Financial Services Compliance Blog - Thistle Initiatives

First Line of Defence: Designing a Robust Quality Control Framework

Written by Michael Knight-Robson | Feb 12, 2026 7:30:00 AM

Following the first article in the series, Thistle’s Michael Knight-Robson focuses on the front line of defence, where risk is either mitigated or materialises, and explains what strong first line quality control looks like in practice, why it matters, and the steps firms should take to build it.

For a number of years, financial crime controls sat within the second line of defence (2LOD). But as the FCA began pushing its message that the business should own and manage financial crime risk, firms responded by moving teams into the first line of defence (1LOD) to conduct key controls such as customer due diligence (CDD), transaction monitoring alert review, and name screening disposition.

However, what transpired was that these teams often became operational processors, focusing on ticking boxes and following checklists. In many cases, the business was still not truly owning the financial crime risk. What the FCA expects is for the first line to not only conduct the controls, but also own the quality of those controls.

The effectiveness of any financial crime compliance framework starts with the quality of execution in the 1LOD. While governance, oversight, and independent review are critical, no amount of second or third line (3LOD) assurance can compensate for weak controls at the point of execution.

In financial crime compliance, the first line is where risk is either mitigated or materialises. Key financial crime controls, if not performed adequately at the outset, can expose a firm to severe financial crime consequences. Missing a sanctioned ultimate beneficial owner or overlooking a fraudulent transaction are very real possibilities. If missed by the 1LOD, criminals can use the firm to facilitate financial crime. Ultimately, if these activities are inconsistent, poorly evidenced, or incorrectly performed, downstream oversight by the 2LOD becomes reactive rather than preventative.

Why 1LOD Quality Control Is Non-negotiable

Many firms incorrectly assume that quality assurance is the responsibility of the second line. This approach is fundamentally flawed.

The FCA, as well as other external interested parties such as banking partners and investors, increasingly expect firms to demonstrate that the first line owns control effectiveness and that errors are identified, analysed, and remediated proactively.

To support this, firms should implement a strong first line quality control framework. A robust approach helps:

  • Prevent poor decisions from progressing undetected

  • Improve consistency across staff and teams

  • Reduce dependency on second line remediation

  • Demonstrate a mature compliance culture

Key Pillars Of An Effective 1LOD QC Framework

A successful 1LOD quality control (QC) framework is built on four pillars:

  1. Ownership and accountability

  2. Coverage

  3. Objectivity

  4. Development

Ownership and Accountability

For QC to be effective, ownership must sit unequivocally within the 1LOD. The first line is not only responsible for executing financial crime controls, but also for owning the quality and effectiveness of those controls. Where QC is perceived as something “done to” the business by Compliance or the second line, its value rapidly diminishes.

Ownership means that QC findings actively feed into 1LOD governance, decision-making, and remediation. Findings should inform how teams are trained, how procedures are clarified, and how workloads and complexity are allocated.

Crucially, accountability for addressing QC findings, whether individual or systemic, must sit with 1LOD management.

Effective approaches typically include:

  • Individual feedback loops, providing staff with clear, timely insight into errors, expectations, and improvement areas

  • Team-level QC dashboards, enabling managers to monitor performance, trends, and emerging risks

  • Regular trend reporting to senior management and financial crime governance forums

  • Clear escalation pathways for recurring or systemic issues that indicate control weaknesses rather than individual performance concerns

This approach ensures QC is not simply a control, but a management tool, one that supports accountability while reinforcing a strong risk culture.

Questions for firms to consider:

  • Is QC clearly owned by the 1LOD, or is it effectively delegated to Compliance?

  • Do QC findings meaningfully influence 1LOD governance discussions and decisions?

  • Are QC insights used to improve processes and controls?

Coverage

QC coverage must be sufficient to provide confidence in control effectiveness. In particular, when new products are developed, new teams are formed, new tools are implemented, or new processes or controls are introduced, firms’ QC should begin with 100% coverage.

This means that, initially, every relevant CDD/EDD file, alert, or case completed by a team member is subject to QC. Some may argue that this approach is not in line with the FCA’s principle of a ‘risk-based approach’. However, while resource (and cost) intensive, this approach is critical during periods of change.

