QUESTION
I’ve heard many different things about oversight of banks, non-banks and their related vendors. Some say it should be done, others say it isn’t that important. Can you tell me if there are any requirements regarding oversight and what they say?
ANSWER
We have noted over the last few years that the Federal Regulators refer to the Three Lines of Defense for oversight execution. Not only do they verbalize it, but this same verbiage can also be found on many of their First Day Letters.
These are as follows:
1st Line of Defense
At the business line level, Quality Assurance of business processes must be performed on a monthly basis. For their vendors, the business should also be completing scorecards on a monthly basis, all rolled up to management and into the 2nd line of defense.
2nd Line of Defense
This refers to both:
- Corporate Quality Control (not the same as Quality Assurance), which audits by selecting loans through Statistically Valid Sampling or Stratified Sampling, and against GSE and FHA guidelines and best practices; and,
- Regulatory Compliance Audit, which compares the line of business work product execution and vendor management with the actual governing laws. These two groups have to perform testing independently of the business.
These audits and their findings must report through senior management, with all issues tracked by the business and second line for oversight until the remediation is complete.
3rd Line of Defense
This refers to the Internal Audit Structure that reports directly to the Board of Directors or to the highest level of senior management. This is totally independent of all other lines of defense. This group reviews everything bank-wide, including the first two lines of defense, all processes of the business, end to end, the organizational structure, and vendors, and ensures remediation takes place on all that they discover.
Michelle Leigh
Director/Internal Audits and Controls
Lenders Compliance Group
Executive Director
Servicers Compliance Group