Shearman And Sterling


September 08, 2021

Realizing the Benefits of an Effective Legal function in Financial Institutions





With the inexorable rise and expansion of Risk and Compliance departments, aspects of the role of the Legal department and external legal advice in a global financial institution have been diminishing for a number of years, potentially to the detriment of risk management.

The 2007–2009 financial crisis highlighted acute weaknesses in the risk management and compliance controls framework of financial institutions. Risk and Compliance functions were given extraordinary, and needed, attention and resource, enhancing control over all aspects of non-financial risk. There was a substantial increase in headcount in those functions, and a significant investment in technology to support them. Structural changes were also made, with an emphasis on the “three lines of defense” model, which has evolved into a useful, straightforward but wide-ranging approach for addressing firms’ risk. This has involved dividing the financial firm’s operations between its business, control and audit functions, detailing various processes and procedures for each, and placing additional emphasis on the monitoring of data and metrics. Avoiding compliance breaches and the risk management of these breaches has become an increasing focus for senior executives, boards and regulators.

The rise of Risk and Compliance and the way in which the organization of firms has developed has arguably made Legal functions less central to the running of financial institutions, although, of course, not every firm has been so affected and the trend is probably most evident outside the United States. Any diminution is in part because the Legal function does not typically fit neatly into the three lines of defense model, sometimes acting as a control (a second line function) and often providing support for the business (a first line function). It is also partly because Compliance has assumed lead responsibility for interacting with the regulators, especially outside the United States, in some cases at the behest of regulators who are concerned about the dual role of Legal as business support as well as control. The closeness of Compliance’s interaction with the regulators has given Compliance an informed view of regulatory expectations and has meant that firms place greater weight on Compliance’s view of the scope and content of regulation. Compliance input is invaluable, and firms will often defer to the wishes and expectations of the regulators. Nonetheless, effective decision-making depends on a holistic view of the matter and that, in turn, requires a full analysis of the law, statutes, regulatory rulemaking and guidance on which informed determinations are made. An over-reliance on Compliance and a lack of fully integrated legal analysis in decision-making can lead to an overly cautious response to real and substantive day-to-day issues for the firm. It can make it harder to develop regulatory interpretations, both on a standalone basis and in conjunction with the regulators.

To establish a fully effective Legal function, firms should at least ensure that the following steps are taken:

  • Position Legal appropriately within the governance structure of the organization,
  • Drive collaboration between Risk and Compliance, and Legal,
  • Ensure the Legal function itself and the lawyers within it are equipped with the skills to support most effectively the whole institution, and
  • Appropriately involve external legal advisors.

Legal’s Role in Governance

First, Legal should be positioned appropriately within the governance structure of the organization.

Structural integration. The Legal function should sit at the center of the financial institution’s structures and should not be consigned to a narrowly conceived legal silo, such as for transaction or documentation execution and litigation only. If the Legal function is merely reactive and cannot influence decisions to avoid risks to the firm, then the risk of enforcement action and litigation will only increase. An arrangement placing legal functions at the heart of decision-making would exploit the full value of legal expertise and legal judgement. Legal should report to a sufficiently senior and influential executive, ideally the Chief Executive Officer, or to the board. Some firms look to have Legal report to the Chief Administrative Officer or the head of an all-encompassing Risk function, both of which can be made to work satisfactorily. It is important that the CEO visibly supports the General Counsel and that Legal has a seat on significant internal committees, including key business and control committees. It is common for the control functions regularly to meet alone with independent members of the board of directors. The General Counsel should have similar meetings with independent directors, without executive management present.

Clarity over lines of defense. Legal is best seen as a second line function within the three lines of defense model, reflecting its primary role as a control function. Although Legal will often play a role akin to first line support, the primacy of the control dimension of the Legal role should be the deciding factor in determining its categorization. This is not necessarily because of the time spent in that role, but in terms of the importance to the institution of compliance with law and regulation. Notably, although it is arguable that Legal should not be allocated to any of the lines of defense, and that its proper place is outside the conceptual controls framework, such an approach risks reducing the importance of Legal. It is best for Legal to be placed at the heart of a firm’s operations and controls framework.

Collaboration Across Legal, Risk and Compliance

Next, it is important to drive collaboration across Legal, Risk and Compliance.

Clarity of roles. Management should ensure that there is a workable description of the roles and responsibilities of each of Legal, Risk and Compliance. Whilst much of this exercise will be uncontroversial, there are areas of overlap which will require resolution. This is particularly the case between Legal and Compliance:

  • Legal. Legal’s primacy should be with respect to the interpretation of law and regulation and its application to specific facts.
  • Compliance. The work of Compliance focuses on designing and implementing the firm’s compliance controls framework and on ensuring that it is operating effectively. Compliance’s job includes developing policies, procedures and structures within the firm to comply with law and regulation. It then monitors and tests the operation of those controls to ensure they are working.

Most compliance departments include within their ranks seasoned lawyers, and it is not uncommon for legal judgements to be made within the Compliance function. Similarly, Legal will often provide input on various aspects of the controls framework. Some overlap between the Legal and Compliance functions is inevitable and to be welcomed, although it remains important for the leadership of the functions and management to be clear about their respective responsibilities.

Status. In the past, Compliance often reported to Legal. Over time, this has changed, and it is now most common that the functions report separately. This partly reflects the concern of some regulators about the Legal function’s role in supporting business and a greater confidence in Compliance as a control function. It may also indicate that regulators have found Compliance staff less concerned about privilege and more willing to hand over documentation. At the same time, changes in the Compliance role, with the greater focus on design and implementation of the controls framework, have brought it closer to the Risk, and even Internal Audit, functions. Regardless of the precise reporting lines of the functions, Legal, Risk and Compliance should enjoy similar standing within the firm in terms of the quality of each function’s personnel and the respect in which they are held, especially when opining on topics within their area of expertise. Management should ensure that the groups work collaboratively, not in competition with each other.

