Three Lines of Defense: Case Study

A Case Study on Client Due Diligence

📅 July 18, 2024

When establishing an organizational model to effectively manage financial crime risk and regulatory compliance, we need to enable cohesive action towards enterprise objectives while also providing segregation of responsibilities and avoiding conflicts of interest. The “three lines of defense” is one well-established model to achieve these goals.

What are the three lines and how do they work together? Let’s take a look at a real-life case study of the three lines of defense.

In our previous article we outlined the three lines model and the responsibilities of each team. To summarize it into a few lines, it can be helpful to consider the second line as defining what needs to be done and the first line as identifying how it should be done. We can illustrate this using an example of controls that may be implemented as part of a client due diligence (CDD) framework. For this example, we’ll start with the second line.

Second Line: “Standard Setters”

The second line of defense undertakes tasks including:

Interpreting external regulatory requirement to perform due diligence on clients
Identifying if any regulatory enforcement actions identified weaknesses in CDD in other firms and the “lessons learned”
Identifying which of these requirements apply to their firm, taking into consideration its geographic operations, client base, products, and any other relevant considerations
Documenting and communicating the policy and standards to ensure both regulatory and internal requirements are met

The second line of defense sets standards for compliance, including:

Client due diligence must be performed on all clients
Clients are to be risk-rated according to the following characteristics (note that these are examples only):

Country of operations (e.g. countries identified as having weak AML/CFT measures are high risk)
Client industry (e.g. defense and dual-use industries are high risk)
Type of entity (e.g. publicly listed companies are low risk)
Regulated status (e.g. regulated businesses are low risk)

Enhanced due diligence is required for clients identified as overall high risk
If the client is an entity, the beneficial owners and controllers are to be identified
All entities and individuals in the corporate structure are to be screened against watchlists to check for sanctions, AML/CFT risks, and political exposure
Some client types are completely prohibited (e.g. shell companies or businesses that do not have the required licenses in their jurisdiction)

First Line: “Gatekeepers”

The first line of defense takes action to implement the requirements set out by the second line.

For the sales team, this might include writing and communicating a sales checklist with questions to help identify if potential client is prohibited. The advantage of doing this early in the process is that resources will not be invested in due diligence for a client that cannot be accepted.

For the Know Your Client (KYC) team, the following are examples of elements that could be included in the process manual written to implement second line requirements:

Templates to use when requesting CDD information from clients
Instructions on how to risk rate clients and workflows on the due diligence processes depending on the overall risk rating
Lists of corporate registries that can be used when identifying owners and controllers of an entity
Step-by-step instructions on how to use watchlist screening tools to check sanctions, AML/CFT, and political exposure and how to document findings
Escalation paths for any financial crime risks identified

Third Line: “Assurance”

In our CDD example above, the internal audit function would undertake tasks such as setting out an audit schedule for the sales, KYC, and compliance functions to evaluate the effective application of CDD controls. They would document their findings and ensure any required remediation is completed.

The Future of Three Lines

The three lines has been and continues to be an effective risk management model. However, in new and emerging areas like digital assets, in-demand skillsets may be scarce, evolving products and markets require novel and innovative solutions, and there may be a need to adapt quickly to regulatory changes. What adaptations need to be made to the three lines model? View our recorded webinar to find out more.

Recorded Webinar

The digital assets sector presents unique compliance challenges, including a complex and rapidly evolving regulatory landscape, misuse of digital assets in financial crime, and the need to adapt existing risk and compliance frameworks to include digital assets. As this industry continues to grow, with projections indicating substantial market expansion, staying ahead of compliance requirements and future challenges is crucial for financial institutions to safeguard their operations and reputation, while benefiting from the potential of this asset class.

Effective defense strategies are paramount to mitigating these risks and maintaining the highest standards of compliance. Led by industry experts, panelists will assess the integral roles of the first and second lines of defense in maintaining rigorous compliance frameworks and will dive into the future challenges that could redefine regulatory landscapes. Prepare to gain actionable insights and forward-looking strategies to elevate your compliance practices in the fast-evolving world of digital assets.

View Recording

Recommended Blogs

How to be a Digital Asset Detective

November 21, 2024

Step into the role of a digital asset investigator. From tracing complex ownership structures to leveraging blockchain transparency, discover the tools and techniques that bring clarity to a sector often seen as cryptic. Follow along with our investigation into a digital asset business and come away with a step-by-step guide for uncovering hidden risks.

Side Quest

November 19, 2024

“Side quests” are initiatives that align staff motivations, interests, and experience with discretionary projects. They provide solutions to enhance staff engagement, performance, and retention, and are particularly valuable where resource constraints may slow promotions or pay increases, or where compliance tasks involve repetitive work.

Calibrating the Crosshairs

November 13, 2024

This article outlines a practical six-step process financial institutions can follow to implement export control red flags within their compliance program. They are referenced as a key requirement in regulatory expectations of financial institutions, which continue to increase in response to recent geopolitical events.

Unverified and Unsure

November 7, 2024

The Commerce Department’s Bureau of Industry and Security maintains and administers several lists that involve goods, software, and technology, governed by the Export Administration Regulations. The Unverified List is just one of these. What is the Unverified List and what due diligence obligations do entities that transact with parties on the Unverified List have?

Big Fines, Bigger Lessons

October 30, 2024

TD Bank’s $3 billion fine highlights a growing trend: regulators are cracking down hard on weak AML programs. Discover why fines are skyrocketing and how strong AML training can help safeguard your institution.

Risky Convergences

October 28, 2024

New digital solutions in money laundering and underground banking have facilitated the expansion of the criminal business environment in Southeast Asia, integrate billions of criminal proceeds into the formal financial system and enabling the growth of new criminal organizations.

A PEP Talk

October 24, 2024

Politically exposed persons are individuals who, due to their positions of power, influence, or proximity to government, are susceptible to becoming involved in corruption, bribery, or other financial crimes. And because moving and hiding misappropriated assets often involves money laundering, financial institutions across the globe are tasked with the challenge of identifying and managing these risks.

A $3 Billion Mistake

October 22, 2024

TD Bank was recently slammed with a record $3 billion fine for failing to comply with AML laws. With $18 trillion in unmonitored transactions, the bank became a hotbed for criminal activity. What went wrong, and what can other financial institutions learn from this?

Beneficial Ownership: Who Owns What?

October 17, 2024

U.S. efforts to curb illicit finance are in full swing, as the requirement to reveal the beneficial owners of certain entities registered or operating in the United States came into effect this year. In this article, we explore key requirements, benefits, and deadlines as well as address some of the concerns organizations may have about the new regulation.