September 08, 2021
With the inexorable rise and expansion of Risk and Compliance departments, aspects of the role of the Legal department and external legal advice in a global financial institution have been diminishing for a number of years, potentially to the detriment of risk management.
The 2007–2009 financial crisis highlighted acute weaknesses in the risk management and compliance controls framework of financial institutions. Risk and Compliance functions were given extraordinary, and needed, attention and resource, enhancing control over all aspects of non-financial risk. There was a substantial increase in headcount in those functions, and a significant investment in technology to support them. Structural changes were also made, with an emphasis on the “three lines of defense” model, which has evolved into a useful, straightforward but wide-ranging approach for addressing firms’ risk. This has involved dividing the financial firm’s operations between its business, control and audit functions, detailing various processes and procedures for each, and placing additional emphasis on the monitoring of data and metrics. Avoiding compliance breaches and the risk management of these breaches has become an increasing focus for senior executives, boards and regulators.
The rise of Risk and Compliance and the way in which the organization of firms has developed has arguably made Legal functions less central to the running of financial institutions, although, of course, not every firm has been so affected and the trend is probably most evident outside the United States. Any diminution is in part because the Legal function does not typically fit neatly into the three lines of defense model, sometimes acting as a control (a second line function) and often providing support for the business (a first line function). It is also partly because Compliance has assumed lead responsibility for interacting with the regulators, especially outside the United States, in some cases at the behest of regulators who are concerned about the dual role of Legal as business support as well as control. The closeness of Compliance’s interaction with the regulators has given Compliance an informed view of regulatory expectations and has meant that firms place greater weight on Compliance’s view of the scope and content of regulation. Compliance input is invaluable, and firms will often defer to the wishes and expectations of the regulators. Nonetheless, effective decision-making depends on a holistic view of the matter and that, in turn, requires a full analysis of the law, statutes, regulatory rulemaking and guidance on which informed determinations are made. An over-reliance on Compliance and a lack of fully integrated legal analysis in decision-making can lead to an overly cautious response to real and substantive day-to-day issues for the firm. It can make it harder to develop regulatory interpretations, both on a standalone basis and in conjunction with the regulators.
To establish a fully effective Legal function, firms should at least ensure that the following steps are taken:
First, Legal should be positioned appropriately within the governance structure of the organization.
Structural integration. The Legal function should sit at the center of the financial institution’s structures and should not be consigned to a narrowly conceived legal silo, such as for transaction or documentation execution and litigation only. If the Legal function is merely reactive and cannot influence decisions to avoid risks to the firm, then the risk of enforcement action and litigation will only increase. An arrangement placing legal functions at the heart of decision-making would exploit the full value of legal expertise and legal judgement. Legal should report to a sufficiently senior and influential executive, ideally the Chief Executive Officer, or to the board. Some firms look to have Legal report to the Chief Administrative Officer or the head of an all-encompassing Risk function, both of which can be made to work satisfactorily. It is important that the CEO visibly supports the General Counsel and that Legal has a seat on significant internal committees, including key business and control committees. It is common for the control functions regularly to meet alone with independent members of the board of directors. The General Counsel should have similar meetings with independent directors, without executive management present.
Clarity over lines of defense. Legal is best seen as a second line function within the three lines of defense model, reflecting its primary role as a control function. Although Legal will often play a role akin to first line support, the primacy of the control dimension of the Legal role should be the deciding factor in determining its categorization. This is not necessarily because of the time spent in that role, but in terms of the importance to the institution of compliance with law and regulation. Notably, although it is arguable that Legal should not be allocated to any of the lines of defense, and that its proper place is outside the conceptual controls framework, such an approach risks reducing the importance of Legal. It is best for Legal to be placed at the heart of a firm’s operations and controls framework.
Next, it is important to drive collaboration across Legal, Risk and Compliance.
Clarity of roles. Management should ensure that there is a workable description of the roles and responsibilities of each of Legal, Risk and Compliance. Whilst much of this exercise will be uncontroversial, there are areas of overlap which will require resolution. This is particularly the case between Legal and Compliance:
Most compliance departments include within their ranks seasoned lawyers, and it is not uncommon for legal judgements to be made within the Compliance function. Similarly, Legal will often provide input on various aspects of the controls framework. Some overlap between the Legal and Compliance functions is inevitable and to be welcomed, although it remains important for the leadership of the functions and management to be clear about their respective responsibilities.
