The Evolving First Line of Defense

April 17, 2018
Michael Held, Executive Vice President and General Counsel
Keynote Address at the 1LoD Summit, New York City
As prepared for delivery

Good morning.  It’s an honor to join you at the 1LoD Summit.  The views I express today are my own, not necessarily those of the Federal Reserve Bank of New York or the Federal Reserve System.1

I’ve heard it said that being in the risk control business can be, and often is, a thankless task.  We get all the blame when something goes wrong, and none of the glory when things go right.  So, I want to start my remarks with a word of gratitude to you, my fellow travelers in the world of risk controls.  Thank you—not just for the invitation to speak today, but also for the work you perform each day at your firms. 

The growing sophistication and stature of the first line of defense is, in my view, an unqualified improvement in corporate governance—especially at financial firms.  Let’s begin with what you are defending. 

The credibility and reputation of your colleagues, your employer, and your industry. 

The trust of your customers and clients.  

And, perhaps most important, the public interest.  

From my perspective, you are not just a first line of defense for your organization.  You are the first line of defense against significant risks to the financial system.  This may sound inflated to some.  And it is not unusual to begin a speech with a bit of flattery.  But I mean this sincerely.  The first line of defense helps keep problems small.  It enhances a firm’s commitment to both its private and public purposes.  It contributes materially to the trustworthiness of firms and the financial system, and therefore promotes financial stability. 

Today’s agenda promises to inform and to challenge, and to help the first line develop professionally as a distinct area of corporate controls.  For my part, allow me to share some observations based on my work at the New York Fed. 

First, I want to discuss the risk of developing harmful silos in a three lines of defense model.2 

Second, I want to encourage you to be creative and inclusive in your approach to the first line of defense.  You are probably already consulting with technology specialists.  But I am also thinking of fields such as behavioral science.  The observations of neuroscientists and psychologists have disrupted the field of economics, and may help firms better manage risk.

Third, I will offer some thoughts on the development of professional attributes in the first line of defense, especially community and courage.

Three Lines of Defense, Not Three Silos of Defense

Since the financial crisis, we have seen a proliferation of the three lines of defense model across the financial industry.  The official sector has helped promote this framework.3 

The three lines of defense model is a useful framework, but it is a means to an end.  It is not an end in itself.  The goal is a well-controlled firm with respect to its risks.  There is a potential danger associated with applying the three lines of defense framework so rigidly that it detracts from that goal.  Independence and expertise are desirable.  Silos are not.  Excessive formalism can limit the overall control framework of an organization. 

I offer these observations with humility gained through experience.  I have witnessed many discussions about where lawyers fit into the three lines of defense.  First line?  Second line?  Not in any line?  In hindsight, such debates are a distraction.  It is much more important to think instead about the tasks the lawyer is performing.  How do those tasks fit in to the overall goal of helping the organization control its risks? 

Ultimately, substance matters much more than form.  Of course, clarity of roles and responsibilities is important.  It is also important that a front line business feel accountable for managing the broad set of risks confronting it.  Indeed, one of the benefits of the three lines of defense model is that the business lines think more expansively about the risks they face, beyond just traditional notions of credit and counterparty risk.  But an effective risk manager worries less about whether her firm’s risk management framework exactly matches the theory of the three lines of defense, and more about whether the risks facing the firm are well controlled. 

Get Creative

It’s easy to say, in essence, “Don’t miss the forest for the trees.”  Let’s acknowledge that the challenges you encounter in the first line of defense are a veritable thicket.  To manage effectively the risks that your firms face requires intellectual agility and creativity.  For now, I want to touch on a few considerations: diversity, choice architecture (especially incentives), and moral reasoning.  These inputs can help you apply the three lines of defense model more effectively, especially in the face of rapid technological innovation.


If you want to think nimbly, embrace diversity: the way we think, our backgrounds and areas of expertise, our experiences—including, but certainly not limited to, the ways that people treat us because of where we were born, our race, gender, pedigree, sexual orientation—and even our values.  Diversity can help address the problem of silos that I described earlier.  The problem with silos is not specialization, but blind spots.  At the New York Fed, I don’t want economists making legal judgments, or lawyers performing economic analyses.  But I very much want lawyers and economists to provide insights to each other based on their specialties. 

More generally, inviting outside views helps avoid common, human biases.4  “Groupthink” is one well-documented bias.  Another is the “endowment effect”—placing greater value on what one already has versus what one does not.  What links these phenomena is an excessive preference for the status quo.  It is remarkable how often problems in financial firms can be overlooked because of a sense that they are part of a normal, business-as-usual state of affairs.  A diversity of inputs can help us see the flaws in what we accept as normal.

