What are the compliance team’s three lines of defense?

The “Three Lines of Defense” describes how financial institutions should manage and structure their anti-money laundering and counter-terrorist financing (AML/CTF) risk. Firms can use this framework to mitigate risk management gaps and duplication of unnecessary risk coverage.

Part 5 of the Compliance Team’s Guide to Customer Onboarding considers the three lines of defense while taking a closer look at the compliance team, highlighting best practices for conducting training, internal audits, and supervisory oversight. 

The line of business

Also known as the front line, the line of business consists of customer-facing employees best equipped to get the information firms need to meet their due diligence obligations. Operations, risk, and control teams that support the business may also be referred to as the first line of defense.

The line of business is responsible for implementing and maintaining policies and procedures and communicating these to all employees. It must also establish procedures for screening personnel to ensure high professional standards and deliver appropriate training on AML/CFT policies and procedures based on roles performed.

While individuals working within the AML/CTF space usually produce the training program, senior management must also review and agree upon it.

The compliance and internal control function

The AML compliance function is the second line of defense. This includes the chief money laundering reporting officer (MLRO) managing and monitoring AML/CFT activities. The AML officer is responsible for developing policies to ensure AML compliance and escalating identified noncompliance or points of concern to senior management.

The AML officer should be the contact point for all AML issues for internal and external authorities and be responsible for reporting suspicious transactions. Members of the second line of defense must have sufficient independence from the business lines to prevent conflicts of interest. 

The Compliance Officer’s additional responsibilities include:

• Managing the onboarding program
• Understanding of the firm’s current software packages, their strengths and weaknesses, and any gaps in the processes
• Linking with senior management
• Recruiting and training the onboarding team
• Maintaining a culture of compliance 
• Appointing deputies
• Investigating alerts and coordinating a group approach
• Ensuring that clients and transactions are monitored beyond the initial onboarding stage
• Overseeing the sanctions compliance program

The internal audit

A firm’s internal audit function independently reviews the controls applied by the first two lines of defense. The auditors should report to the audit committee of the board of directors, or equivalent, and independently evaluate the firm’s risk management controls through periodic assessments. These include:

• A review of both strong and weak elements of the AML/CTF function (as well as sanctions compliance activities)
• A set of readily identifiable recommendations with target dates for implementation as well as a list of names outlining responsibilities
• Any additional research senior management needs to sign off on the report

This report will need to link to previous reports to show any prior problems and whether steps were taken to address them. It will also need to be accessible for external review. Firms should note that regulators have previously fined businesses for failing to address weaknesses identified in their internal audits.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

• How to determine what level of due diligence is appropriate for different customers
• The importance of understanding ultimate beneficial ownership (UBO) structures
• How to report potentially suspicious behavior

After reviewing all five sections of the training, test your knowledge with a questionnaire and receive a completion certificate you can share with your LinkedIn network.