Three Lines of Defense

“[I]n the context of AML/CFT [Anti-Money Laundering / Combating the Financing of Terrorism], the business units… are the first line of defence in charge of identifying, assessing and controlling the risks of their business… The second line of defence includes the chief officer in charge of AML/CFT, the compliance function but also human resources or technology. The third line of defence is ensured by the internal audit function.”

– Basel Committee on Banking Supervision, Guidelines on Sound Management of Risks Related to Money Laundering and Financing of Terrorism 2020

In this article, we will look at how the “three lines of defense” model, also called the “three lines” model, can be applied in financial institutions, keeping in mind that there are many variations based on the size of the institution and its preferred operating model.

The First Line (1LOD)

The first lines of defense are the business units of a financial institution, including sales, relationship managers, traders, and sometimes client-facing support staff. These staff have the initial interactions with potential and current clients, which provides them with the first opportunity to identify risk factors – as well as potential business opportunities. These staff also engage throughout the client lifecycle, enabling them to identify changes that impact the risk profile of their clients.

Some examples of situations that may change a client’s risk profile include:

🚩 A client expands into new global markets which have higher financial crime risks than their existing markets, such as proximity to sanctioned countries;

🚩 A client introduces new products which are dual-use items subject to export controls, requiring additional levels of due diligence;

🚩 There are changes in corporate ownership or directors who may be politically exposed persons (PEPs).

First line staff are responsible for implementing and ensuring compliance with the financial crime risk management policies and standards set by the second line.

The Second Line (2LOD)

The second line of defense comprises the compliance function as well as other support functions such as technology and human resources.

• Policies & Standards: Focusing specifically on AML/CFT, the second line of defense establishes the policies and standards to ensure compliance with regulatory requirements. This will also be directed by the company’s internal “risk appetite”. Although a company cannot decide to apply lower standards than regulations require, it may decide to impose additional (higher) standards when selecting clients, jurisdictions of operation, or products.
• Regulatory Compliance: The second line interprets regulations to identify how and whether they apply to the firm based on considerations such as jurisdiction, client segment, and product. They should also monitor regulatory enforcement actions against other companies to identify and apply any lessons learned. They update the internal financial crime risk policies and standards, then communicate the changes to the first line so the first line can update their processes and systems accordingly.
• Oversight: The second line also provides oversight, for example undertaking compliance testing on how effectively the first line is fulfilling their responsibilities and communicating any issues to senior management or the Board.
• Support: The second line supports the first line to achieve their responsibilities by providing advice and support on how to interpret policies and standards to achieve business outcomes while remaining compliant. In larger firms, advisory support may be performed by embedded compliance staff within the first line.

The second line may also undertake broader responsibilities such as responding to regulatory proposals. Their experience of how compliance works within a financial institution gives them expert knowledge to make suggestions on how to achieve policy objectives, while ensuring the proposed measures can be implemented in practice.

Third Line of Defense (3LOD)

The third line of defense is the internal audit function, which provides independent oversight of the design and effectiveness of the first and second line controls. Internal audit conducts regular reviews and reports its findings directly to the Board of Directors or a Board Committee.

Advantages of the Three Lines Model

The key advantage of the lines of defense model is that it provides segregation and prevents conflicts of interest between those setting standards and those applying them. For example, the Basel Committee states that, “to enable unbiased judgments and facilitate impartial advice to management, the chief AML/CFT officer should, for example, not have business line responsibilities.”

Looking at an example of what could occur if these responsibilities were combined, if a person was assigned sales targets to bring in new business as well as being responsible for setting compliance standards for new clients, there would be a conflict between their two objectives and a risk that one would be disproportionately prioritized over the other.

By providing segregation and independence, the first and second lines can work together in mutually complementary ways.

The three lines model has other benefits.

✔ It can support specialization in knowledge and skills, enabling depth and capability to be achieved.

✔  Training can be customized to be specific to the tasks of each team, making it more relevant and therefore more likely to be remembered.

✔  It can help avoid duplication where functions overlap.

However, the model also has limitations. For example, in new and emerging areas where in-demand skillsets are scarce and the evolution of products and markets requires new solutions, what adaptation need to be made to the lines of defense? View our recorded webinar,Mastering Compliance in Digital Assets through Multi-Tiered Defense Strategies to find out more.