Diversity is a frequent topic of conversation, but it is not easy.  My view is that, like other ethics, diversity is a habit that takes practice.  As first line of defense professionals, try to develop the habit of seeking out other points of view.  Diverse points of view may come from junior employees in your line of business.  They may also come from HR professionals, sociologists and psychologists, communications experts, even lawyers.  For financial firms, prudential supervisors can also contribute to a diversity of viewpoints.  Their horizontal view of practices across firms not only helps promote a more stable financial system, but also helps firms identify problem areas. 

A diverse set of views, professional training, and life experience may help you see shortcomings in your risk management framework—even in the three lines of defense model.  Just because three lines of defense is a sensible way to manage risk does not mean it is perfect—no model is.  A diverse set of inputs will help you figure out how to apply more effectively the three lines of defense in your organization.

Choice Architecture

I recommend as well that you pay attention to choice architecture in deciding how best to construct a first line of defense.  By “choice architecture,” I mean the broad array of options that promote decisions aligned with the values and goals of your respective firms.5  How choices are presented can have a dramatic impact on outcomes.  Taking account of ordinary, human biases—including the ones I just mentioned—and organizational culture can help you present options in a manner that yields better results.

In the world of risk controls, individuals face choices every day—choices whether to walk right up to the line of appropriate behavior and risk crossing it; choices to get more or less compensation in exchange for riskier behavior; and choices to raise their hands (or not) when they suspect that something has gone awry.  In my view, effective controls require an appropriate balance of narrowly focused, prescriptive rules, and broader principles and standards.  The precise balance will vary, depending on the task and the firm.  But regardless of the setting, a thoughtful set of risk controls can improve the choices that employees make. 

One other word of advice on choices.  People need time—time to stop, breathe, and ask for help if they need it.  Making decisions sooner than necessary can lead to mistakes.  As human beings, we do not always see consequences in the first instance.  We need time to process.  Of course, time can sometimes seem like a luxury.  Time is, after all, money—or so we have been told.  But the consequences of making the wrong choice because you are in a hurry can be far more expensive.  I was speaking recently with a colleague with years of experience as a criminal prosecutor.  She observed that the first step on the path to criminal ruin often begins with one seemingly small, often rushed choice.  My own experience from years of seeing mistakes in the financial services industry leads me to agree.  People—especially junior employees—too often decide sooner than they must, without taking the time to raise their hand and ask for help.  So do not confuse thinking quickly and creatively with choosing rapidly in every instance.  When considering what structures in your organization can help people make good decisions, consider ways to build in adequate time to decide.


In any discussion of choices, it is critical to consider incentives.  Compensation is a powerful form of incentive.  We need to think creatively about how to structure compensation in ways that promote conduct aligned with the values and long-term financial interests of the firm.  Bill Dudley, the President of the New York Fed, has proposed one possible improvement.  Pay material risk takers and senior managers in the form of deferred debt, which vests in line with the medium- and long-term risks for which they are accountable.6  The idea is to create a performance bond for bankers akin to the security deposit that a tenant provides to a landlord. 

But, believe it or not, money is not the only way to motivate people.  One lesson of the LIBOR scandal is that employees are motivated by more than pecuniary gain.  In that case, loyalty to a network of professional contacts was a powerful incentive to commit fraud.  I am lucky to have had a very different experience at the New York Fed.  I oversee a staff of legal, compliance, and law enforcement professionals who appreciate their paychecks but, in all candor, are not in it for the money—or, at least, not entirely in it for the money.  What matters to them is the Federal Reserve’s public mission.  A good way to encourage their best conduct is to acknowledge their contributions to that mission. 

But don’t take my word for it.  A growing number of organizational experts and management consultants have concluded that job satisfaction and other intrinsic benefits matter as much if not more than extrinsic rewards, including pay.7  This is not to say that incentive compensation is weak tea.  It is certainly a powerful motivator.  My point is that, in your efforts to construct the most effective controls for your organization’s risks, consider both monetary and non-monetary incentives. 

Moral Reasoning

It is also important to promote moral reasoning.  I know there’s a joke in there somewhere.  After all, what is a lawyer doing talking about morality?  And there is some tension in advocating moral judgment in a discussion about controls.  Controls seek consistency and objectivity.  Morality, by contrast, can be very personal or subjective.  Controls often remove discretion.  Moral reasoning is all about choice.

But let’s be realistic.  We cannot rely exclusively on controls or process to achieve desired outcomes.  Not every situation can be anticipated.  Not every decision can be automated.  Controls can be out-maneuvered—sometimes unwittingly, but other times on purpose.  For all these reasons, good processes are necessary but not sufficient.  There will be situations in which your employees have to make choices.  Ignoring the moral dimension of choices carries significant risk.8  If you want your organization to be well controlled with regard to its risk, you have to consider the quality of choices, not just the reliability of processes.9  An organization should therefore develop the capacity of its employees to make good choices, not just permissible choices. 

