Hi Dora!
I have worked at two small banks and one mid-to-large non-depository mortgage lender in compliance and fair lending, so I am using those institution experiences for my answer.
3 Lines Structure
At each institution:
- Second Line (Compliance) owned the Fair Lending program framework, monitoring, testing, training, issue tracking, and board reporting.
- First Line owned day-to-day execution (underwriting, pricing, servicing).
- Third Line provided independent assurance - either through an internal audit function or outsourced consultants.
Independence wasn't about complete separation; it was about clearly defined roles, escalation authority, and independent validation through audit.
Thresholds
There was no single numeric "fair lending tolerance." Thresholds were defined using a tiered, risk-based approach, with escalation triggers based on severity, repeat findings, and whether issues appeared random or directional.
Anything suggesting potential disparate treatment, prohibited basis impact, or systemic control breakdown was treated as zero tolerance and escalated.
Thresholds were documented, consistently applied, and adjusted over time based on volume, product risk, and prior findings.
Frequency
Two institutions performed quarterly reviews. At the higher-volume non-depository, we moved from quarterly to monthly monitoring in key areas to keep oversight manageable.
All institutions conducted a comprehensive review following HMDA submission.
Frequency ultimately aligned with size, complexity, and risk profile.
Sampling & Scope
We used the Interagency Fair Lending Examination Procedures as a floor for sampling, but often reviewed 100% of higher-risk files rather than relying solely on samples.
At two institutions, we also conducted formal self-testing consistent with the interagency self-test/self-evaluation guidance, which examiners viewed favorably.
Practical Approaches That Worked Well in Exams
What resonated most in exams was having a documented, consistently applied program - not hitting a specific percentage threshold.
In practice, that meant:
- Risk Assessment-Driven Monitoring: A documented fair lending risk assessment that clearly drove the monitoring plan and was updated when products, channels, staffing, or underwriting criteria changed, not just annually by default.
- Clear Governance & Escalation: Defined 3LOD roles, documented thresholds, and evidence that issues were escalated and resolved, not just identified.
- Data & Complaints Integrated into Monitoring: Regular analysis of pricing, underwriting, decisioning, timing, and marketing data, with complaints treated as a risk input and fed back into control reviews and training.
- Self-Testing Where Appropriate: At two institutions, we conducted formal self-tests consistent with interagency guidance, which strengthened exam discussions and demonstrated proactive oversight.
- Documented Corrective Action: Findings were tied to root cause analysis, corrective action plans, and follow-up validation. Examiners consistently focused on whether issues were fixed, not just detected.
Programs that showed clear linkage between risk assessment, monitoring, training, and corrective action tended to hold up best in exams.