Posted: 24th February 2017

The drivers of regulatory action are wide and varied, although the root cause can usually be traced to one of two things; either a firm has failed to react to a known issue which led to customer detriment, or failed to detect an issue which led to detriment.

Either way, the outcome is often the same – both in terms of regulatory impact and the wider costs involved, including reputational damage and loss of consumer trust.

When consumer credit firms went through the process of FCA authorisation, they were required to:

  • Write or update their regulatory business plan, which told the story of the business model
  • Identify all regulated activities and any unregulated activities they intended to continue
  • Identify the likely business and conduct risk factors (specific to their firm and its business model)
  • Explain and demonstrate how they would monitor and control these risks on an ongoing basis

With the imminent implementation of the Senior Managers and Certification Regime, the need to provide senior managers with effective assurance has never been greater. Through compliance monitoring, compliance teams, boards and non-executives can be provided with a view of their firm's current performance, and there should be a healthy appetite for this kind of insight at board level. However, this is not the only benefit of effective assurance - it can provide insight to inform business improvement and customer outcomes, leading to improved customer advocacy, trust and brand loyalty. It also plays a key role in protecting firms against the risk of financial crime and fraud.

So how can consumer credit firms provide effective assurance to senior management which is proportionate to the conduct and financial crime related risks they face?

Options for providing assurance

Here, we outline two options for delivering effective assurance. The appropriate option will depend on the size of your firm and the complexity of its business model.  

1. Three Lines of Defence model

First line – the firm carries out quality assurance (QA) checks of operational processes – for example, checking the effectiveness of sales and claims processes through call monitoring and file reviews.

Second line – a compliance team is in place to provide an independent assessment of controls to ensure the delivery of fair outcomes for customers.

Third line – internal audit provides further independent assurance that the firm’s risk management, governance and internal control processes are operating effectively, which includes the effectiveness of compliance monitoring in the second line.

Integrated assurance is critical to the success of a three lines of defence model and relies on knowledge sharing between the three lines to ensure assurance work is targeted towards the right areas. For example, the management information provided to the board should be equally accessible by first, second and third lines to inform each party’s role in the assurance process. 

2. Two Lines of Defence model

For smaller firms undertaking slightly less complex or risky business, a two-line model may be sufficient. In this model, first line checking is supplemented by the compliance monitoring function or external, independent assurance.

This more streamlined approach – when used in the right circumstances – enables better communication in a smaller organisation and reduces the operational impact of coordinating compliance monitoring as well as internal audits.


In your application for authorisation, you will have articulated how you intend to manage the regulatory risks faced by your firm and your arrangements for compliance monitoring. Delivering effective assurance begins with a plan of what to monitor, and in the modern regulatory environment, a risk-based approach is key.

Monitoring 100% of its business is clearly not a realistic aspiration for a firm, and therefore a more sustainable approach to monitoring is needed. By focusing on the areas that are not performing well or where management information (MI) tells you something is wrong or outside of expectations, you can ensure a proportionate approach that provides a clear view of performance where it is most needed.

When it comes to ensuring compliance monitoring-related MI is clear and robust, the board should be made aware of the metrics that need to be reported on, and why this is the case. They should also be engaged in the need to periodically revisit the MI that is provided in order to ensure it remains appropriate.

Below are just a few examples of what you could monitor in any assurance line:

  • How your products are sold – gathering sufficient information and customer understanding at the outset of an agreement is likely to contribute significantly to this; do you also test what your brokers, dealers, retail partners etc. do if they are part of your end to end customer journey?
  • Remuneration, reward and incentives – high on the regulatory agenda, the FCA is looking to ensure that firms are able to monitor the impact that these have on the way products are sold, as well as how they influence collection activity, complaint and claims handling among others
  • Vulnerable customers - how do you deal with vulnerability in your firm and are you able to identify and deal effectively with the various forms of vulnerability?
  • Outsourcing – reviewing third parties undertaking regulated activities on your firm’s behalf is vital to maintaining a clear view of your firm’s overall compliance

As monitoring progresses, a firm gains more insight into their products and the outcomes they provide. This allows them to deliver a continuous programme of improvement. Create a program of assurance that is forward looking and plans for the next 12 months at least (a 2 or 3 year updateable plan is better); this will allow for effective assignment of resource in each line of defence. 


The effectiveness of assurance activity is dependent on the scope of the review. Robust MI helps to define an effective scope, but it is often collated for reasons other than the management of conduct risk, so may require development. Nevertheless, certain metrics can be good indicators of what should be in scope for assurance activity:

  • Poor quality assurance results
  • Customer complaints
  • Customers in arrears
  • Impact of charges on the cost of credit
  • Lapse rates

Once the scope is agreed, terms of reference should outline what, why, when, where and how the review will be undertaken and agreed with the manager responsible for the area being reviewed.

You should regularly update the business area being reviewed on emerging issues so when it comes to reporting, discussion can focus on actions needed to address accepted issues. It may be helpful to define key closure criteria, outlining ‘what good looks like’ to assist the business area is developing actions that will address the issue.

All reports should be circulated to relevant senior managers and any issues should be tracked and reported on further, for example, at risk meetings. This should ensure senior management has visibility of the risks facing the business and are able to mitigate against the risk of false assurance. Senior managers, however, should guard against complacency and if necessary provide effective challenge to assurance arrangements to ensure effective assurance is being delivered.

Protection for your business

Effective assurance is more than a regulatory obligation; it can add significant value to your business by giving peace of mind that conduct risks are understood and mitigated, and making sure that any investment in this area is proportionate to the risks involved.

In the modern regulatory environment, ignorance of an issue is not sufficient defence for exposing customers to poor outcomes, and consumer credit firms should always strive to understand more about the experience they are delivering. This includes the risks customers could be exposed to and how to address them.

Your operating model for assurance must be appropriate to your business model and the risks arising from it. Whatever assurance model you develop, good MI is the key to pinpointing where to focus your assurance work and the effectiveness of your efforts in protecting your business and its customers.

Huntswood h blue

Huntswood - Insights