Exams or Audits

  • 1.  Fair and Responsible Banking program

    Posted 22 days ago

    I am looking to benchmark how other institutions structure their fair and responsible banking fair lending review function within the three lines of defense model.

    Do you house Fair Lending within the second line of defense, and if so, how independent is the team from first line of compliance? I'm also interested in how others define fair lending thresholds for errors. On average, are fair lending reviews being done on a quarterly or annual basis? How many targets and controls are reviewed during this process?

    If you are willing to share, I'd appreciate hearing about your review process, tolerance levels, and any practical approaches that have worked well during examinations.  

    Thank you in advance for your insights.   
    -------------------------------------------



  • 2.  RE: Fair and Responsible Banking program

    Posted 18 days ago

    Hi Dora!

    I have worked at two small banks and one mid-to-large non-depository mortgage lender in compliance and fair lending, so I am using those institution experiences for my answer. 

    3 Lines Structure

    At each institution:

    • Second Line (Compliance) owned the Fair Lending program framework, monitoring, testing, training, issue tracking, and board reporting.
    • First Line owned day-to-day execution (underwriting, pricing, servicing).
    • Third Line provided independent assurance - either through an internal audit function or outsourced consultants.

    Independence wasn't about complete separation; it was about clearly defined roles, escalation authority, and independent validation through audit.

    Thresholds

    There was no single numeric "fair lending tolerance." Thresholds were defined using a tiered, risk-based approach, with escalation triggers based on severity, repeat findings, and whether issues appeared random or directional.

    Anything suggesting potential disparate treatment, prohibited basis impact, or systemic control breakdown was treated as zero tolerance and escalated.

    Thresholds were documented, consistently applied, and adjusted over time based on volume, product risk, and prior findings.

    Frequency

    Two institutions performed quarterly reviews. At the higher-volume non-depository, we moved from quarterly to monthly monitoring in key areas to keep oversight manageable.

    All institutions conducted a comprehensive review following HMDA submission.

    Frequency ultimately aligned with size, complexity, and risk profile.

    Sampling & Scope

    We used the Interagency Fair Lending Examination Procedures as a floor for sampling, but often reviewed 100% of higher-risk files rather than relying solely on samples.

    At two institutions, we also conducted formal self-testing consistent with the interagency self-test/self-evaluation guidance, which examiners viewed favorably.

    Practical Approaches That Worked Well in Exams

    What resonated most in exams was having a documented, consistently applied program - not hitting a specific percentage threshold.

    In practice, that meant:

    • Risk Assessment-Driven Monitoring: A documented fair lending risk assessment that clearly drove the monitoring plan and was updated when products, channels, staffing, or underwriting criteria changed, not just annually by default.
    • Clear Governance & Escalation: Defined 3LOD roles, documented thresholds, and evidence that issues were escalated and resolved, not just identified.
    • Data & Complaints Integrated into Monitoring: Regular analysis of pricing, underwriting, decisioning, timing, and marketing data, with complaints treated as a risk input and fed back into control reviews and training.
    • Self-Testing Where Appropriate: At two institutions, we conducted formal self-tests consistent with interagency guidance, which strengthened exam discussions and demonstrated proactive oversight.
    • Documented Corrective Action: Findings were tied to root cause analysis, corrective action plans, and follow-up validation. Examiners consistently focused on whether issues were fixed, not just detected.

    Programs that showed clear linkage between risk assessment, monitoring, training, and corrective action tended to hold up best in exams.

    -------------------------------------------



  • 3.  RE: Fair and Responsible Banking program

    Posted 17 days ago

    @Alesha Briley - wonderful use of the 3LOD and its breakdown.  Agree with conclusion (practical approaches).

    While 3LOD is "replaced" with continuous risk management, it was the universal awareness of everyone's role related to risk, accuracy, completeness, consistency, and fairness (to the consumer) that was the foundation of transparency to examinations that helped. At one point, in a prior career working for a mortgage lender operating in forty states, the ability to show a consistent front, common across the entire company in any role, and bundled for state-specific (and loan-type-specific) exams helped. By being transparent about the lending practices and mission, and giving eagle-eyed focus on each state examiner team's applicable loans and consumer care, it held up as the company volume increased many fold.


    -------------------------------------------