The Three Lines of Defense: Simple in Theory, Tougher in Practice

What's the deal with the 3 lines of defense?

When speaking to funds and other regulated companies, I almost always discuss the Three Lines of Defense (LoD) model.

The idea of the lines of defense was first formulated in 2011 by the Basel Committee in their report “Principles for the Sound Management of Operational Risk”, where it was tied to operational risk management principles. That said, it had been in the making for years before that among more mature risk management practitioners.

It’s a model that's easy to understand in theory but hard to implement in practice, because implementation is usually when all the dilemmas and organizational differences come to light. In short, the 3 lines and their responsibilities are:

1st Line of Defense: Business Units and Front-Line Employees.

✅ Implement internal controls within their business processes.

✅ Identify, assess, and manage risks.

✅ Ensure adherence to policies and procedures.

✅ Escalate risks or compliance breaches to the 2nd line when necessary.

2nd Line of Defense: Risk Management and Compliance Functions.

✅ Develop and enforce policies to manage risks.

✅ Provide oversight and challenge the 1st line’s risk-taking decisions.

✅ Monitor the 1st line’s compliance performance and report on it.

✅ Monitor regulatory changes.

✅ Conduct risk assessments and provide policy training and advisory support.

3rd Line of Defense: Internal Audit and Independent Assurance.

✅ Provide independent assurance about effectiveness across all lines of defense.

✅ Conduct audits to assess internal controls and governance structures.

✅ Recommend improvements and corrective actions and report findings.

The typical problem for a smaller organization is that it's simply impossible to spread the lines of defense across multiple people. This means you will have people “double-hatting” across 1st and 2nd LoD tasks, which raises the bar both for documenting conflicts of interest and for the integrity required of that person.

There is no silver bullet here other than being fully transparent about the conflicts by documenting them in the relevant framework documents. This way, the firm shows the regulator that it is making conscious choices. Even a wrong choice is better when it is well documented, because the regulator can see that the firm has thought about it and been transparent about it.

For bigger organizations, the problem is related to the size of the beast and the time it takes to implement changes. Implementing the LoD model requires larger changes, including moving tasks (and often people), reporting obligations, processes, and technology. The sheer grit and grunt work required is often underestimated, but it always starts with some very long workshops to define the to-be solution.

After this come the actions and changes needed to get there. Again, it’s better to have defined the to-be model and be transparent that it's still under implementation than to knowingly operate a model that is not fit for purpose and has been poorly implemented.
