Why does the Three Lines of Defence model remain essential in financial crime compliance, and how can firms use it to strengthen oversight and control effectiveness? Financial Crime Partner Michael Knight-Robson outlines the key considerations as part of a new series on building practical, risk-based assurance.
Financial crime compliance has changed significantly since I first joined the industry in 2010. What was once a back-office administrative function is now a core part of a firm’s ability to scale safely and sustainably. Regulators, banking partners, investors, and customers now expect firms to demonstrate not only that controls exist, but that they are effective in mitigating financial crime risk.
Although the regulations do not specifically require firms to have a ‘Three Lines of Defence’ model, a framework that is regularly tested and continuously improved to counter evolving risks goes a long way towards ensuring that firms maintain effective systems and controls.
While the Three Lines of Defence concept is well-established across many firms, its practical implementation in financial crime compliance is often inconsistent, poorly evidenced, or overly theoretical. Many firms struggle to translate the model into meaningful risk-based testing and defensible assurance outcomes.
Although the industry is becoming more automated through smarter, artificial-intelligence-driven technology, financial crime compliance controls still rely heavily on human decision-making, which makes structured oversight and challenge essential.
A well-designed Three Lines of Defence model achieves several critical objectives:
Clear Ownership and Accountability - The model structurally establishes that financial crime risk is owned by the business, not outsourced to compliance or audit. The first line of defence (1LOD) implements policy and operates controls; the second line (2LOD) advises, oversees and challenges; and the third line (3LOD) provides independent assurance.
Early Identification of Control Failures - Continuous monitoring and testing ensure that issues are identified before they crystallise into systemic failures and, potentially, regulatory breaches. Errors missed by the 1LOD should be detected by 2LOD monitoring, and weaknesses across the 1LOD and 2LOD should be identified through independent 3LOD review.
Evidence of a Mature Compliance Culture - A functioning Three Lines of Defence framework signals that financial crime compliance is embedded in the organisation’s operating model, decision-making and risk culture, rather than treated as a one-off compliance exercise.
While the Three Lines of Defence framework is conceptually simple, its effectiveness depends on how clearly roles are defined, how testing is structured, and how outcomes are used.
The 1LOD consists of the business teams and operational functions that build processes from policy requirements and manage and execute financial crime controls on a day-to-day basis.
A robust 1LOD does not simply “perform controls” but:
Takes accountability for control quality
Performs structured quality control (QC) on its own activities
Builds competency and consistency across staff
Owns remediation of issues at source
The second line, typically the financial crime compliance function, should primarily be responsible for oversight, challenge, and assurance, as well as supporting the 1LOD through advice and escalations. It should not execute controls, but evaluate whether they are operating effectively.
An effective 2LOD framework includes:
Risk-based quality assurance (QA) testing
Independent challenge of business decisions
Thematic reviews and root cause analysis
Clear review of escalations and governance mechanisms
The third line provides independent and objective assurance over both the 1LOD and 2LOD. This is typically delivered by internal audit or, in some cases, external reviewers.
A strong 3LOD:
Assesses effectiveness of the overall framework
Identifies systemic weaknesses
Provides senior management and boards with confidence
Acts as a final defence ahead of regulatory review
Despite widespread adoption, many firms fall into similar traps:
Treating the 1LOD as purely operational with no responsibility for quality
Over-reliance on 2LOD monitoring and testing to compensate for ineffective 1LOD controls
Sampling frequency and volume that are not aligned to the firm’s business-wide financial crime risk assessment
Blurred accountability between compliance, operations, and audit
3LOD reviews that are too infrequent or too high-level, and conducted by generalists rather than financial crime subject matter experts
A mature model avoids these pitfalls by designing quality and accountability into each line, rather than using other lines of defence to compensate for earlier failures.
As with all things financial crime, a risk-based approach is needed to ensure a firm’s Three Lines of Defence model is proportionate. However, several firms I have worked with over the years have argued that elements of a typical Three Lines of Defence model are not relevant to them because of their size. I would counter that all firms should have each element embedded in their framework to some degree, although the extent of the testing and assurance will depend on a firm’s size, business model and risk profile.
Over the next month, I will explore each line of defence in more detail. I will focus on how firms can use practical testing, evidence, and governance to build a financial crime assurance framework that works in real life.
As many clients say, “you can’t know what you don’t know”. A strong Three Lines of Defence model helps firms understand where their gaps are and where to focus their efforts.
Thistle’s financial crime team provides clear, independent assurance that shows whether your systems and controls work as intended. We test frameworks end to end, highlight the gaps that carry real risk, and give practical steps to strengthen oversight and control effectiveness. Our aim is simple: to help firms demonstrate a robust, well-evidenced financial crime framework that stands up to regulatory and stakeholder scrutiny.
Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.