Strengthening bank corporate credit risk management & TPRM - Closing gaps in the Three Lines of Defense
- Betsy Jacob
- Mar 27
Financial institutions have been using the Three Lines of Defense (3LoD) risk management framework since the early 2000s. It is a widely adopted system designed to enhance an organization’s risk coverage. However, as recent bank collapses have proved, this traditional strategy is no Iron Dome. In reality, it sometimes functions more like a glass covering – prone to cracking under the pressures of today’s dynamic and often volatile risk environment. As new risks continue to emerge and growing business interconnectedness amplifies the impact of traditional ones, such systems need to be strengthened. While some are doing this by adding additional lines of defense, others are working on enhancing collaboration between the three lines. Whatever the recourse, it is clear that gaps exist and that technology can play an important role in closing them.

The Three Lines of Defense and their weaknesses
First line of defense – Frontline due diligence
The first line of defense is formed mainly by customer-facing personnel. To name a few, these are the sales executives who specialize in selling loan products, the relationship managers who act as trusted client advisors, and the credit underwriters who ensure prudent lending decision-making. Just like pawns in a game of chess, these business units serve on the front line and play a critical role in shielding the bank from risks while also advancing its customer base and profitability.
However, much of the decision making at this stage can be subjective, hinging on an employee’s impression of the risks posed by a borrowing business. Such perceptions can be influenced by several factors, such as the business owner’s net worth, their history with the bank, current market valuation of the business, or even the employee’s need to meet quarterly revenue goals. In such cases, even if the bank has robust loan-approval benchmarks in place, a bad judgment call can lead to a policy exception that exposes it to unnecessary risks. An infamous example of this is the case of Credit Suisse, which approved loans to companies such as Greensill and Archegos despite several warning signs. Both companies eventually collapsed, ultimately leading to the bank’s downfall.
Combined with departmental inconsistencies in risk control and an overdependence on manual processes, such subjective measures produce a fragmented frontline risk management process, replete with dangerous gaps.
Second line of defense – Ongoing risk management and compliance
Extending the chess analogy a step further, if the first line of defense is like the pawns, the second line functions more like a queen with its ability to move in any direction, strategically attacking or defending as needed. It consists of risk management and compliance teams whose function is to proactively identify risks, set and enforce policies, monitor compliance across different business units, and step in when needed. This is, however, easier said than done. Such teams often rely on time-bound historical financial data rather than real-time information, leading to periodic monitoring and delayed risk detection.
So, instead of being proactive, teams usually react to issues as they arise. This ad hoc approach limits their ability to act decisively and safeguard the bank against regulatory and financial threats. In addition, teams need to assess and mitigate risks from multiple angles, including credit, third-party, and regulatory standpoints. The vast scope of this effort makes comprehensive monitoring impossible, leading to a primary focus only on high-risk companies, which in turn increases a bank’s exposure to unforeseen or rapidly evolving risks.
Third line of defense – Backend auditing
The purpose of the last line of defense is to see if the first two are working as they should. Accordingly, banks have independent audit teams that periodically test the effectiveness of the company’s risk management, compliance, and other internal controls. Essentially, they ensure that the bank's defenses are strong and risks are managed effectively. However, much like credit risk assessments, such audits are conducted only periodically, making it difficult to detect emerging fault lines. Recent examples of this are Silicon Valley Bank and Signature Bank – both institutions collapsed mere weeks after receiving a clean bill of health from their independent auditors.
In addition, traditional audit approaches tend to rely heavily on manual sampling – reviewing only a small subset of transactions or processes due to the time and resource-intensive nature of the task. This means risks hidden in the untested portions go undetected. Such a methodology can also be subject to human predispositions as auditors may unintentionally focus on familiar patterns while missing newer or more complex irregularities.
Closing the gaps with AI and data analytics – A technology-driven defense framework
There’s a common weakness across all three lines of defense – an inability of the teams involved to cover all the bases. There’s just too much to do manually with limited time and resources. Technology can step in to close these gaps. Here’s how:
Process automation – Automating repetitive tasks frees up personnel to focus on their other duties. More importantly, it allows teams to shift from manual sampling or priority-based monitoring to analyzing everyone and everything. It also enables continuous monitoring, allowing banks to transition from periodic review schedules to real-time, daily risk detection.
Machine Learning – With their ability to swiftly process large datasets, analyze patterns, and flag anomalies, AI algorithms can help frontline and risk management teams detect risks that human oversight might miss. They can generate data-driven risk scores that enable swift risk identification and ensure consistency in decision-making. In addition, AI processes such as entity extraction and document indexing can streamline the analysis of documents such as company reports and enhance due diligence by identifying key risk indicators from structured and unstructured data sources.
Real-time data processing – Large Language Models (LLMs) can process real-time data from multiple sources, analyzing it to detect unusual patterns and trigger red-flag alerts. This allows financial institutions to detect and mitigate risks early. Including real-time data is also known to improve the accuracy of risk forecasting models.
Sentiment analysis – By analyzing news articles, social media, earnings calls, and financial reports, AI-powered sentiment analysis can identify negative trends, such as declining investor confidence, reputational risks, or public dissatisfaction with a business. Such leading risk indicators can provide alternate insights into a company, giving risk teams a holistic view of a company’s health.
How TRaiCE fits into the 3LoD framework
Our AI-led risk management platform is designed to augment and bridge all the gaps left by traditional risk monitoring practices. One of our USPs is how seamlessly and smoothly our systems can integrate into existing bank workflows to make them more efficient – proving especially useful in strengthening the first and second lines of defense. Our ability to incorporate structured and unstructured data into the risk monitoring process means that teams can assess more risk variables, uncover more hidden risks, and make more comprehensive checks on their borrowers.
This enhanced due diligence has helped several of our clients, including a California bank that wanted to increase its loan volumes and used us to risk-rank its lead prospecting lists (Find out what TRaiCE found here). Our automated system tracks businesses and their subsidiaries daily, providing immediate alerts when red flags are detected. This has helped risk managers spot potential risks early. Our clients have also used us to conduct risk analyses on their network of third parties, using our outputs for more informed decision-making.
Additionally, our processes are fully explainable and auditable, providing banks with a transparent, streamlined, and continuous monitoring system that demonstrates a culture of compliance to regulators.
Need help with strengthening your organization’s defense frameworks? Contact us at info@traice.io or schedule a demo with us today! Our team would be happy to talk to you about implementing a pilot project at your organization or to give you a free walkthrough of our platform.