So, how do you practice moral reasoning?  Bill Dudley has offered what I thought was a good starting point.  Get rid of the notion that a separate morality applies at work than at home.10  Bankers—and, for that matter, lawyers—cannot check their morals at the door when they step onto a trading floor or into a courtroom. 

Here are some other ideas, courtesy of a 2016 report by the Financial Conduct Authority entitled “Behaviour and Compliance in Organizations.”11  The report argues, among other things, that ethical considerations need to remain salient in order to promote good choices.  Salience can be achieved by prompting about moral codes—through language that emphasizes words like “moral,” “ethical,” and “good.”  Discussions by leaders and key culture carriers—that is, esteemed colleagues regardless of rank in a hierarchy—can also help if they address ethical dilemmas that arise in the course of business decisions.  Finally, salience occurs through proximity of decision-makers to those affected by decisions.12 So, look for ways to make the human consequences of choices more apparent.

In my view, a habit or culture of considering what is right, and not merely what is permissible, will help any organization attract, retain, and develop high-quality employees.  It will promote individual wellbeing and will contribute, over time, to an industry that makes fewer errors of judgment.

Do Not Rest

Above all, remember that this is a marathon, not a sprint.  So your organization now has three lines of defense—great!  But your work is not over.  You still have to question whether your organization can be better controlled vis-à-vis its risks.  The challenges and opportunities facing your firm do not stop changing.  You need to adjust accordingly. 

I encourage you to ask questions about the three lines of defense model and how it is applied in your organizations.  Here is one of the questions on my mind:  How do the three lines of defense take account of advances in technology?  Technological solutions in financial services are becoming cheaper, faster, more easily available—almost off-the-shelf—and help make your business more efficient and profitable.  But do you know how these solutions work?  Chances are, not really.  I certainly do not, but then I’m just a lawyer.  There may be a tendency to believe that brilliant people built and tested the product.  Surely they know better than you or I about how it works.  We should therefore just trust the experts. 

I have seen this movie before.  Similar assumptions existed a decade ago about CDOs and other complex securitizations and hedges.  It has been said that the financial crisis occurred because of a failure of imagination—of not anticipating risk.13  There was also a more basic failure.  Not enough people understood how complex financial products actually worked. 

It is critical that all three lines of defense—and, especially, the first line of defense—understand technology.  I urge you to question your current technology, and to think ahead to further changes.  For example, how will artificial intelligence challenge traditional methods of testing and assurance, which address static coding rather than dynamic learning?  How will machine choices about access to financial services, or the cost of those services, avoid perpetuating or exacerbating historical disparities of race, gender, age, or zip code?  These questions do not have easy answers, and they will likely lead to more questions.  So don’t rest.  Keep learning so that you can better anticipate risks.

Professionalism and the First Line of Defense

Finally, I encourage you to continue to develop a sense of your field as a profession.  Now, I do not mean to imply that anyone in this room is unprofessional.  But, like many others, I see a role for professionalism in finance.  The Banking Standards Board in the United Kingdom is a thought leader in this field.  According to its most recent annual review, which I recommend to you all, “[P]rofessionalism comprises the attitudes, judgement and high standards of behaviour, knowledge and skill expected of individuals working in banking. . . . [G]reater professionalism in banking would help create a sector that, now and in the future, better met the needs and expectations of its customers, clients, members, employees, the economy and wider society.”14

In my view, various aspects of professions have a lot to offer.  The eligibility requirements for many professions improve the likelihood that a practitioner will meet standards of competence and behavior in her professional conduct.  These requirements cover character, prior record, and reputation—not only skill or education.

Members of professions also benefit from codes of conduct that transcend specialized practices.  These principles offer an ethical framework within which to tackle problems that are not easily resolved by narrow rules or processes.  They make it easier to make and stick with good decisions. 

Gatherings in which members of a profession can come together and exchange ideas and opinions are crucial.  They help members of a professional community keep up to date on important industry-wide developments and raise issues that present the need for collaboration.  They also help to instill a shared sense of purpose and responsibility for carrying out the goals of the profession.

A profession can also provide personal accountability.  Lawyers, for instance, can be disbarred, and complaints against them can become matters of public record.  That is added incentive to maintain the skills, character, and other qualifications required to become (and remain) a member of the bar.

And, critically, professions do not stop improving.  Lawyers continue—I hope—to seek a more just society.  Doctors, a healthier one. 

I do not mean to call for the equivalent of the legal bar for bankers—although it might not be a bad idea.  But there are elements of professions that could be useful.  For example, forums like this one facilitate information sharing and promote a sense of community.  A code of professional conduct is another example.  Again, I refer you to the work of the Banking Standards Board, which has developed a “Statement of Principles for Strengthening Professionalism.”  Like Bill Dudley, I have argued that banking would benefit from a misconduct database.15  Records of employee misconduct would be available to future employers to combat the so-called “rolling bad apple” phenomenon.  Hopefully this would encourage more careful choices by bankers in the same way that the risk of disbarment prompts lawyers to think about the long-term consequences of their decisions. 

