By David Crawford, VP of Compliance, Ubiquity
The rise of corporate compliance programs in recent years has been a response to major corporate scandals, lack of internal oversight, and regulatory reforms aimed at protecting consumers. The size and complexity of compliance programs vary depending on various factors such as industry sector, type of services offered, level of customer data involved, and geographical location. Establishing an effective compliance program requires skill, experience, top-level support, and adequate resources.
Here we’ll learn how companies can leverage resources beyond their employees by using outsourcing partners or vendors through a compliance-by-design relationship model. We will review history, briefly explain what the 3 Lines of Defense (3LOD) Model is, and outline how a company can integrate a vendor or outsourcing partner to enhance its risk management model.
The scandals that got us here
Over the past two decades, there have been several significant regulations enacted as a result of corporate scandals, including the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, and the European Commission’s General Data Protection Regulation (GDPR) of 2018. Additionally, the California Consumer Privacy Act (CCPA) was published in 2018, with further expansions to privacy protections in 2023 through the California Privacy Rights Act (CPRA).
Other notable regulations include enhanced broker-dealer oversight following the Madoff Investment Securities Ponzi scheme, increased regulations for emissions testing after Volkswagen’s emissions cheating scandal, increased regulations for bank sales practices after Wells Fargo’s unauthorized account creation and sales practices violations, and further expansion of state-based privacy protection in 2023 and beyond.
Consumer protections on the horizon
Governments across the globe are continuing to draft new regulations aimed at protecting consumers, with a focus on enhancing privacy rights and protections. According to Gartner research, it is estimated that modern privacy regulations will cover the personal data of 75% of the world’s population by 2024. GDPR is widely seen as a blueprint for other governments, and organizations are adopting its principles as a global framework to reduce the complexity of managing individual country or region-based privacy programs.
Similarly, a new Consumer Duty is being established in the UK in 2023. Once effective, this regulation requires firms to act to deliver good outcomes for retail customers. The new duty encompasses products and services, price and value, consumer understanding, and consumer support. The duty “sets higher and clearer standards of consumer protection across financial services, and requires firms to put their customers’ needs first.”
The challenges for global businesses
Global businesses face the challenge of adhering to different privacy policies and new consumer protections depending on where their customers are located. For instance, the UK is still assessing its privacy policies following its exit from the EU, as reported in TechCrunch. This presents a significant challenge for multinational companies or businesses with customers in various regions or applicable oversight regimes.
In the past few years, we’ve seen a large uptick in well-publicized corporate scandals that impact consumers and public trust. Examples include:
- In 2020, Wirecard, a German software maker and the country’s most valuable firm, was exposed for accounting irregularities and admitted that €1.9 billion ($2.1 billion) on its books “probably does not exist,” which is about 25% of the company’s balance sheet (reported in The Economist).
- In 2022, Dewan Housing Finance Limited (DHFL), an Indian non-banking finance company, was found to have defrauded 17 banks of more than 340 billion Indian rupees ($4 billion), in what has been termed “the country’s biggest scam in banking industry.” Just months earlier, India’s ABG Shipyard fraud was exposed, relating to a series of transactions architected to defraud 28 banks of more than 228 billion Indian rupees ($3 billion).
- The U.S. Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law in 2020. More than $2 trillion in economic relief was released in the U.S., including forgivable loans to small businesses through the Paycheck Protection Program (PPP). Billions are estimated to be lost to fraudulent, wasteful, or abusive relief claims. At the same time, fraudulent Personal Protective Equipment (PPE) businesses popped up around the world.
- In 2022, major cryptocurrency exchange FTX lost an estimated $8 billion of customer funds. Prosecutors have accused the company’s chief executive Sam Bankman-Fried of misappropriating FTX customers’ funds to pay debts at his cryptocurrency trading firm Alameda Research and to make other investments.
If history is an indicator of what might be ahead, new rules are likely to be coming, as regulators in the US, UK, EU, and beyond are clearly taking more action to ensure companies have well-designed programs that prioritize the best interests of consumers. A lapse in adhering to consumer protection principles can have catastrophic implications for businesses, including costs running to millions of dollars, lower employee morale, and distraction of corporate leadership from the strategic mission.