Specific, overlapping areas of focus. There are many areas where collaboration between Legal, Risk and Compliance could provide for a more cohesive controls framework. These include:

  • Risk assessments. Periodic risk assessments are a long-established tool for Compliance departments but are less common in Legal. Properly structured, risk assessments allow Legal to think strategically about the risks facing the business and how best they can be mitigated. Conducting a risk assessment allows the Legal function to engage proactively with business colleagues on risk topics. A Legal risk assessment should be run in conjunction with similar exercises carried out by Compliance and Anti-Financial Crime. This reduces the burden on the business engaging with multiple risk assessments. Cross-function collaboration should generate richer content and a more acutely observed final product.
  • Horizon scanning. Business horizon scanning, e.g. for new legislation, consultations, new legal developments and potential risks, is another example where collaboration should enhance the controls framework, helping the business to identify the problems of tomorrow.
  • Data. The increasing focus by firms on data and technology, and on process and procedure, can be perceived to be at odds with the arguably more nuanced approach to reasoning for which lawyers are trained. Nonetheless, it is important that the Legal function operates in this sphere. Legal should collaborate with Risk to find a suitable way to input legal data into standard risk reporting. Legal should constructively engage with the development of risk type taxonomies, assume responsibility for those risk types where they are best placed to do so and support other functions where there is potential overlap.

Equipping the Skills

The Legal function itself and the lawyers within it must be equipped with the skills to support the institution most effectively.

Cultural issues. Ensuring that the Legal function is fit-for-purpose speaks to the culture within the function and the operating ethos established by the General Counsel. For many projects, the control dimension of the Legal role may be relatively small compared to the amount of time spent on execution. The General Counsel should enunciate unequivocally their expectation and the expectation of the firm that, whatever the dynamics of the particular matter, the lawyers’ primary role is to protect the firm from harm. As a control function, lawyers need the necessary courage, governance empowerment and senior management support to halt action which the lawyer believes will harm the company, however challenging that might be. The General Counsel should ensure that staff on the front line working with the business are properly supported by senior lawyers. No lawyer should feel pressurized into making a decision against their better judgment. Escalation to a more senior colleague is the appropriate escape route.

Style of lawyering. The way in which lawyers interact with senior management and the business is critical. Closeness to management, and understanding the business and the challenges it faces, are prerequisites for internal lawyers and external legal advisors to be useful. Internal lawyers, whatever their position, should engage with the business and communicate interest and legal and commercial acuity, and external advisors must always have in mind not only the needs of in-house counsel but those of the business to whom any advice will be delivered. The most effective lawyers work with management to resolve the issue under consideration and, in doing so, actively participate in the decision-making process. The most effective lawyers do more than simply offer options, leaving the choice to management. They do more than simply define the legal boundaries for action. They express a view as to the preferred option and advocate for that, including in instances in which the choice should be made in a particular way.

Legal processes and procedures. Nowadays, it is important that Legal operates with a strong eye to process and procedure within its own function. Regulators increasingly want to know that the function is operating effectively and that the advice given by the Legal function is of appropriate quality. The large legal departments of global financial institutions are equivalent to medium-to-large sized law firms in their own right and require organization and structure to run properly. There are many areas that an internal legal management arrangement might cover, and much will depend on the existing culture of the department and firm. Areas to consider include:

  • the selection, usage and hiring of external legal counsel;
  • interaction with and reviewing the advice of external legal counsel;
  • procedures for the initiation, management and settlement of litigation and enforcement matters;
  • procedures for the execution of transactions and other projects for other areas of the bank;
  • the supervision and training of junior lawyers, including with regard to the style of lawyering;
  • promotions; and
  • compensation.

Some of these areas will be influenced by group-wide rules and procedures and there is a need to ensure that the approach is not too bureaucratic and does not sap the enthusiasm of the best lawyers. The headline, however, is that it is critically important that the General Counsel puts in place a coherent and formal management framework for the Legal function.

Using External Legal Advisers

External legal advisers should be appropriately involved. External legal advisers play an important role in the provision of legal advice to a financial institution. They are integral to the execution of many transactions and to litigation and enforcement matters. They can play a critical role in helping the firm navigate complex regulatory matters. The deployment of external legal advice is best effected with the involvement of the in-house Legal function. For many transactions, the choice of outside counsel is best made by the in-house function, perhaps with input from the business, or by the business selecting from a list of counsel approved by the in-house function. For litigation and regulatory matters, a combination of in-house and external expertise is likely to produce the optimal result for the firm. In recent years, there has been a trend to utilize the services of compliance consultancies and accountancy firms to provide regulatory advice. Whilst such organizations can provide value, especially with regard to the development of processes and procedures, their use in interpreting law and regulation requires caution. As a technical matter, advice from compliance consultancies and accountancy firms may lack the protections of privilege. They may also lack the legal expertise that is core to the practice of the major global law firms.


Fully harnessed, the Legal function can bring significant benefits to a financial institution. This includes the sophisticated interpretation and application of rules, regulations and laws—the core skill set of the lawyer—as well as the use of legal reasoning to assist in the myriad of other challenges facing any firm. The Legal function can be revived by taking the above steps. All eminently achievable, they will ensure a fully effective Legal function and offer significant gains for the controlled and successful running of the firm as a whole.

Authors and Contributors

Simon Dodds

Of Counsel

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5156