Status. In the past, Compliance often reported to Legal. Over time, this has changed, and it is now most common that the functions report separately. This partly reflects the concern of some regulators about the Legal function’s role in supporting business and a greater confidence in Compliance as a control function. It may also indicate that regulators have found Compliance staff less concerned about privilege and more willing to hand over documentation. At the same time, changes in the Compliance role, with the greater focus on design and implementation of the controls framework, have brought it closer to the Risk, and even Internal Audit, functions. Regardless of the precise reporting lines of the functions, Legal, Risk and Compliance should enjoy similar standing within the firm in terms of the quality of each function’s personnel and the respect in which they are held, especially when opining on topics within their area of expertise. Management should ensure that the groups work collaboratively, not in competition with each other.
Specific, overlapping areas of focus. There are many areas where collaboration between Legal, Risk and Compliance could provide for a more cohesive controls framework. These include:
The Legal function itself and the lawyers within it must be equipped with the skills to support the institution most effectively.
Cultural issues. Ensuring that the Legal function is fit-for-purpose speaks to the culture within the function and the operating ethos established by the General Counsel. For many projects, the control dimension of the Legal role may be relatively small compared to the amount of time spent on execution. The General Counsel should enunciate unequivocally their expectation and the expectation of the firm that, whatever the dynamics of the particular matter, the lawyers’ primary role is to protect the firm from harm. As a control function, lawyers need the necessary courage, governance empowerment and senior management support to halt action which the lawyer believes will harm the company, however challenging that might be. The General Counsel should ensure that staff on the front line working with the business are properly supported by senior lawyers. No lawyer should feel pressurized into making a decision against their better judgment. Escalation to a more senior colleague is the appropriate escape route.
Style of lawyering. The way in which lawyers interact with senior management and the business is critical. Closeness to management, and understanding the business and the challenges it faces, are prerequisites for internal lawyers and external legal advisors to be useful. Internal lawyers, whatever their position, should engage with the business and communicate interest and legal and commercial acuity, and external advisors must always have in mind not only the needs of in-house counsel but those of the business to whom any advice will be delivered. The most effective lawyers work with management to resolve the issue under consideration and, in doing so, actively participate in the decision-making process. The most effective lawyers do more than simply offer options, leaving the choice to management. They do more than simply define the legal boundaries for action. They express a view as to the preferred option and advocate for that, including in instances in which the choice should be made in a particular way.
Legal processes and procedures. Nowadays, it is important that Legal operates with a strong eye to process and procedure within its own function. Regulators increasingly want to know that the function is operating effectively and that the advice given by the Legal function is of appropriate quality. The large legal departments of global financial institutions are equivalent to medium-to-large sized law firms in their own right and require organization and structure to run properly. There are many areas that an internal legal management arrangement might cover, and much will depend on the existing culture of the department and firm. Areas to consider include:
Some of these areas will be influenced by group-wide rules and procedures and there is a need to ensure that the approach is not too bureaucratic and does not sap the enthusiasm of the best lawyers. The headline, however, is that it is critically important that the General Counsel puts in place a coherent and formal management framework for the Legal function.
External legal advisers should be appropriately involved. External legal advisers play an important role in the provision of legal advice to a financial institution. They are integral to the execution of many transactions and to litigation and enforcement matters. They can play a critical role in helping the firm navigate complex regulatory matters. The deployment of external legal advice is best effected with the involvement of the in-house Legal function. For many transactions, the choice of outside counsel is best made by the in-house function, perhaps with input from the business, or by the business selecting from a list of counsel approved by the in-house function. For litigation and regulatory matters, a combination of in-house and external expertise is likely to produce the optimal result for the firm. In recent years, there has been a trend to utilize the services of compliance consultancies and accountancy firms to provide regulatory advice. Whilst such organizations can provide value, especially with regard to the development of processes and procedures, their use in interpreting law and regulation requires caution. As a technical matter, advice from compliance consultancies and accountancy firms may lack the protections of privilege. They may also lack the legal expertise that is core to the practice of the major global law firms.
Fully harnessed, the Legal function can bring significant benefits to a financial institution. This includes the sophisticated interpretation and application of rules, regulations and laws—the core skill set of the lawyer—as well as the use of legal reasoning to assist in the myriad of other challenges facing any firm. The Legal function can be revived by taking the above steps. All eminently achievable, they will ensure a fully effective Legal function and offer significant gains for the controlled and successful running of the firm as a whole.