Three Lines of Defence Model

The Three Lines of Defence model is the most widely adopted framework for organising risk management and compliance responsibilities within financial institutions and other large organisations. It provides a clear conceptual structure for allocating accountability across an organisation, ensuring that financial crime risk, alongside other categories of risk, is identified, managed, and overseen by distinct groups with clearly defined roles and separate accountability. The model was formally endorsed by the Institute of Internal Auditors (IIA) and has been embedded in EU regulatory expectations through the EBA’s Guidelines on internal governance, which require institutions to organise their risk management and control functions in a manner consistent with its principles. Supervisors use the three lines framework as a lens through which to assess whether an institution’s governance of financial crime risk is genuinely robust or merely cosmetic: a firm that cannot clearly articulate where accountability sits within each line, or where the lines are blurred or under-resourced, will typically attract adverse supervisory findings.

The first line of defence consists of the business itself — the front-line staff, relationship managers, product teams, and operational functions that own and manage customer relationships and conduct day-to-day transactions. In the financial crime context, the first line is responsible for identifying and managing financial crime risk at the point of origination: conducting customer due diligence at onboarding, collecting KYC documentation, making risk-based judgements about customers and transactions, escalating concerns to compliance, and ensuring that financial crime controls are embedded in their normal operating processes rather than treated as a separate compliance exercise. Critically, the first line owns the risk — it cannot simply pass financial crime responsibility entirely to a compliance team and consider itself discharged of obligation. Regulators have been explicit that a culture in which front-line staff view AML as someone else’s problem is itself a governance failing.

The second line of defence is the compliance and risk management function, including the Financial Crime Compliance team, the MLRO, and the broader risk function. It is responsible for setting the policies and standards the first line must follow, providing oversight and challenge of the first line’s risk management activities, maintaining the firm-wide financial crime risk assessment, owning (and, in many firms, operating) transaction monitoring and screening systems, and making SAR filing decisions. The second line does not own individual customer relationships, but it holds independent authority to override or escalate first-line decisions where financial crime risk demands it, and it reports directly to senior management and the board rather than through the business lines it oversees.

The third line of defence is internal audit, which provides independent, objective assurance to the board and senior management that the first and second lines are functioning as intended. Internal audit does not manage risk itself — its role is to test and evaluate whether the controls operated by the first and second lines are adequate, effective, and consistently applied, and to report its findings. In the financial crime context, internal audit is expected to assess the design and operational effectiveness of the entire AML and sanctions framework, including the adequacy of transaction monitoring systems, the quality of CDD files, the timeliness of SAR decisions, and the sufficiency of staff training — providing the board with an evidence-based view of whether the institution’s financial crime defences are genuinely working.