None of these ideas is a magic bullet.  But they may be helpful as you consider how the first line of defense and the financial services industry develop as a profession.

Conclusion: Professional Courage

Let me end with one final thought on professionalism.  Looking back at the financial crisis and more recent scandals, there must have been people who recognized early that what was happening was wrong, but remained silent.16  As the first line of defense develops and convenes in gatherings like this, it is important to remember one other professional value: courage. 

Professional courage is key to the appropriate functioning of lawyers inside corporations.17  In what has been called the “partner/guardian” dilemma—a bit of a misnomer since the “dilemma” is really a good thing—lawyers are supposed to assist the firm in its mission and protect its long-term reputation, its good name as a store of value.18  That takes courage, especially when an action is technically legal but otherwise wrong or just plain stupid.

Your roles in the first line of defense also require professional courage.  You are partners in your business.  You are also guardians of your firm, the investment of its shareholder owners, the trust of its customers, and the expectations of public authorities.  That is not an easy task.  You have my sympathy.  And you have my thanks—not just for being an attentive audience, but also for all of your good work.

1 Pinchas Becker, Thomas Noone, and Angela Sun assisted in preparing these remarks.

2 See generally Gillian Tett, The Silo Effect (2015).

3 See, e.g., Office of the Comptroller of the Currency, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (2014); Basel Committee on Banking Supervision, Review of the Principles for the Sound Management of Operational Risk (2014).

4 See Financial Conduct Authority, Behaviour and Compliance in Organizations, Occasional Paper 24 (Dec. 2016).

5 Id.

6 See William C. Dudley, Enhancing Financial Stability by Improving Culture in the Financial Services Industry, Remarks at the Workshop on Reforming Culture and Behavior in the Financial Services Industry (Oct. 20, 2014).

7 See Salz Review: An Independent Review Of Barclays’ Business Practices 191-92 (2013) (collecting sources).

8 See Wieke W. Scholten, Banking on Team Ethics: A team climate perspective on root causes of misconduct in financial services 110-13 (2018) (summarizing psychological research on moral climates that may facilitate misconduct).

9 See Nicholas Morris and David Vines, Capital Failure 15-16 (2014) (“Trustworthiness requires conscious choices to be made rather than merely being the outcome of a reliable process.”).

10 William C. Dudley, Remarks at the Culture Imperative – An Interbank Symposium, Jan. 11, 2017, (“My second message is to reject the idea that a separate regime of ethics or morality applies in banking. I’m sure you have heard this, or perhaps even thought this, at some point in your career. Let it end there. We often teach our children by asking them if they would engage in that type of behavior at home. This is good professional advice as well.”).

11 See supra n.4.

12 See Dan Awrey, William Blair, and David Kershaw, “Between Law and Markets: Is There a Role for Culture and Ethics in Financial Regulation?” 38 Del. J. Corp. L. 191, 208 (2013) (“Proximity is a measure of the physical, psychological, social, or cultural distance between a decision-maker and those whom their decisions affect.”).

13 Tim Besley and Peter Hennessy, Letter to Queen Elizabeth II (July 22, 2009), (“So in summary, Your Majesty, the failure to foresee the timing, extent and severity of the crisis and to head it off, while it had many causes, was principally a failure of the collective imagination of many bright people, both in this country and internationally, to understand the risks to the system as a whole.”).

14 Banking Standards Board, Annual Review 2017/2018.

15 See Dudley, supra n.6; Michael Held, Reforming Culture and Conduct in the Financial Services Industry: How Can Lawyers Help? Remarks at Yale Law School’s Chirelstein Colloquium (Mar. 8, 2017).

16 See Preet Bharara, Criminal Accountability and Culture, Remarks at the Federal Reserve Bank of New York's Conference: Reforming Culture and Behavior in the Financial Services Industry: Expanding the Dialogue (Oct. 20, 2016), (“[T]here would be less corporate crime and less painful consequences arising from the crime that does occur if more people said something early on rather than remain silent or look the other way.”).

17 See Association of the Bar of the City of New York, Report of the Task Force on the Lawyer’s Role in Corporate Governance 95 (Nov. 2006), (“Not to waver or equivocate is no easy challenge for lawyers in some circumstances because of the economic and professional pressures already noted, and because the answers to legal issues are seldom completely free of doubt.  It may take genuine professional courage to provide unwelcome advice and stick to it.”).

18 See Ben Heineman, The Inside Counsel Revolution 7 (2016).
