“Three Lines of Defence” Framework in the Courts
In Australia, a benchmark risk management framework is the “three lines of defence” model. The three critical lines of defence are (1) Operational Management, (2) Risk Management and Compliance Functions, and (3) Internal Audit. Experience has shown that challenges arise regarding (a) relationships with external auditors and regulators, and (b) the co-ordination of the three lines – e.g. the assignment of functions and responsibilities, ensuring no gaps exist, avoiding duplication and ensuring the appropriate level of independence and autonomy.
ASIC v Westpac (No 2)  FCA 751 involved ASIC’s claims regarding Westpac’s trading during 2010-2012 in Prime Bank Bills in the Bank Bill Market, allegedly to influence the setting of the Bank Bill Swap Reference Rate. In defending the claims, Westpac relied upon expert evidence regarding its use of the 3 lines of defence risk management model, which it had introduced in 2010. Beach J made findings against Westpac in relation to four occasions of unconscionable conduct and the inadequacy of its training and procedures. It was the first occasion on which the “3 lines of defence” model had been considered in the Australian courts.
Coincidentally, in April 2018 APRA released its “Prudential Practice Guide: CPG 220 Risk Management” for APRA-regulated institutions. The APRA Prudential Practice Guide is also predicated on the 3 lines of defence model.
In the subsequent penalty judgment in ASIC v Westpac (No.3)  FCA 1701 in November 2018, Beach J imposed penalties of $3.3m against Westpac with the message: “if you manipulate or attempt to manipulate key benchmark rates you are likely to have the maximum penalty imposed, whatever that is from time to time.”
Whilst Westpac’s policy documentation was agreed by the experts to be sufficient, Beach J and one expert cautioned “against the proceduralism which reliance only upon written documents can engender”; ASIC v Westpac (No.2), .
In the post-Financial Services Royal Commission environment, the suitability of corporate risk management frameworks and documentation (including the “3 lines of defence” model), their application by corporations and expert evidence about their adequacy and implementation will require increased scrutiny.