Financial institutions have been working with the three lines of defence (3LOD) model in some shape or form since the early 2000s. After the 2008 financial crisis, the ideas behind the three lines of defence in risk management were codified by the Institute of Internal Auditors and adopted by financial services firms and regulators globally.

While the 3LOD model is undoubtedly a crucial tool in banking risk management, it is not perfect: it requires full understanding and adherence from teams in all functions of an organisation, and it can contribute to negative outcomes such as siloed knowledge and duplication of effort and action.

In a changing risk environment, compliance teams are required to do ever more to keep up with regulations as well as their own organisation’s advancements. Using the 3LOD alone may not be enough. This guide walks through all you need to know about the 3LOD model, and also introduces anti-money laundering products and solutions from Salv, which can help businesses of all sizes better understand, measure, and manage their compliance.

What are the three lines of defence?

This guide walks through the three lines of defence and how they work from the standpoint of Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT), particularly in the banking sector. The Basel Committee on Banking Supervision Guidance sets out the three lines of defence in banking risk management:

  • First line of defence: carrying out risk management processes within the business units, e.g., front office and customer-facing staff.
  • Second line of defence: ongoing monitoring of the fulfilment of all AML/CFT duties, including review and escalation of related issues.
  • Third line of defence: independently evaluating the risk management and the effectiveness of AML/CFT controls, i.e., internal audit.

We’ll walk you through each line of defence one by one to look at what this model means in practice, and how it can be deployed to support compliance and risk management in the banking sector.

First line of defence

The first line of defence acts as an important gatekeeper to prevent money laundering and other illegal behaviour by identifying and mitigating immediate risks, using policies and processes that have been created by compliance teams.

The Financial Markets Standards Board’s review of the 3LOD model highlights the importance of helping the first line of defence to understand the role they have to play in risk management, as well as the need to ensure the physical and emotional wellbeing of front-line staff so that they can fully contribute to risk management processes.

What is the first line of defence (1LOD)?

As with all aspects of the 3LOD model, this line of defence only works as well as the individuals implementing it. For that reason it is crucial that staff are given the training, resources and time to complete the required AML/CFT processes. Pre-employment screening processes should be in place, based on the ethical and professional requirements of the specific role. Training on risk management should take place as quickly as reasonably practicable, and should be regularly refreshed and updated.

Exactly what the first line of defence looks like could vary from one organisation to the next, and training processes should be tailored both to the risk factors of a particular business, and the job function and scope. Keeping risk management front and centre of the organisational culture helps to engage front line staff, and ensure that the 1LOD works effectively.

First line of defence in banking risk management

As part of the first line of defence in banking risk management, organisations must have clearly written and set-out policies and processes, with an emphasis on prioritising risk management among day-to-day tasks.

The responsibility for completing the assigned risk management duties lies with the individual member of staff – but the requirement to ensure clear policies, training, guidance and support can be seen to fit into the compliance, HR, IT, and training functions, as well as being part of every manager’s role. For this reason, it’s important to see the 3LOD as a cross-functional operation rather than a siloed activity, and to ensure clear communication and definition of roles in risk management to avoid ambiguity.

Second line of defence

The second line of defence includes the officer in charge of AML/CFT, the compliance function, and other connected experts such as HR teams involved in training and IT teams supplying technological solutions to support banking risk management. In short, the second line of defence is responsible for AML risks.

What is the second line of defence (2LOD)?

The second line of defence includes risk management and compliance expert teams. While this line of defence may look quite different from one organisation to another, it is important to note that this model requires a cross-functional group of people who act together to manage and mitigate risk.

At heart, the second line of defence exists to ensure the first line of defence is able to consistently and effectively complete the tasks required of them regarding risk management. As part of this, it is crucial that members of these compliance expert teams are able to share and educate first line of defence staff on risk appetite as well as risk management.

There needs to be a collaborative discussion to allow expectation setting, and the overarching policies must be coherent to ensure the first and second lines of defence work towards the same goals.

Second line of defence in banking risk management

2LOD teams are typically responsible for creating the processes and policies used by the 1LOD team members, and may also play a role in managing the implementation of these policies. Controls created by the second line of defence should be measured regularly and with a mind to taking action in a timely fashion.

As business models evolve and the technical environment changes, it is important to ensure the technical competence of all members of the 2LOD so that risk management approaches are continually improved and refined. Getting to know tools from innovative providers like Salv can also help the second line of defence to remain ahead of the evolving technical and regulatory environment without increasing the burden of their duties. Salv provides a core compliance toolset that includes PEP and sanctions screening, customer and transaction monitoring, and customer risk scoring, all crucial tools in the drive to reduce and prevent fraud, money laundering and other illegal activities.

