I’ve heard many different things about oversight of banks, non-banks and their related vendors. Some say it should be done, others say it isn’t that important. Can you tell me if there are any requirements regarding oversight and what they say?
We have noted over the last few years that the Federal Regulators refer to the Three Lines of Defense for oversight execution. Not only do they verbalize it, but this same verbiage can also be found in many of their First Day Letters.
These are as follows:
1st Line of Defense
At the business line level, Quality Assurance of business processes must be performed on a monthly basis. For their vendors, the business should also be completing scorecards on a monthly basis, all rolled up to management and into the 2nd line of defense.
2nd Line of Defense
This refers to both:
- Corporate Quality Control (not the same as Quality Assurance), which audits a selection of loans, chosen through Statistically Valid Sampling or Stratified Sampling, against GSE and FHA guidelines and best practices; and,
- Regulatory Compliance Audit, which compares the line of business work product execution and vendor management with the actual governing laws. These two groups have to perform testing independently of the business.
These audits and their findings must report through senior management, with all issues tracked by the business and second line for oversight until the remediation is complete.
3rd Line of Defense
This refers to the Internal Audit Structure that reports directly to the Board of Directors or to the highest level of senior management. It is totally independent of all other lines of defense. This group reviews everything bank-wide, including the first two lines of defense, all processes of the business end to end, the organizational structure and vendors, and ensures that remediation takes place on everything it discovers.
Director/Internal Audits and Controls
Lenders Compliance Group
Servicers Compliance Group