The front office, or first line of defense, has assumed growing importance in the organizational structure. It is therefore no surprise that a dedicated front-office control function is now standard practice for firms seeking to enhance their ability to manage non-financial risks.
In this regard, firms have been following the classic three-line defense model to ensure a robust control environment that meets financial, operational, regulatory, and legal requirements.
This includes the First Line of Defence (1LOD) — “front office/business”, responsible for assessing and mitigating risks.
Second Line of Defence (2LOD) — “risk management”, responsible for independently assessing the risk-taking activities and designing a risk framework.
And the Third Line of Defence (3LOD) — “internal audit”, responsible for evaluating compliance with policies, procedures, and processes established by 1LOD and 2LOD and for providing independent assurance to the board audit committee.
The challenges of establishing a healthy front office control are many and complex — one of them is the science of perfecting customer experiences by regulating human behaviors within the organization. The very nature of behavior throws up complexities of conduct-related risk and redundancies that need to be addressed through a thorough assessment of customer interaction data to expose risk trends. Added to this is the consistent change in regulatory governance that requires any risk control framework to be adaptable and intuitive.
In sum, the critical challenges in establishing a front office control function are as follows:
Continuous change in regulation
In 2016, Thomson Reuters captured no fewer than 52,506 updates from 75 global regulators, averaging more than 200 for every single day. This was almost double the alerts seen in 2013. Every change in regulation translates to a change in governance management and compliance operations, and eventually to an overhaul of the front office controls.
With regulators getting more and more exacting about their risk and conduct surveillance criteria and raising the stakes for failure to abide by them (such as legal proceedings against business owners not abiding by the SM&CR), keeping up with all the governance requirements is proving a significant challenge for many financial institutions.
Continuous change in risk dynamics
The time is ripe for front office control functions to adapt to emerging risk landscapes. With the increase in automated surveillance-based controls, necessitated by the dynamic regulatory atmosphere, it may be time for IT acumen to be inducted into front-office risk control teams. Risk is now an ever-changing force to be dealt with.
Many firms are struggling under huge heaps of diverse, complex data produced by the new control surveillance systems operating for their front office functions. One of the most common headaches in surveillance data is the recurrence of “false positives”: red flags raised for potential misconduct or risk.
While many of these may be completely innocent, the sheer amount of time, overhead capital, and technological resources that can go into their investigation is draining. When put in the context of banks’ increasing requirement of data for compliance purposes and the demand for it by their clients for regulatory reports, this becomes an overarching challenge for any risk control function to deal with. It doesn’t matter how advanced your surveillance system is if it does not come with an intelligent data management and governance system.
Need for a focus on culture
The emerging risk control landscape depends on the adaptability and transformation of organizational culture. In the three-line defense model, cultural transformation has traditionally been seen as a top-down phenomenon. Senior management sets the tone and cultural norm, middle management assesses the risk around the procedure, and the lower rung embeds the change.
However, with the evolution of automated front office surveillance systems, a ‘bottom-up’ approach is now possible and perhaps necessary. In either case, however, the defining challenge in studying and changing culture is its complexity and unpredictability. By flagging conduct, the visible evidence of culture, and analyzing the risks associated with its expression in 1LOD, the complex body of culture can be navigated, anticipated, and mitigated.
Nothing is ever enough when it comes to establishing a successful front office control function. Whether it’s the controls architecture going over budget trying to factor in complex data management and compliance monitoring or not finding the right team to introduce and implement the control — the struggle is real. Recruiting and budgeting for front office controls are tough.
In addition, with every new leap in surveillance technology, it is important to have individuals who combine business, leadership, and technological acumen. Some of the technical skills that are relevant to the front office are domain knowledge, surveillance & digital risk management, supervision, understanding of standards and controls, conduct risk, controls and measurement, risk assessment, and mitigation.
Regulations such as the Senior Managers and Certification Regime (SM&CR), MiFID II, the Market Abuse Regulation, and the Benchmarking Regulations have maximized non-financial risk-based accountability from heads of businesses in recent times.
This has meant that the surging costs to introduce, maintain and enhance the front office risk control framework are now part of the managerial headache. Whatever ensures perfect risk-free conduct has to be afforded: staffing levels, better surveillance systems, better data management, and the optimal model.