Third line of defence

The third line of defence in banking is internal audit. This includes the end-to-end measurement of the effectiveness of risk management tools, processes and practices, including following up audit outcomes to ensure compliance and improvement.

What is the third line of defence (3LOD)?

The third line of defence in banking risk management is internal audit, which is tasked with auditing the suitability of the organisation’s AML/CFT policies and procedures, the effectiveness of their implementation by staff members, the effectiveness of both manual and automated compliance oversight and quality control, and how well the staff involved in risk management measures are trained.

Third line of defence in banking risk management

Exactly how the third line of defence works will depend on the individual organisation. Audit process and frequency can be determined by the risk profile of the organisation, and the tools being used can also be tailor-made to suit the specific case. External auditors may also be used to audit some or all of an organisation’s risk management approaches, again with tools and processes which suit the specific situation.

Collaboration can also be strengthened across organisations using tools such as Salv Bridge. Salv Bridge is a platform for collaborative investigations which allows teams across multiple institutions to join forces in a network of trusted institutions to detect and investigate fraud, share information on bad actors, and recover funds.

Key benefits of implementing an effective 3LOD

The FSA’s report – Enhancing frameworks in the standardised approach to operational risk – highlights that an effective 3LOD approach has several key benefits, including:

  • Better awareness of operational risk from all team members, regardless of level or function.
  • Cultural shifts away from blame, and towards being able to spot and improve issues without fear of punishment.
  • Improved mechanisms for challenge throughout all levels of the organisation, to ensure that improvements are made quickly.

Of course, these benefits are far-reaching and can contribute to better business performance as a whole, while also improving risk culture and compliance.

Strengthening three lines of defence in banking

In its latest report, the UK’s standard-setter for banks, the Financial Markets Standards Board (FMSB), called for firms to strengthen the widely adopted Three Lines of Defence (3LOD) framework to keep up with the fast-changing times. These recommendations are broad-reaching, and include:

  • Tools and processes covering AML/CFT and risk management should be company-wide and complete. Monitoring, analytics and measurement can be used to keep on top of risk and compliance issues.
  • Clear policies should be in place for near misses and failures, to allow businesses to grow and learn. Policies in place must be properly followed, and clear escalation methods must exist for policy failures.
  • Board awareness and understanding of risk is important for effective implementation of the three lines of defence model.

Three lines of defence FAQ

1. Which line of defence owns the AML risk?

In most cases, the second line of defence handles AML risks. They also ensure that the first line of defence includes compliance practices and regulations in their daily work. In smaller companies, the responsibility for AML compliance risk might fall on the first line of defence. Ultimate accountability for the effective implementation of the 3LOD model lies at board level.

2. What else can be done to strengthen three lines of defence in banking?

The Three Lines of Defence report from PwC focuses on compliance risk management practices for insurers, with reference to banks and investment firms. The report highlights in particular the importance of organisational integration, collaboration and increased transparency.

Integration. Compliance must be fully embedded into daily operations in order to be effective. All individuals must have clearly defined responsibilities when it comes to risk management and mitigation, for all lines of defence to work together as a single mechanism.

Collaboration. Compliance risk management is a collaborative process that brings together various control functions within the organisation, including the creation of ‘centres of competence’. Collaboration with other control functions can be formalised using service level agreements (SLAs), which reduce ambiguity and can help stop duplication or gaps.

Transparency. To allow and promote integration and collaboration, data must be shared transparently across all control functions. Sharing both quantitative and qualitative data allows the creation of dashboards which give all involved a clear, ongoing view of early indicators of potential compliance deficiencies. Learn more about how to measure compliance goals here.

The three lines of defence model is crucial as a lens through which to assess the risk management tools, processes, and practices in the banking sector. However, it is not enough on its own and is not intended to be a panacea. Ultimately, the 3LOD model has some drawbacks, and will only ever be as strong as the holistic risk culture built in a business.

It is essential that organisations continue to evolve the tools and approaches to risk they use, to fit the evolving technological and regulatory environment. Solutions such as Salv can help. Salv provides a core compliance toolset that includes PEP and sanctions screening, customer and transaction monitoring, and customer risk scoring. With Salv Bridge, fincrime teams across multiple institutions can initiate collaborative investigations and detect and investigate fraud in real time, improving the success of the recovery of funds by up to 80%.

Book a demo and find out how you can improve the recovery of funds – ahead of the PSR’s mandatory reimbursement 2024.

We build security into our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS, etc.) to ensure that our security management system meets the highest standards.

Salv holds an ISO/IEC 27001:2022 certificate, as well as an ISAE 3000-compliant SOC 2 Type 2 report.