The front office control function is a growth industry right now. Look out for further migration of jobs and an even greater remit in the future.
While those in sales and trading roles can be seen looking nervously over their shoulders and wonder if they’re about to be replaced by a robot, those in any way connected to the front office control function can sleep more easily.
However, while the job is clearly not going away, it is also likely to change and mutate over the coming years. Jobs might change, headcounts might shift, and lines of reporting might mutate.
Regulation demands it
Chief financial officers might be disappointed, but not perhaps surprised, to learn that no-one thinks the mandate is going to shrink. A huge 80% of correspondents said that the function has grown over the last year and 90% said that it will continue to grow over the next 12 months – with all the concomitant implications for staffing levels this entails.
To break this number down a little further, around 76% said that there will be a ‘small expansion’ over the next year and 14% said that there will be a ‘significant expansion’.
Over one-third of those who replied to the 1LoD survey said regulatory pressure continues to be the main influence on the development of the front office control function. Many senior risk officers underscore this point. As one senior risk officer says: “Regulation is the main driver to what we do. Everything that is done seems to be in reaction to either breaches of regulation or in response to new regulations in the pipeline, like MiFID.”
More people, greater remit
But another third say that the function will expand as jobs migrate from the 2nd line to the 1st line. This is a major theme of the industry at the moment. Surveillance, for example, is often still performed in the 2nd line but it is becoming increasingly common – and makes increasingly good sense – for the 1st line to do surveillance as well. Many of the tasks surrounding Know Your Client (KYC) and financial crime agendas are also now more likely to be executed in the 1st line.
Some of the client onboarding functions are now also done by the business as well. The emphasis now is that if the business owns the risk, the front office needs to own all the controls and functions to monitor that risk as well.
Nick Lovett, global markets controls officer and GM EMEA chief operating officer at Credit Suisse in London, tells 1LoD:“The business should be accountable for risks and a key area of risk is from the clients we face. So, in many firms, the functions focusing on client risk, such as KYC and client screening, have moved or are moving from the 2nd line to the 1st line. The 2nd line is then able to set the standard and framework for bringing client risk into the firm and monitor the actions and progress of the 1st line.”
Regulatory reporting and controls assurance testing are also now quite likely to be found in the 1st line of defence. In the past, assurance testing was either not done at all, or was likely to be done by compliance or audit. But now, in keeping with the new philosophy of the front office being responsible for the risk and also the controls, it is likely to be done in the 1st line.
Some shedding will occur
Not everyone thinks that the 1st line of defence will continue to own all the functions it does currently. Its mandate is likely to develop and expand, but it may also shed some roles it performs at the moment.
“Like any new function implemented at speed with high demands, it has ended up acquiring a lot of activities that it wouldn’t own if you did it again, more slowly,” says Jamie Hamilton, global business controls officer at JP Morgan in New York. “It owns a number of responsibilities around the conduct agenda, for example, that can only be addressed through procedure, governance and tactical tools. That will change.”
Who does what?
Of course, every bank is different. This is evident from the results of the 1LoD survey whereby correspondents were asked where various functions reside. For example, 28% said supervisory training is performed jointly by both the 1st line and 2nd line, while 38% said it is done in the 1st line and 34% said the 2nd line.
Controls assurance testing is done by both lines of defence, say 45%, with 40% saying it is done only by the 2nd line. Clearly the migration of testing from the 2nd line to the 1st has yet to affect all banks.
Some 45% say both lines own incident management, 35% say it is done in the 1st line, while 20% said it is still held by the 2nd line of defence. Surveillance, one of the most vexed topics of all, is executed by both lines, according to a whopping 76%, leading some observers to wonder, perhaps, if there is not some duplication of resources here.
No-one said that surveillance is done exclusively by the 1st line; 24% say it is done by the 2nd line alone.
Finally, control remediation is executed by only a minority of firms in the 2nd line – just 5% said that the function resides here. Almost 50% say it is done by both lines of defence, and over 45% say it is owned by only the 1st line.
Just one hymn sheet, please
The landscape with regard to where and how key control functions are exercised is clearly characterised by heterogeneity rather than homogeneity. No single universally acknowledged model has yet to establish itself. As another head of front office controls says: “If you spoke to 100 different firms, you’d get 100 different answers about where and how control functions are organised. There is continuous refinement of the operating model.” Our survey results certainly back that up.
What is agreed is that it is crucial to have a common taxonomy and language across all three lines of defence. All functions must identify and characterise risk in the same way and use the same terms of reference, or the results will be calamitous. One auditor tells 1LoD that some banks have yet to adopt the fundamental principles of governance, risk management and compliance (GRMC) management, and until they do the three lines will fail to sing from the same hymn sheet.
What of the audit function?
With the increasing accretion of responsibilities to the 1st line seemingly unlikely to end any time soon, one might wonder if the audit function fears for its existence. But Imtiaz Hussain, senior audit director of Bank of New York Mellon, is sanguine. The regulators have specific expectations from audit, he says, and it has to meet these expectations without placing any reliance upon the 1st and 2nd lines of defence.
“We have to audit conduct and culture, and we can’t delegate that,” Hussain says. “We collaborate but we don’t lose our own independence. The audit job hasn’t changed all that much; however, for internal audit to stay relevant it has to collaborate with 1st and 2nd line, be innovative, and continue to demonstrate courage.”