The “defenses” to protecting your money

Businesses’ “three lines of defense” may not be strong enough to withstand the next lapse of controls.

If a financial institution collapses, who comes first? You, the customer; or a long list of creditors? And as management of the financial institution, what do you have to worry about?

In June 2010, a global financial institution received the largest fine in the UK’s Financial Services Authority’s (FSA’s) history at £33.3m (S$70m). The fine was for failing to put as much as £16b (S$34b) of customers' funds into segregated accounts protected with trust status. This would have protected the client funds in case the bank became insolvent. In what was described as a "serious breach" of rules governing the segregation of the bank's money and its customers’, had the bank become insolvent at any time, these customers’ monies would have been at risk of loss to the customer.

Margaret Cole, Director of Enforcement and Financial Crime, Financial Services Authority in the UK said, when publically announcing the fines: "Customers should be able to assume that authorized firms have the right systems and controls to safeguard their assets. To put clients at risk of significant financial loss by failing to segregate client money appropriately for a period of two years - this is simply unacceptable. It is essential for firms to adhere to our client money rules and recent action in this area shows that our focus has intensified. Firms should be in no doubt that if they fail to get their house in order in this regard we will take action against them." She also said that they had "several more cases in the pipeline”.

So even with regulations and safeguards in place that serve to protect the interest of customers, financial institutions may not have always complied. And while incidents like the above are not common, it does happen. The question really is: Is this just the tip of the iceberg and a sign of bigger problems?

So what went wrong?

In the above case, £33.3m is a colossal amount for what one could argue was an “administrative oversight”. Upon closer inspection, it reveals weak internal controls and a lack of coordination among the “three lines of defense” within the organization.

The “three lines of defense” commonly refers to the way a business manages its risks. The “first line of defense” is the line management who assume ownership of risks across the business. Their job is to identify major risks and implement robust controls that safeguard both the business and its customers.

The “second line of defense” consists of the risk management, legal, compliance and, in insurance companies, actuarial functions. These groups of people should develop an effective risk management framework that enables them to continually monitor risk exposures, and support and advise the line management.

The “third line of defense” is internal audit, whose role is to provide independent and objective assurance over the effectiveness of the first and second lines of defense. However, many view the internal auditors as causing periodic disruptions to the business and adding little value to the organization, beyond ensuring compliance.

In reality, internal auditors are in a position to play a strategic role by generating ideas for process and control improvements, and should be involved in any strategic business investment where a missed risk could dampen earnings or reputation. Internal audit should be looking at the bigger picture. It should not be auditing lower-level risks, rather auditing the risks that truly matter and to that end, have a seat in the boardroom to explain the risks and gaps that need to be addressed. The desired transformation of the role of internal audit will, in itself, warrant a step to change everyone’s mindsets.

So with the “three lines of defense” in place, how could things still have fallen through the cracks? One of the possible reasons is that many multinational financial services institutions have grown organically, with ad-hoc acquisitions and without structured planning. Over time, as departments and functions evolve, duplication – or worse – gaps of activity or control occur among the three lines of defense through lack of awareness, inadequate risk mitigation or simple complacency.

Further, the situation is exacerbated by how the “three lines of defense” upwardly report. Typically, each of them reports independently to the board and executive management. With each of them having different definitions of risk in terms of terminology, importance, likelihood etc., and making differing assessments of the business in silos, boards and executive management are often handicapped by the lack of a single, clear picture of where the real issues lie.

What can you do?

Before the next lapse in controls occurs in your organization, as management of a business, it is timely to consider if your “lines of defense” are integrated and if internal audit is focusing on the risks that matter. It pays to ensure that there is a cohesive and coordinated approach to managing your risks, and that there is leverage, not duplication, among your lines of defense to provide a harmonized picture of your risk exposures. The advantages of providing a more integrated assurance approach are clear – lower risk, lower costs and greater competitive advantage.

If you are an Audit Committee or board member, challenge the risk coverage in the organization. Examine if the organization is identifying the high impact risks or just making incremental changes to existing risks. Question when an independent review of the effectiveness of the internal controls, such as the safeguards for client monies, last took place.

And if you are a customer of a financial institution, it is in your interest to take control of the concentration of your monies, and to always ask the right questions before you park your funds with any institution.