PwC Discusses How Financial Institutions Can Bolster Defenses Against Risk

Many financial institutions[1] have implemented the three Lines of Defense (LoD) model to help define their risk management frameworks and bolster supervisors’ (e.g., desk heads and senior traders) abilities to monitor risk.[2] However, as frameworks for managing financial risks (e.g., credit, market, and liquidity) have become more developed, regulators are increasingly focusing on oversight of non-financial risks (e.g., operational and conduct).[3]

Supervisors are often not only expected to design, manage, and execute a financial institution’s first LoD controls framework, but to do so while meeting (or exceeding) revenue expectations. In order for supervisors to meet the expectations of both regulators[4] and senior management, the traditional three LoD model has had to evolve. As a result, many financial institutions have adopted a front office central supervision team (CST) within the first LoD (known in some financial institutions as line 1.5) to assist supervisors with assessing issues, designing controls, executing supervisory processes, and monitoring non-financial risks.

The CST strengthens the supervisory framework by taking over the initial review of tasks associated with non-financial risks from supervisors (leaving financial risk issues to traders and desk heads), while still bringing any material issues to supervisors’ attention.[5] Importantly, supervisors maintain accountability over all risks. But, with the help of the CST they are better able to filter through the noise to get to the real issues, which allows them to spend more time serving clients and focusing on meeting revenue goals.[6] Further, since building a strong CST requires financial institutions to analyze the roles of the three LoD within their supervisory framework, the CST can help clarify the roles and responsibilities of the first and second LoD in order to remove duplicative tasks.

Although many financial institutions already have a CST in place, most still struggle to define its mandate, determine the appropriate operating model, and use available tools to help supervisors and the CST more efficiently carry out their various responsibilities.

Ahead we take a closer look at how financial institutions are defining their supervisory framework and using a CST to enhance non-financial risk management practices within the first LoD.

The supervisory framework

The standard three LoD framework requires supervisors within the first LoD to be accountable for all risks related to their business activities. Therefore, the supervisory framework is built on a number of internal controls that measure, monitor, control, and report on those risks. These controls can generally be grouped into six broad categories: (1) financial risk management, (2) operational risk management, (3) trade lifecycle activities, (4) personal conduct, (5) client fair dealings, and (6) prevention of other potentially manipulative activities. Each of the six categories includes activities for which supervisors are accountable to ultimately ensure the financial institution’s risk is being managed.[7]

The level of sophistication of a financial institution’s first LoD risk management framework (specifically whether or not they have a CST in place) affects how much time supervisors spend performing risk management tasks, rather than managing their day-to-day client and revenue objectives.

The CST’s mandate

The vast majority of financial institutions define the CST’s mandate using a model wherein supervisors delegate the performance of certain tasks, such as producing and reviewing surveillance and exception reports, to individuals within the CST. However, regardless of delegation, it is important that the supervisor remains accountable for the potential risks associated with performing or failing to perform that task. Financial institutions that use a delegation model must ensure that the roles of the CST and the supervisors are clearly defined and that there are rules in place about what may be delegated, and to whom. Further, financial institutions should ensure that anyone to whom a task is delegated has the proper training needed to identify and escalate issues.

In addition to taking over certain tasks from supervisors, CSTs also help to develop, organize, and standardize the front office supervisory control framework, as well as design and implement enhancements to control processes. The CST often helps assess the effectiveness of existing controls in order to understand where enhancements are needed, assist supervisors in responding to testing inquiries, and self-identify issues when necessary. It is important for financial institutions to keep in mind, however, that the CST should not be created as another testing function nor are their actions meant to duplicate, pre-empt, or replace the testing functions of the second and third LoD. Instead, they represent a proactive approach for supervisors to ensure prudent execution of supervisory activities and to identify and address any gaps in control systems.

The optimal operating model

While the CST lies within the first LoD, financial institutions differ on whether the team should be centralized (i.e., ultimately rolling up to one global head that reports to the financial institution’s division head or COO), or decentralized, aligning to various business lines or regions.

A centralized model is beneficial for defining a single mandate across the institution and applying resources based on specific needs across the various business and product lines. Alternatively, a decentralized model enables the CST to be organized by region, business lines, or both, and can be tailored to take jurisdiction and/or type of product (and therefore, applicable regulations) into account.

We believe that a hybrid model, which allows financial institutions to perform certain supervisory activities centrally (e.g., email review) while taking a business-specific approach to other activities, is most effective. Regardless of which approach a financial institution chooses, a global head of the CST should ensure there are effective standards and guidance applied across the financial institution.

Resourcing needs

Financial institutions also contend with challenges in determining how to staff the CST (e.g., what skills are required and where the CST should be located). Typically, the CST is made up of individuals with backgrounds in: compliance, finance, law, audit, and risk (including former traders and risk managers). Depending on the tasks assigned to the CST, the skillsets required may vary among subject matter expertise, quantitative analysis, and project management skills.

In addition, some financial institutions have shifted compliance officers from the second LoD to the CST. Similarly, some financial institutions believe the first LoD is better suited to perform trade surveillance. While the first LoD has traditionally been accountable for its business activities and preventing violative conduct at its source, compliance (the second LoD) has generally been responsible for trade surveillance. These financial institutions should be mindful to leverage resources effectively, ensuring tasks are integrated, and avoiding unnecessary duplication of tasks among the LoD.

Financial institutions are also exploring opportunities to minimize the cost impact of creating a CST, through use of shared utilities, third parties, and offshoring to perform certain standardized tasks (e.g., creating e-mail lexicons and collecting Know Your Customer information).[8] Those exploring these options face challenges, especially in finding, training, and retaining third-party vendors. Importantly, financial institutions that have offshored certain tasks still require that the final supervisory sign-off occurs in the main office.