Initial full QC coverage serves several important purposes:

  • Establishes a clear and objective baseline of quality across a team

  • Enables early identification of systemic errors before they become embedded

  • Highlights training gaps and unclear procedures

  • Generates reliable performance data that can be used to inform future operating model decisions

At this stage, the primary objective is learning and stabilisation, not performance management. Firms that prematurely reduce QC coverage often do so without truly understanding their underlying quality profile, leaving them exposed to undetected risks.

QC testing itself must be well defined, use clear guidelines and scoring, and assess:

  • Adherence to relevant policies and procedures

  • Accuracy of decisions and outcomes

  • Correct application of escalation and approval requirements

Questions for firms to consider:

  • Can we clearly articulate why our QC coverage level is appropriate for the risk?

  • Do we have sufficient coverage for changes to processes and controls?

  • Are our QC standards and checklists sufficiently detailed and consistently applied?

Objectivity

A mature QC framework moves beyond binary pass or fail outcomes. While simple outcomes may be easy to report, they provide limited insight into why issues occur or how they should be addressed.

Structured categorisation allows firms to distinguish between errors that present genuine risk exposure and those that are primarily quality or consistency issues. These could include:

  • Critical – fails to meet regulatory obligations (e.g. fails to appropriately verify the identity of the customer)

  • Material – fails to meet industry guidance/best practice (e.g. unclear rationale for discounting an alert)

  • Minor – fails to meet the firm’s internal document and papering requirements (e.g. the CDD file does not meet the required file structure)

Equally important is root cause analysis. Each QC finding should be linked to an underlying driver, such as:

  • Knowledge or training gaps

  • Ambiguity or weaknesses in procedures

  • System or tooling limitations

  • Time pressure, resourcing constraints, or volume spikes

This helps shift QC from a backward-looking control into a tool which can offer valuable insight to support remediation.

Questions for firms to consider:

  • Do our QC outcomes provide meaningful insight, or simply pass/fail statistics?

  • Can we clearly differentiate between critical, material, and minor errors?

  • Do we consistently perform root cause analysis, or stop at error identification?

  • Are QC insights actively used to improve procedures, systems, and resourcing decisions?

Development

Once sufficient quality has been established, firms should transition from 100% QC coverage to a route-to-competency model, where QC coverage is driven by a team member’s experience and capability, and is aligned to the firm’s business-wide risk assessment.

For those perturbed by the 100% QC previously mentioned, this approach is, when deemed appropriate, more aligned to the FCA’s risk-based principles and ensures that resources are focused where they are most needed.

Firms are often cautious about assessing an individual’s ‘competency’ on such a finite scale, but financial crime compliance should be measured like all other business matters. Results matter, and how a firm responds to those results defines its culture.

A robust ‘route to competency’ model includes:

  • Defined competency levels across all team members (from new joiners to competent team members)

  • Consequent risk-based QC thresholds for each level (percent of cases QC’d at each level)

  • Clear competency promotion criteria (sustained QC pass rates)

When implemented effectively, this model reinforces QC as fair, developmental, and credible. Individuals understand what is expected of them, team leads can support individuals with further training where needed, and firms can clearly demonstrate a risk-based approach to regulators.

Questions for firms to consider:

  • Is QC intensity genuinely risk-based, or applied uniformly regardless of capability?

  • Are promotion and progression decisions supported by objective QC evidence?

  • Does our QC framework actively support capability building?

Conclusion

A weak and ineffective 1LOD can significantly impact a firm’s ability to comply with its financial crime requirements.

Consequently, it is paramount that firms are confident that their operational teams not only ‘sit’ in the 1LOD, but also own the quality and effectiveness of the controls that they conduct. Errors need to be identified quickly so that systemic weaknesses do not occur; by the time the 2LOD and/or 3LOD identify them, it could be too late. Without this foundation, second and third line assurance will always be compensating for preventable failures at source.

Next week, I will be diving into how the 2LOD’s monitoring and testing programme can complement the 1LOD’s QC framework to help provide firms with further assurance that their systems and controls are working effectively.

How Thistle Initiatives Can Help

Thistle’s financial crime team provides clear, independent assurance that shows whether your systems and controls work as intended.

We test frameworks end to end, highlight the gaps that carry real risk, and give practical steps to strengthen oversight and control effectiveness. Our aim is simple: to help firms demonstrate a robust, well-evidenced financial crime compliance framework that stands up to regulatory and stakeholder scrutiny.

Meet the Expert

Michael Knight-Robson, Financial Crime Partner  

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.