When the concept of the three lines of defense was originally developed in the UK, it was completely unknown in the US legal and regulatory framework for the banking sector until the OCC proposed under the Obama administration to include it in its risk management guidelines. These guidelines are the only place where the concept is used within the U.S. legal and regulatory framework. The Federal Reserve refused to apply the concept in its later proposed governance guidelines for board effectiveness and risk management.  To the shock of many members of the bar, the OCC`s proposed guidelines placed the legal department on the front line of defense in 2014 and treated it as the equivalent of a revenue-generating business unit.  The opinion appeared that the legal department had created a risk. Not surprisingly, the American Bankers Association, along with many other lawyers, commented on the proposed guidelines, and this characterization was removed.  The OCC`s final guidelines recognized that, with rare exceptions, the legal service is not part of the first line of defence. There is also a misconception among some about the costs that should really be attributed to legal services.
If a reserve is to be created or if a high fine or settlement has to be paid due to measures in an area of activity, this is not a cost factor of the legal service. These are costs caused by the commercial division. Many internal budgets make this distinction, but its nuance is lost in the media and in the minds of many people unfamiliar with legal risk management. Another element that is lost is the use of advisors through risk and compliance as a substitute for legal advice. Often, in fact, these services are the unauthorized exercise of the law without the safeguards imposed by legal ethics or knowledge of how to interpret the hierarchy of the legal framework. As I have written elsewhere, I am not a purist in the unauthorized exercise of law.  However, legal advice substituted by consultants, which is not tracked as part of legal fees, as hiring is done through risk and compliance, or more importantly, overseen by in-house counsel, distorts both legal fees and the monitoring of the quality of legal advice implemented throughout the organization through policy or otherwise. Often, this substituted legal advice is marketed as “regulatory advice”.â Regulations and guidelines cannot be distinguished from the law; They are part of the law. As I have acknowledged elsewhere, there is a clear benefit to having readers of regulation, but the almost total absence of regulatory oversight by lawyers carries the risk of compliance violations within banking organizations.
These compliance violations exist both due to the misinterpretation of the legal framework and the fact that banking organizations and bank branches allow the unauthorized exercise of the law by superiors and non-lawyer consultants. There is also a need to renew the commitment to closer coordination between the legal, risk management and compliance functions, with the clear idea that, although there may be many readers of the regulation, only the Legal Service and the Advocate General can make final legal judgments.  This closer coordination should also include stricter legal oversight and oversight of external advisors and technology providers engaged by Risk and Compliance to provide advice mistakenly referred to as “regulatory advice,” but which in fact includes legal interpretation and judgment that is not overseen by lawyers. A new balance should be struck that recognizes the existence of multiple readers of the regulation, but also makes it clear that there are no equal and multiple legal interpreters within the organization. The right answer to complex legal risks and legally infused reputational risks isn`t that every person who reads and Google can assess legal risks. Another way to find a solution is to strengthen coordination between law, risk and compliance, both by aligning interpretive views and by hiring external suppliers and consultants who are readers of the regulations. The important principle that, while there may be many readers in regulation, only the legal department and the GOC can make final legal judgments should be affirmed. This closer coordination should also include more input from the legal department and sometimes also the follow-up of “regulatory advice” imbued with legal interpretations and provided by external consultants and risk and compliance providers, as well as better coordination of budgets so that external consultants and service providers do not duplicate the work of in-house and external legal lawyers. Learn how to deal with a problem with a bank or loan company, such as a mortgage provider. Another side effect is the lack of training of management staff on the legal framework. Training on the legal framework was not available or was transferred to the regions.
 As explained below, interprofessional training in silos is essential to finding solutions. I`ve written before about how the hierarchy of the legal framework can be misunderstood by the many regulatory readers and even by some digitally native lawyers.  There should be a duty to provide adequate training to all non-legal staff, suppliers and advisors who are readers of the regulations.  Basic training should be provided to help regulatory readers understand the hierarchy of powers in the legal framework, the basic principles of legal interpretation, the sources of free internet law, including the material available on the Agency`s websites, and when to consult an experienced lawyer. It doesn`t take three years of law school to get the basics.  The medical profession has long accepted the need for nurses and other nursing assistants. The main difference is that when the nurse gives us an injection, we know that he has been trained for it. However, in the clash of silos between risk, compliance, oversight, consultants and lawyers, this lesson has been lost. Legal interpretation is not like normal reading, and knowing how to read is not enough to interpret the law. A clear understanding of the hierarchy of the legal framework and the foundations of the canon of legal interpretation is needed.
There is no reason not to share this knowledge widely. The rise of risk management and compliance has even led to academic majors in the field. Strikingly, the descriptions of academic majors in compliance mention accounting, economics and statistics, but nothing about the law. Popular professional association certifications for risk and compliance professionals include little or no training on the law.  The introduction of the three lines of defence within banking organisations, as well as the increased intensity of supervision and the influx of heavy fines and enforcement orders, some of which are criminal, against banking organisations have rightly led to a sharp increase in the number of risk management and compliance professionals in banking organisations.  In comparison, the number of in-house counsel has increased to a limited extent. It is difficult to obtain high-quality public figures for bank branch staff, but it is obvious that the supervisory staff of bank branches has increased further, while the legal services of bank branches have increased only slightly. At the same time, banking supervisors have pushed for compliance to be transferred from the legal department of banking organizations to the newly expanded risk management services. This pressure occurred behind closed doors, with little or no active oversight by agency leaders, and no meaningful transparency or public accountability, which is essential to the proper functioning of a democratic system of government.  Today, almost all large banking organizations have jeopardized compliance, while most small banking organizations maintain it in the legal conditions. The second part of this article argues that this situation has become dangerous for banking organisations and the rule of law.
The pressure on the budget and resources of the in-house legal service, the tolerance of several legal interpretation and evaluation poles within banking organisations, a narrow view of the role of lawyers and a poor understanding of professional secrecy in the admission of open internal discussions are all elements that should be reconsidered.  For example, the requirements of the American Bankers Association Certified AML and Fraud Professional do not cover a basic understanding of the legal framework or legal interpretation. Materials for certification as a data protection specialist are a waste of the legal framework.