Three Lines of Defense: Definition and Use in Compliance
Three Lines of Defense is a risk governance framework that divides accountability for risk management into three distinct organizational functions: business operations, compliance and risk oversight, and independent internal audit.
What is Three Lines of Defense?
The Three Lines of Defense is a risk governance framework that assigns accountability for managing, monitoring, and independently auditing risk to three distinct functions within a financial institution.
The first line is the business itself. Relationship managers, product teams, operations staff, and front-office personnel generate the transactions that create risk exposure. Under this framework, they also own the controls designed to manage that exposure. In an AML context, this means the first line runs Customer Due Diligence (CDD) checks at onboarding, applies transaction screening, and maintains the documentation that proves those controls were followed.
The second line is compliance and risk oversight. The Money Laundering Reporting Officer (MLRO), the AML compliance team, and the chief risk officer's function sit here. They set policy, monitor the first line's adherence, and escalate material issues to the board. They don't originate transactions and don't own the client relationship. That independence is what lets them challenge the first line without conflict of interest.
The third line is internal audit. It reports to the audit committee rather than to management, which is the structural guarantee of its independence. Internal audit tests whether the first two lines are functioning as designed. It doesn't set policy or manage risk. It asks whether the controls are real.
The Institute of Internal Auditors formalized this structure in its 2013 position paper. In July 2020, the IIA published the updated "Three Lines Model", which shifted the language from defense to coordination and added explicit governing-body accountability above the three lines. The Basel Committee's 2015 "Corporate Governance Principles for Banks" references the same architecture, and supervisors in every major jurisdiction have built it into their governance expectations for regulated institutions.
A concrete example: a bank onboards a corporate client. The first line collects identity documents and runs a sanctions check. The second line reviews the file against the institution's risk policy. Internal audit, six months later, samples onboarding files to test whether first-line checks were actually performed and whether exceptions were properly approved. Three separate accountabilities on a single customer.
How is Three Lines of Defense used in practice?
Practitioners use the Three Lines framework constantly, even when they don't call it by name.
The clearest example is the Suspicious Activity Report (SAR) workflow. When a transaction monitoring system generates an alert, a first-line analyst makes the initial disposition: close it as a false positive or escalate. The AML compliance team in the second line reviews escalated cases, applies policy judgment, and decides whether a SAR is warranted. Internal audit periodically tests whether alert dispositions are documented correctly, whether SAR filings met required timelines, and whether the overall transaction monitoring program is functioning as designed.
The same logic applies to customer onboarding. The first line collects KYC documents, runs identity verification, and approves the account within defined risk parameters. The second line reviews exceptions to policy, approves higher-risk onboardings, and owns the firm-wide AML risk assessment. Internal audit samples completed onboarding files to verify documentation quality and confirm that exceptions were handled according to procedure.
Where the framework gets operationally difficult is at the boundary. The classic failure mode: the compliance team starts reviewing transactions before the first line has made a decision, absorbing a first-line function in the process. Or the business drafts SAR narratives because the compliance function is understaffed. Once those lines merge, the regulatory value disappears. Supervisors look for evidence of genuine independence. Separate boxes on an org chart don't satisfy examiners.
AI introduces a new version of this problem. When an institution deploys automated transaction monitoring, who owns the model output? If the business adjusts detection thresholds without second-line validation, the first line has absorbed an oversight function. If the compliance team both builds and reviews the model, it's simultaneously taking risk and checking itself. Neither arrangement survives regulatory scrutiny.
RACI definitions solve most boundary disputes. A RACI matrix names, for each decision, who is Responsible for doing it, who is Accountable for it, who is Consulted, and who is Informed; under the Three Lines, the Accountable role for a control must sit in the line that owns that control. When an examiner asks who approved a policy exception, the answer has to point to a specific role in a specific line. "We all looked at it together" is the answer that generates enforcement findings.
Three Lines of Defense in regulatory context
Regulators don't always cite the Three Lines by name, but the architecture is embedded in virtually every major governance framework for regulated institutions.
The Basel Committee's 2015 "Corporate Governance Principles for Banks" requires institutions to have a strong, independent risk management function with direct board access, a separate compliance function, and an independent internal audit function reporting to the audit committee. That's the second and third lines described in supervisory guidance every major jurisdiction has adopted.
The UK FCA and PRA built the same structure into their Senior Managers and Certification Regime (SM&CR). The chief risk officer (SMF4) is personally accountable for the second line, alongside the compliance oversight (SMF16) and MLRO (SMF17) functions. The head of internal audit (SMF5) holds a separate Senior Management Function. Personal accountability was designed into SM&CR because firms where lines blurred produced worse compliance outcomes. The FCA has levied significant fines in cases where the second line lacked sufficient independence from the business.
The European Banking Authority's Guidelines on Internal Governance (EBA/GL/2021/05) are the most explicit European statement. They require institutions to implement "at least three lines of defence" with defined responsibilities at each. EBA guidelines bind national competent authorities on a comply-or-explain basis, so in practice institutions are examined against them; this is a regulatory requirement, not optional best-practice guidance.
In the US, the OCC's Corporate and Risk Governance handbook and the Federal Reserve's SR 11-7 guidance on model risk management both presuppose the three-line structure. Banks examined for BSA/AML compliance are assessed against it: did the first line have functioning controls, did the second line provide independent oversight, and did internal audit test both.
Anti-Money Laundering (AML) regulation follows the same pattern. FATF Recommendation 18 requires financial groups to implement group-wide AML/CFT policies and a group-level compliance function. Those requirements map directly to second- and third-line responsibilities and apply to institutions operating across multiple jurisdictions.
Common challenges and how to address them
The most common failure is line confusion, the boundary problem described above: compliance reviewing transactions before the first line has made a decision, or the business drafting SAR narratives because the compliance function is understaffed. Either way, the independence that makes the framework work disappears.
Regulators have fined institutions specifically for this. HSBC's 2012 Deferred Prosecution Agreement with the US Department of Justice included findings that compliance functions in several jurisdictions had effectively merged with business operations, removing independent oversight. The total penalty was $1.9 billion.
A second challenge is resource imbalance. Small institutions frequently staff the second line with one or two people responsible for everything: policy writing, exception approvals, training, and SAR filing. When internal audit then reviews that function, there's limited evidence of genuine oversight. The practical fix is prioritization: document which second-line activities matter most for regulatory purposes and resource those first.
AI introduces a governance gap the original framework didn't anticipate. When an institution deploys machine learning for fraud detection or customer risk scoring, someone has to own model development, someone else has to validate it, and a third function has to provide independent assurance over the whole arrangement. If the same team builds and validates the model, the second line loses independence. Larger institutions typically treat model risk management as a second-line function, with independent validation performed by a specialist model risk team or, failing that, covered within internal audit's scope; in either arrangement the validator must not be the team that built or tuned the model.
Calibration between lines is also harder than it appears. The second line is supposed to challenge the first, but if it's calibrated too conservatively, it blocks business or generates so many escalations that the first line stops filtering effectively. We've seen banks where 80% of cases escalated to compliance were immediately closed, which tells you the first line stopped doing real analysis. Finding the right threshold requires ongoing coordination between lines, not a one-time policy setting.
Related terms and concepts
The Three Lines framework connects directly to several foundational risk and compliance concepts.
Risk appetite is the foundational document the second line works from. It defines what level and type of risk the institution will accept. The first line operates within those bounds; the second line monitors adherence; the third line tests whether the risk appetite statement actually governs behavior or simply occupies a policy document nobody reads.
The risk-based approach to AML, codified by FATF and most national regulators, operates through the three-line structure. The first line applies controls proportionate to customer risk. The second line sets the risk categories and thresholds. The third line tests whether the calibration is working and whether higher-risk customers are receiving proportionate scrutiny.
The control environment is the sum of all controls the first line runs. It's what the second and third lines assess. A weak control environment, specifically one where controls exist in policy documents but not in practice, is the most common finding in AML enforcement actions.
AI governance is increasingly mapped to the Three Lines. When financial regulators and frameworks describe accountability for AI systems, the language matches directly: the model owner in the first line uses the system, a model risk or compliance team in the second line validates and monitors it, and internal audit independently tests the arrangement. It's the same governance structure applied to a new type of risk.
The audit trail is what makes the Three Lines defensible to examiners. Without documentation of who made which decision at which stage, the three lines exist only on paper. Regulators test the audit trail, not the org chart. If a SAR approval can't be traced to a specific second-line reviewer with a documented rationale, independence hasn't been demonstrated, regardless of what the governance documents say.
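A worked check of that audit-trail point, added here as an example and not code from the article or from any vendor: it replays a constructed decision log and reports every place where the lines have merged. The roles, the event fields and the log entries are assumptions for illustration. It also covers the threshold-change problem from the AI passages above (the business adjusting detection thresholds without second-line validation, or a second-line team validating its own change), since both reduce to the same rule: the person and line that took the decision must differ from the person and line that checked it, and the check must be on the record with a rationale.

```python
"""Separation-of-duties check over an AML decision log (added example; roles, event schema and log are constructed)."""
from dataclasses import dataclass

# Assumed role-to-line mapping for this example.
LINE_OF = {"analyst": 1, "relationship_manager": 1, "model_owner": 1,
           "mlro": 2, "aml_compliance": 2, "model_risk": 2, "internal_audit": 3}

@dataclass(frozen=True)
class Event:
    subject: str    # alert id or model id the event concerns
    action: str     # disposition | sar_decision | threshold_change | threshold_validation
    actor: str
    role: str
    outcome: str    # close/escalate, file/no_file, new threshold value, approved/rejected
    rationale: str = ""

def line_of(ev: Event) -> int:
    return LINE_OF.get(ev.role, 0)

def check_alert(subject: str, evs: list[Event]) -> list[str]:
    """One alert: first line dispositions; a different second-line person decides the SAR afterwards and says why."""
    out: list[str] = []
    dispo_idx = next((i for i, e in enumerate(evs) if e.action == "disposition"), None)
    decisions = [(i, e) for i, e in enumerate(evs) if e.action == "sar_decision"]
    if dispo_idx is None and not decisions:
        return out  # not an alert record
    dispo = evs[dispo_idx] if dispo_idx is not None else None
    if dispo is None:
        out.append(f"{subject}: SAR decision recorded with no first-line disposition")
    elif line_of(dispo) != 1:
        out.append(f"{subject}: disposition by {dispo.role} (line {line_of(dispo)}), not the first line")
    for i, d in decisions:
        if dispo_idx is not None and i < dispo_idx:
            out.append(f"{subject}: second line decided before the first line dispositioned the alert")
        if line_of(d) != 2:
            out.append(f"{subject}: SAR decision by {d.role} (line {line_of(d)}), not the second line")
        if dispo is not None and d.actor == dispo.actor:
            out.append(f"{subject}: {d.actor} both dispositioned the alert and made the SAR decision")
        if not d.rationale.strip():
            out.append(f"{subject}: SAR decision by {d.actor} has no documented rationale")
    if dispo is not None and dispo.outcome == "escalate" and not decisions:
        out.append(f"{subject}: escalated by the first line but no second-line decision recorded")
    return out

def check_threshold(subject: str, evs: list[Event]) -> list[str]:
    """One model: every threshold change is validated afterwards by a second-line role that is not the changer or the changer's team."""
    out: list[str] = []
    change_idx = [i for i, e in enumerate(evs) if e.action == "threshold_change"]
    for n, i in enumerate(change_idx):
        ch = evs[i]
        end = change_idx[n + 1] if n + 1 < len(change_idx) else len(evs)
        vals = [e for e in evs[i + 1:end] if e.action == "threshold_validation"]
        if not vals:
            out.append(f"{subject}: threshold change by {ch.actor} ({ch.role}) never validated by the second line")
        for v in vals:
            if line_of(v) != 2:
                out.append(f"{subject}: threshold change validated by {v.role} (line {line_of(v)}), not the second line")
            if v.actor == ch.actor:
                out.append(f"{subject}: {v.actor} both changed and validated the threshold")
            elif line_of(ch) == 2 and v.role == ch.role:
                out.append(f"{subject}: {ch.role} both changed and validated the threshold (second line checking itself)")
    return out

def findings(events: list[Event]) -> list[str]:
    """One string per independence violation found in the log."""
    by_subject: dict[str, list[Event]] = {}
    for ev in events:
        by_subject.setdefault(ev.subject, []).append(ev)
    out: list[str] = []
    for subject, evs in by_subject.items():
        out += check_alert(subject, evs) + check_threshold(subject, evs)
    return out

# Constructed sample log (not real data), in recording order.
SAMPLE_LOG = [
    # A-1001: clean path. First line escalates; MLRO decides and documents why.
    Event("A-1001", "disposition", "jlee", "analyst", "escalate", "structuring across 3 accounts"),
    Event("A-1001", "sar_decision", "mkhan", "mlro", "file", "deposits just under reporting threshold"),
    # A-1002: the business made the SAR decision itself, by the same person, with no rationale.
    Event("A-1002", "disposition", "rpatel", "relationship_manager", "escalate", "unusual wire"),
    Event("A-1002", "sar_decision", "rpatel", "relationship_manager", "no_file", ""),
    # A-1003: compliance reviewed the alert before the first line had dispositioned it.
    Event("A-1003", "sar_decision", "mkhan", "mlro", "no_file", "known customer, expected activity"),
    Event("A-1003", "disposition", "jlee", "analyst", "close", "agree with compliance"),
    # A-1004: escalated and then dropped; no second-line decision on file.
    Event("A-1004", "disposition", "jlee", "analyst", "escalate", "rapid movement of funds"),
    # TM-v7: business raised a detection threshold and signed off its own change.
    Event("TM-v7", "threshold_change", "rpatel", "relationship_manager", "9000 -> 12000", "too many alerts"),
    Event("TM-v7", "threshold_validation", "rpatel", "relationship_manager", "approved", "looks fine"),
    # TM-v8: first-line model owner changed it; model risk validated independently.
    Event("TM-v8", "threshold_change", "sgomez", "model_owner", "12000 -> 8000", "back-test drift"),
    Event("TM-v8", "threshold_validation", "aweber", "model_risk", "approved", "validated against Q2 back-test"),
    # TM-v9: model risk changed it and another model risk reviewer validated: team checking itself.
    Event("TM-v9", "threshold_change", "aweber", "model_risk", "8000 -> 7500", "tuning"),
    Event("TM-v9", "threshold_validation", "pnovak", "model_risk", "approved", "agree"),
]

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

Run against the sample, the clean records (A-1001, TM-v8) produce nothing and every other record produces at least one finding naming the actor or role that collapsed the lines. The point of keying the rules on recorded actor and role rather than on team names is the one the paragraph above makes: an examiner tests the trail, so the trail has to carry who decided, in which line, and why, or the check (and the independence) cannot be demonstrated.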
Where does the term come from?
The framework was formally articulated by the Institute of Internal Auditors in its 2013 position paper, "The Three Lines of Defense in Effective Risk Management and Control." Before that, similar structures existed informally in European banking guidance. The Dutch Central Bank described the architecture in supervisory guidance during the early 2000s, and UK FSA examination frameworks referenced it from around 2005.
The IIA revised the concept in July 2020 with a new document called "The Three Lines Model," dropping "Defense" to shift emphasis from sequential protection to organizational coordination. The Basel Committee's 2015 "Corporate Governance Principles for Banks" references the same layered structure, and the EBA codified it as a regulatory requirement in its 2021 internal governance guidelines.
How FluxForce handles three lines of defense
FluxForce AI agents monitor patterns related to the three lines of defense in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.