What are the Compliance Team’s Three Lines of Defense?

The “Three Lines of Defense” framework describes how financial institutions should manage and structure their anti-money laundering and counter-terrorist financing (AML/CTF) risk. Firms can use this framework to close gaps in risk management and avoid unnecessary duplication of risk coverage.

Part 5 of the Compliance Team’s Guide to Customer Onboarding considers the three lines of defense while taking a closer look at the compliance team, highlighting best practices for conducting training, internal audits, and supervisory oversight. 

The line of business

Also known as the front line, the line of business consists of customer-facing employees best equipped to get the information firms need to meet their due diligence obligations. Operations, risk, and control teams that support the business may also be referred to as the first line of defense.

The line of business is responsible for implementing and maintaining policies and procedures and communicating these to all employees. It must also establish procedures for screening personnel to ensure high professional standards and deliver appropriate training on AML/CTF policies and procedures based on roles performed.

While individuals working within the AML/CTF space usually produce the training program, senior management must also review and agree upon it.

Types of training for compliance staff

The compliance and internal control function

The AML compliance function is the second line of defense. This includes the chief money laundering reporting officer (MLRO), who manages and monitors AML/CTF activities. The AML officer is responsible for developing policies to ensure AML compliance and escalating identified noncompliance or points of concern to senior management.


The AML officer should be the contact point for all AML issues for internal and external authorities and be responsible for reporting suspicious transactions. Members of the second line of defense must have sufficient independence from the business lines to prevent conflicts of interest. 

The Compliance Officer’s additional responsibilities include:

  • Managing the onboarding program
  • Understanding the firm’s current software packages, their strengths and weaknesses, and any gaps in the processes
  • Linking with senior management
  • Recruiting and training the onboarding team
  • Maintaining a culture of compliance 
  • Appointing deputies
  • Investigating alerts and coordinating a group approach
  • Ensuring that clients and transactions are monitored beyond the initial onboarding stage
  • Overseeing the sanctions compliance program

The internal audit

A firm’s internal audit function independently reviews the controls applied by the first two lines of defense. The auditors should report to the audit committee of the board of directors, or equivalent, and independently evaluate the firm’s risk management controls through periodic assessments. These include:

  • A review of both strong and weak elements of the AML/CTF function (as well as sanctions compliance activities)
  • A set of readily identifiable recommendations with target dates for implementation as well as a list of names outlining responsibilities
  • Any additional research senior management needs to sign off on the report

This report will need to link to previous reports to show any prior problems and whether steps were taken to address them. It will also need to be accessible for external review. Firms should note that regulators have previously fined businesses for failing to address weaknesses identified in their internal audits.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

  • How to determine what level of due diligence is appropriate for different customers
  • The importance of understanding ultimate beneficial ownership (UBO) structures
  • How to report potentially suspicious behavior

After reviewing all five sections of the training, test your knowledge with a questionnaire and receive a completion certificate you can share with your LinkedIn network.

Originally published 05 December 2022, updated 05 December 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).