The “Four lines of defence model” for financial institutions

Original by I. Arndorfer, A. Minot, BIS, Utrecht University, 2015, 26 pages
This summary note was posted on 17 September 2017, in Finance


  • The guidelines issued by the Basel Committee on Banking Supervision (BCBS) in 2015 on corporate governance principles for banks (Basel Committee on Banking Supervision, Principles for Enhancing Corporate Governance, Principles 6 and 7) emphasise the importance of proper risk management procedures, including, in particular, “an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board”.
  • The Green Paper of the European Commission (EC) on corporate governance outlines the perceived inadequacies of board-level risk management: a lack of understanding of risks, a lack of authority, a lack of expertise and a lack of real-time information on risk.
  • Scholars have argued that the primary, if not the sole, justification for regulating internal control systems is to maximise the efficiency and effectiveness with which exposure to risk is managed
  • Efficiency includes, in our view, the way in which work is performed (in terms of qualifications, professionalism and resources), the model/structure underlying the parties involved in the process and the interaction between those parties.
  • The paper concludes that it is necessary to reshape the internal control structure of financial institutions by means of an additional fourth line of defence for external control bodies.

The three-lines-of-defence model

A three-lines-of-defence model was finally developed by the Institute of Internal Auditors in 2013 (IIA (Institute of Internal Auditors), Position Paper, The three lines of defence in effective risk management and control, January 2013).

However, it did not recognise the peculiarities of certain sectors (such as that of regulated financial institutions).

1st line
  • Management control, internal control measures.
  • Reports to Senior management
2nd line
  • Financial control, Security, Risk management, quality, inspection, compliance
  • Reports to Senior management
3rd line
  • Internal audit
  • Reports to Senior management and Governing body/board/audit committee
Weaknesses of the three-lines-of-defence model
  • Misaligned incentives for risk-takers in the first line of defence
  • Lack of organisational independence of functions in the second line of defence
  • Lack of skills and expertise in second line functions:
    • Remuneration and experience in first line functions are still considerably higher and more senior than in second line functions despite the tighter regulation of variable compensation practices. The question remains of how banks can entice highly qualified staff to work in second line functions rather than in first line or risk-taking functions
  • Inadequate and subjective risk assessment performed by internal audit

The four-lines-of-defence model

The three-lines-of-defence model could be strengthened by making supervisors and external auditors an inherent part of the internal control and risk monitoring systems

The Achilles heel of the three-lines-of-defence model stems from a lack of comprehensive overview of the organisational structure

For a long time, international standard setters did not require a close relationship between supervisors and internal organs and functions. More recently, they have called for stronger interactions (Financial Stability Board, Supervisory intensity and effectiveness. Progress report on enhanced supervision, 7 April 2014).

1st line (owns and manages risk)
  • Management control, internal control measures.
  • Reports to Senior management
2nd line (oversees risks)
  • Compliance, Risk control, Financial control, Middle office, Model validation, etc.
  • Reports to Senior management and Board/audit committee
3rd line (independent assurance)
  • Internal audit
  • Reports to Senior management and Governing body/board/audit committee
4th line (external audit and supervisors)
  • Three-way communication between internal audit, supervisors and external audit (the “regulatory triangle”)
  • Communication works by reducing, if not eliminating, asymmetric information, so as to make risk control systems more effective

Relationship between functions

  • Scope of supervisory activities has been broadened to include additional responsibilities such as a review of the operational risk management framework, an assessment of internal control frameworks and of the adequacy of internal and external audit
  • Systemically important banks have been encouraged to implement trilateral meetings (Basel Committee on Banking Supervision, External audits of banks, March 2014)
  • Supervisors have been encouraged to prepare written reports on important issues and exchange these with management, the board and the external auditors
  • External auditor focuses on the financial statements, and attests that these are free from material misstatements
  • Internal auditors must be protected against litigation when disclosing confidential information in good faith
  • Principle 26 (BCBS Core Principles for Effective Banking Supervision): supervisors assess whether the institution has an independent, permanent and effective audit function
  • Principle 16: “Supervisors should have regular communication with the bank’s internal auditors to (i) discuss the risk areas identified by both parties, (ii) understand the risk mitigation measures taken by the bank, and (iii) understand weaknesses identified and monitor the bank’s responses to these weaknesses”
  • Help improve the quality of external audits, especially in situations where auditors are notified of key areas of regulatory interest in advance
  • There are jurisdictions that specifically prohibit reliance on external auditors for work performed by the internal auditors
  • External auditors are encouraged to minimise the amount of work carried out by the internal audit function and to perform more of the work directly to ensure that they are sufficiently involved in the audit process
  • To ensure independence of the outsourced service provider, internal audit is advised to outsource work to other firms than the chosen external audit
  • If the internal auditor detects critically sensitive information and decides to inform the external auditor outside of its normal chain of command, this act is referred to as external whistleblowing.
  • The internal auditor needs to evaluate whether its local jurisdiction protects it against law suits
  • Empirical evidence brings to the fore the question of whether the work performed by external auditors should be relied upon.
  • Recurring deficiencies have been detected in the external audit of SIFIs relating to judgemental elements of balance sheet items or processes

Situation in different countries

UK (Good)
  • The PRA asked external auditors to contribute to its supervision of firms by directly engaging in a pro-active and constructive way to support judgment-based supervision and help promote the safety and soundness
  • The PRA keeps monitoring the quality of auditor-supervisor dialogue.
Switzerland (can do better)
  • A recent (2014) IMF assessment noted significant weaknesses in Swiss supervision (IMF Country Report 14/143, Switzerland: Financial Sector Stability Assessment, May 2014)
  • Auditors should not be paid by a supervised entity but rather by a “FINMA-administered bank-financed fund”
  • Resources were insufficient to supervise and regulate the entire banking system in a way that met the Core Principles for Banking Supervision, including sufficient in-depth on-site work and oversight of supervisory work done by external auditors, particularly for small- and medium-sized banks
USA (can do better)
  • Supervisors meet periodically with external audit firms to discuss issues of common interest
  • Should provide safe harbour protection for external auditors reporting issues to regulators
  • Weaknesses relating to the fact that supervisors do not have legal powers to add specific issues to the scope of the external audit in order to address issues that are not normally covered by such an audit
Hong Kong (potential improvements)
  • The HKMA lacks powers to reject the appointment of an external auditor when there are concerns over its competence or independence
  • It does not have direct power to access the working documents of the external auditor even though the HKMA is able to address issues that arise by indirect means