The lines of defence model is familiar to most governance, risk and compliance professionals. In financial crime compliance, however, the model is often quoted more than it is understood.
The weakness usually starts when the model is treated as an organisational chart. First line, second line and third line become labels attached to departments, rather than a discipline for allocating accountability. In practice, the model should answer a more useful question: who owns the risk, who challenges the risk owner, who independently tests the control environment, and who externally supervises or reviews the institution?
Ownership, oversight, assurance and supervision
The first line owns and manages the financial crime risk arising from business activity. It is where customers are onboarded, transactions are processed, products are launched, suppliers are appointed and controls are operated. This line must understand the financial crime implications of what it does.
The second line provides oversight and challenge. It interprets obligations, advises on controls, monitors adherence, challenges decisions and reports weaknesses. In the South African environment, this includes the practical oversight required to support the implementation and maintenance of an RMCP and related AML/CFT/CPF controls.
The third line provides independent assurance. Internal Audit should assess whether the governance framework and controls are designed appropriately and are operating effectively. It should not be drawn into designing the controls it is later expected to audit.
External Audit and regulators are different. They are not additional internal lines of defence. External Audit provides assurance or other work within a defined mandate. Regulators and supervisory bodies issue guidance, inspect, supervise and enforce. Their role is important, but it is external to the institution’s own governance model.
Where the model breaks down
In financial crime compliance, breakdowns often occur when one function is expected to do too much. The business may assume that Compliance owns all AML, sanctions and suspicious activity risk. Compliance may then become involved in operating first-line controls because the business lacks capability. Internal Audit may be asked to provide advice that edges into control design. External Audit may be treated as though its work replaces internal assurance.
Each of these developments may appear practical in the short term. Over time, they weaken accountability.
An institution cannot demonstrate effective financial crime governance if the same function operates the control, monitors compliance with the control, validates remediation and assures the board that the control is effective. The problem is not merely technical. It is a self-review and independence problem.
Applying the model in South Africa
South African accountable institutions should use the lines of defence model to support practical implementation of FIC Act obligations. This includes governance over the RMCP, customer due diligence, beneficial ownership, politically exposed persons, targeted financial sanctions, account or transaction monitoring, reporting controls, recordkeeping and training.
The model should also be applied proportionately. A bank may have mature and separate first, second and third line functions. A smaller DNFBP may not. But proportionality does not mean informality. The institution should still be able to explain how business ownership, compliance challenge and independent review are preserved.
The question is not whether the structure looks ideal. The question is whether it works and whether the institution can evidence that it works.
| For access to the full FCRMC white paper on financial crime role clarity and the lines of defence, contact us directly. |