Tools for effective supervisory risk management

Financial institutions with less-developed reporting structures monitor their supervisory obligations through a variety of exception reports and controls (e.g., reviewing cancelations and corrections, and a daily report for TRACE late trades, etc.).[9] Such reports often contain a lot of non-pertinent information and may not create an audit trail of escalated and remediated issues, making it difficult for supervisors to find the information they need and evidence their supervisory oversight. As a result, many financial institutions require their supervisors to attest on a monthly basis that they have met their supervisory responsibilities.

Financial institutions with more mature reporting structures support supervisory obligations by providing the CST with tools such as a “supervisory dashboard,” a one-stop-shop for key supervisory controls that provides targeted information on action items (e.g., breaches of limits or thresholds, escalation items requiring remediation, etc.). Instead of supervisors tracking, reviewing, and escalating issues using multiple systems, the dashboard provides a central solution where the CST can review alerts and bring them to supervisors’ attention when necessary.

At its most basic functionality, the dashboard creates an alert when an action or review is necessary and provides other key metrics by pulling data inputs (either manually or automatically, depending on the maturity of the platform) from various internal sources on a daily, weekly, or monthly basis. The dashboard can be populated by reports (by direct feed or manual inputs from the CST) that are sourced from control areas such as operations, controllers, model review, and compliance. The dashboard may also have a set of smart criteria that pre-screens which issues get escalated for supervisory action.

Dashboards can also be used to create a workflow tool that provides a clear escalation and remediation process, helping to produce an audit trail of decisions and information reporting (e.g., allowing supervisors to see comments from the Trade Surveillance team explaining why a price exception alert was escalated). This eliminates the need for supervisor attestations that have become a “check-the-box” exercise. In addition, the dashboard can be used to conduct regular reviews (e.g., trade pre-clearance reviews) and monitor compliance with regulatory requirements (e.g., market-making inventory limits under the Volcker rule). By creating a more efficient review process, a CST with the help of a supervisory dashboard allows supervisors to focus only on material issues (i.e., exceptions, escalation points, etc.) and their revenue-generating goals, without spending time on false positives.[10]

What should financial institutions do now?

Regardless of the maturity level of a financial institution’s supervisory framework, there are factors that each financial institution should take into consideration in order to bolster their risk management framework when utilizing a CST.

  • Define, document, and implement clear roles and responsibilities for the CST. This includes how the CST works with other front office personnel and how and when the CST interacts with the second LoD.
  • Create a clear policy regarding which tasks are appropriate for supervisors to delegate to the CST.
  • Ensure delegates have the required knowledge, skillset, and training to perform their tasks and understand how and when an issue should be escalated to supervisors.
  • Identify and implement key tools and technology (e.g., dashboards) that create audit trails and allow supervisors to point to evidence of controls in action, rather than relying on an attestation.
  • Design and implement a standardized supervisory framework across similar businesses and products so that reviews and escalations can be prioritized appropriately.


  1. This paper is focused on banking organizations with broker-dealer and capital markets sales and trading businesses.
  2. The “three lines of defense” model is the prevailing risk governance construct. The first LoD is the risk-taking business unit and is responsible for managing the risks of its activity. The second LoD consists of independent risk management oversight functions, separate from the first LoD, that have responsibility for identifying, measuring, monitoring, or controlling aggregate risk. Finally, the third LoD – internal audit – provides independent assessment and assurance on the entire risk framework.
  3. From 2011-2015, the top five US banks have paid $167 billion in fines for conduct-related violations. To learn more about regulatory scrutiny on non-financial risks, see PwC’s A closer look, Sales practices: OCC exams and beyond (October 2016).
  4. E.g., the Federal Reserve Board (Fed), Financial Industry Regulatory Authority (FINRA), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC).
  5. The CST focuses on helping supervisors manage non-financial risks, so that front office employees such as traders and desk heads can focus on monitoring risks that are more aligned to their roles, e.g., monitoring P&L.
  6. In some respects, this model resorts back to the creation of business-line Compliance officers. The role of the Compliance officer was originally created with a similar mandate of the CST to partner with business heads in navigating the complex regulatory landscape. Since the financial crisis however, the focus has been on supervisor accountability within the first LoD (i.e., the owners of the risk), leading to the creation of the CST to bring responsibility back to the first LoD.
  7. The following are examples of tasks within each category: (1) financial risk management includes supervisors reviewing and approving their P&L on a daily basis; (2) operational risk management includes ensuring trading authorities (e.g., which traders can trade which products) are kept up-to-date; (3) trade lifecycle activities includes controls around cancellations, corrections, and amendments that prevent unauthorized trading; (4) personal conduct includes the performance of communications surveillance and gifts and expense activity reviews; (5) client fair dealings includes suitability analysis being performed for customers; and (6) preventing other potentially manipulative activities includes access controls and off premises trading monitoring.
  8. See PwC’s Financial crimes observer, AML: Do you really know your customer? (January 2016).
  9. The Trade Reporting and Compliance Engine (TRACE) facilitates the mandatory reporting of over-the-counter secondary market transactions in eligible fixed income securities.
  10. While the dashboard on its own does not solve the issue of excessive false positives, the CST and the dashboard combined allow supervisors to spend less time on them. In addition to the dashboard, many financial institutions are also piloting other big data solutions in order to achieve more meaningful analytics that will ultimately help solve for among other issues, too many false positives and the various inefficiencies that accompany their investigation.

This post comes to us from PwC. It is based on the firm’s publication, “A closer look – The supervisory framework: building a stronger defense,” dated March 15, 2017, and available here.