively by what is best for the bank. To what extent are you sure that the same motivation applies to the customer-level decisions made by your loan and deposit officers?

We are not talking about routine customer relation issues—like offering a higher interest rate on a deposit, or a lower one on a loan if that is available in what you offer. That’s part of how a customer relations officer keeps customers satisfied.

Consider such questions as:

• Would your account officers take on an account when they know it will not be profitable, because taking it on means they will meet a volume goal that allows them to earn more money?

• Even if you allow for their desire to do so, will they be honest in putting forward the facts for others to make a decision? 

• And to what degree will a loan officer drive to meet volume goals to earn an incentive payment when the loan is not beneficial for the bank?

If your organization tilts more toward meeting volume goals and offers significant rewards to employees to do so, then you are more vulnerable to the principal-agent problem.

To meet this additional risk, account acceptance and monitoring processes need to be more segregated from the business development unit and a more formal risk management structure is indicated. Compensation mechanisms should be reviewed to consider whether they are properly aligned to the degree practical to long-term value creation.

On the other hand, let’s say that decisions are based more on full disclosure and analysis at your institution, with a documented line of thought regarding what is best for the bank. Let’s further assume that compensation systems do not tilt toward volume and significant incentive payments. Then a less formal structure will work well.

Which kind of culture does your bank have?

Most community banks I know—but not all—resemble more the latter than the former model. Risk and reward considerations are considered in tandem, without the inherent conflict of the principal-agent problem.

Risk management is critical in any bank, but in a bank that resembles the latter model, save the effort and cost of the more rigid and formal model because your culture and compensation systems themselves diminish your exposure to the principal-agent problem.

Daniel Rothstein

Dan Rothstein is CEO of DR Risk Solutions, a consulting firm specializing in enterprise risk management, loan portfolio management and regulatory relations.  Rothstein’s career spans more than 30 years, and he has spearheaded the development, implementation, and successful integration of best practice ERM programs, operational risk and control systems, and credit and loan portfolio management. He is also an attorney admitted in New York. You can reach him at [email protected]

back to top


About Us

Connect With Us