How to fortify compliance and 3 Lines of Defense ahead of international policy updates

The rise of corporate compliance programs in recent years has been a response to major corporate scandals, lack of internal oversight, and regulatory reforms aimed at protecting consumers. The size and complexity of compliance programs vary depending on various factors such as industry sector, type of services offered, level of customer data involved, and geographical location. Establishing an effective compliance program requires skill, experience, top-level support, and adequate resources.

Here we’ll learn how companies can leverage resources beyond their employees by using outsourcing partners or vendors through a compliance-by-design relationship model. We will review history, briefly explain what the 3 Lines of Defense (3LOD) Model is, and outline how a company can integrate a vendor or outsourcing partner to enhance its risk management model.

Over the past two decades, there have been several significant regulations enacted as a result of corporate scandals, including the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, and the European Commission’s General Data Protection Regulations (GDPR) of 2018. Additionally, the California Consumer Privacy Act (CCPA) was published in 2018, with further expansions to privacy protections in 2023 through the California Privacy Rights Act (CPRA).

Other notable regulations include enhanced broker-dealer oversight following the Madoff Investment Securities Ponzi scheme, increased regulations for emissions testing after Volkswagen’s emissions cheating scandal, increased regulations for bank sales practices after Wells Fargo’s unauthorized account creation and sales practices violations, and further expansion of state-based privacy protection in 2023 and beyond.

Governments across the globe are continuing to draft new regulations aimed at protecting consumers, with a focus on enhancing privacy rights and protections. According to Gartner research, it is estimated that modern privacy regulations will cover the personal data of 75% of the world’s population by 2024. GDPR is widely seen as a blueprint for other governments, and organizations are adopting its principles as a global framework to reduce the complexity of managing individual country or region-based privacy programs.

Similarly, a new Consumer Duty is being established in the UK in 2023. This new regulation will become effective in the UK, which requires firms to act to deliver good outcomes for retail customers. This new duty encompasses products and services, price and value, consumer understanding, and consumer support. The duty “sets higher and clearer standards of consumer protection across financial services, and requires firms to put their customers’ needs first.”

Global businesses face the challenge of adhering to different privacy policies and new consumer protections depending on where their customers are located. For instance, the UK is still assessing its privacy policies following its exit from the EU, as reported in TechCrunch. This presents a significant challenge for multinational companies or businesses with customers in various regions or applicable oversight regimes.

In the past few years, we’ve seen a large uptick in well publicized corporate scandals that impact consumers and public trust. Examples include:

If history is an indicator of what might be ahead, new rules are likely to be coming as regulators in the US, UK, EU, and beyond are clearly taking more action to ensure companies have well-designed programs that prioritize the best interests of consumers. A lapse in adhering to consumer protection principles can have catastrophic implications for businesses, including costing millions of dollars, lower employee morale, and distracting corporate leadership from the strategic mission.

The Three Lines of Defense (3LOD) model provides layers of protection against organizational risk and is a widely used framework in managing risk and ensuring compliance within organizations. The model encompasses three distinct layers that work together to minimize risk and ensure compliance with regulatory and legal requirements. The three lines of defense are:

3LOD within companies has been generally viewed as a program designed around captive, internal resources and/or activities. Significant value can be gained through an integrated defense model with an outsourcing partner or partners, which is explored further in the Modernized 3LOD Approach section. The right partner or partners can strengthen a company’s readiness for an increasingly complicated business landscape.

Enter the modern 3LOD strategy in an outsourced world: Proactively aligning your outsourcing partner with your existing program and leveraging the outsourcing partner’s knowledge, skills, experience, and resources as a compliance program asset. A compliance program is very much a proactive way to establish and reinforce the culture, ethical basis, and standards for a company operates and across the governing body, executives, senior managers, employees, and those they partner with.

Adopting a 3 Lines of “Offense” strategy through a shared company:partner approach allows both the company and the partner to understand each other’s risk management processes and to ensure that the vendor’s risk management processes align with the company’s overall risk management program. This can help to minimize the risk of a partner’s activities affecting the company’s reputation, financial stability, or regulatory compliance.

In the context of outsourcing, a shared approach involves collaboration between the company and the outsourcing partner to establish and enforce policies, procedures, and controls to minimize risk and ensure compliance with program standards and relevant regulations such as GDPR, Dodd-Frank, Sarbanes-Oxley, and others. Similarly, it can help with adopting new and emerging requirements or policy, such as those within UK’s new Consumer Duty.

By taking a shared company:partner approach to managing risk and the compliance program, companies can achieve better outcomes, improved quality, and overall compliance effectiveness. This approach helps companies to minimize risk and ensure they are meeting their obligations under relevant regulations, while leveraging the expertise and resources of their partners to enhance their operations.

Using outsourcing partners or vendors can be an effective way for companies to add resources to their compliance program activities and enhance their 3LOD strategy. By integrating vendors or outsourcing partners into their risk management model, companies can leverage the resources, experience, and skill of others while still maintaining control over their compliance program. It is important for companies to consider this model as part of their overall compliance strategy as they navigate the ever-changing regulatory landscape and increasing consumer protections.

Now is the time to get ahead—and stay ahead—of global regulations by designing your 3LOD model with internal teams and business partners. While you cannot and should not trust it to just any partner, finding the right one will save you money and keep your focus on your unique Objectives and Key Results.

David Crawford is responsible for regulatory compliance across Ubiquity’s global footprint, internal audits, and reinforcing a workplace culture with an unwavering commitment to compliance. David has more than 20 years of compliance and risk management experience, previously at Hofstra University as senior director of business affairs and as a vice president at Affinity Health Plan.