Traditional 3 Lines of Defense
The Three Lines of Defense (3LOD) model provides layers of protection against organizational risk and is a widely used framework in managing risk and ensuring compliance within organizations. The model encompasses three distinct layers that work together to minimize risk and ensure compliance with regulatory and legal requirements. The three lines of defense are:
- 1st Line of Defense – Operational management maintains effective internal control and executes risk procedures on a real-time, day-to-day basis. This line focuses on real-time management controls as a means of checks and balances; management owns and manages the risk.
- 2nd Line of Defense – Senior management, risk, compliance, and quality functions help build and monitor the 1st Line defense controls. This is an oversight line, with a degree of real-time activity as it relates to the review of 1st Line activities to ensure risks and controls are effectively managed. (The term compliance in this context is used broadly here to describe the various types of operational compliance teams within an organization—e.g., human resources, vendor management, due diligence, or quality assurance. Generally, the principal function of corporate compliance is to monitor compliance with applicable laws, regulations, and company policies.)
- 3rd Line of Defense – Independent assurance is the principal function, whereby the effectiveness or adequacy of the 1st and 2nd Line activities is assessed. This is often performed by internal auditors tasked with examining the effectiveness of governance, risk management, or internal controls. External auditors and regulators sitting outside the company can provide additional insight into this line through their examination of the governance and control structure where relevant, such as during financial statement, PCI, SOC, privacy, ISO, or other reviews.
3LOD within companies has been generally viewed as a program designed around captive, internal resources and/or activities. Significant value can be gained through an integrated defense model with an outsourcing partner or partners, which is explored further in the Modernized 3LOD Approach section. The right partner or partners can strengthen a company’s readiness for an increasingly complicated business landscape.
Modernized 3LOD Approach: 3 Lines of “Offense”
Enter the modern 3LOD strategy in an outsourced world: proactively aligning your outsourcing partner with your existing program and leveraging the outsourcing partner’s knowledge, skills, experience, and resources as a compliance program asset. A compliance program is very much a proactive way to establish and reinforce the culture, ethical basis, and standards by which a company operates, across the governing body, executives, senior managers, employees, and those they partner with.
Adopting a 3 Lines of “Offense” strategy through a shared company:partner approach allows both the company and the partner to understand each other’s risk management processes and to ensure that the vendor’s risk management processes align with the company’s overall risk management program. This can help to minimize the risk of a partner’s activities affecting the company’s reputation, financial stability, or regulatory compliance.
In the context of outsourcing, a shared approach involves collaboration between the company and the outsourcing partner to establish and enforce policies, procedures, and controls that minimize risk and ensure compliance with program standards and relevant regulations such as GDPR, Dodd-Frank, Sarbanes-Oxley, and others. Similarly, it can help with adopting new and emerging requirements or policy, such as those within the UK’s new Consumer Duty.
By taking a shared company:partner approach to managing risk and the compliance program, companies can achieve better outcomes, improved quality, and overall compliance effectiveness. This approach helps companies to minimize risk and ensure they are meeting their obligations under relevant regulations, while leveraging the expertise and resources of their partners to enhance their operations.
Putting words into action
Using outsourcing partners or vendors can be an effective way for companies to add resources to their compliance program activities and enhance their 3LOD strategy. By integrating vendors or outsourcing partners into their risk management model, companies can leverage the resources, experience, and skill of others while still maintaining control over their compliance program. It is important for companies to consider this model as part of their overall compliance strategy as they navigate the ever-changing regulatory landscape and increasing consumer protections.
Now is the time to get ahead—and stay ahead—of global regulations by designing your 3LOD model with internal teams and business partners. While you cannot and should not trust it to just any partner, finding the right one will save you money and keep your focus on your unique Objectives and Key Results.
David Crawford is responsible for regulatory compliance across Ubiquity’s global footprint, internal audits, and reinforcing a workplace culture with an unwavering commitment to compliance. David has more than 20 years of compliance and risk management experience, previously at Hofstra University as senior director of business affairs and as a vice president at Affinity Health Plan.