The three lines of defence, or are we just testing the same thing?

[Image: title card reading "Risk assessment reframed - Three lines of defence, or are we just testing the same thing?"]

Most financial institutions operate some form of the three lines of defence model. Fewer are clear on what each line is actually meant to examine.

The idea is simple. The first line operates the controls. The second line provides oversight and challenge. The third line provides independent assurance.

In theory, the model creates a clear division of responsibilities. Each line examines the financial crime framework from a different perspective. In practice, however, the distinction can become less clear.

When assurance becomes repetitive

When financial crime programmes are reviewed closely, a familiar pattern often emerges. First-line monitoring reviews controls. Compliance monitoring reviews similar areas. Internal audit revisits many of the same themes. Supervisors may examine those areas again through thematic work or supervisory engagement. The result can feel like a great deal of assurance activity, but with an uncomfortable question beneath the surface. Are the three lines examining different aspects of the framework, or simply repeating the same testing?

Why the model starts to drift

That question becomes more visible in practice. I can recognise it from experience, particularly when trying to get KYC remediation files signed off across multiple stakeholders, where progress can feel less like a process and more like competing priorities. In my recent blog on transaction monitoring, I explored what happens when a control framework expands without a clear architecture guiding it. The same issue arises here.

If the architecture of risk is not clearly defined, it becomes difficult to say what each line of defence should actually be examining. When that happens, the three lines gravitate toward what is most visible: control testing. The result is overlapping reviews, duplicated testing and, at times, competing interpretations of the same issues. The distinctions between the lines exist on paper in many organisations; in practice they are harder to sustain.

The issue is not the existence of three lines. It arises when all three focus on the same layer of the framework. A clearer answer begins by stepping back from the three lines themselves and looking at the underlying architecture of financial crime risk.

Reframing the three lines of defence

In a well-structured financial crime framework, external intelligence informs the organisation's understanding of risk. That understanding is expressed through the business-wide risk assessment (BWRA), which identifies the exposure drivers that shape risk and the risk events through which financial crime might manifest. Controls are then designed to prevent or detect those risk events. Monitoring activity generates insight into how those controls perform, which in turn should refine the organisation's understanding of risk. Seen in this way, a financial crime programme operates as a cycle: intelligence informs risk understanding, risk understanding informs controls, and control outcomes generate further intelligence.

If that architecture is clear, the role of each line becomes easier to distinguish.

The first line focuses on control operation. Its role is to ensure that controls are functioning in practice through monitoring, investigation and escalation. The question it answers is straightforward: are the controls working?

The second line focuses on control design. It examines whether controls are aligned to the firm’s risks. Do monitoring scenarios correspond to the organisation’s risk events? Are thresholds calibrated to the firm’s exposure? Are there risks not adequately covered? The question it answers is: are we controlling the right things?

The third line focuses on framework integrity. Its role is not to test controls again, but to assess whether the framework is capable of identifying and managing the firm’s risks. That includes the BWRA methodology, the articulation of risk events and whether monitoring outcomes feed back into the risk assessment. The question it answers is broader: does the system itself make sense?

When the three lines operate in this way, assurance becomes complementary rather than repetitive.

The organising role of the BWRA

The BWRA should therefore do more than identify financial crime risks. It should provide the structure that clarifies what each line is responsible for examining. By articulating exposure drivers, risk events and the controls relied upon to mitigate them, the BWRA gives assurance activity a framework to be organised against: not just what is tested, but why. Without it, institutions risk operating a three-lines model that appears robust in form but is less clear in substance, with multiple functions focused on the same domain of control testing while the broader architecture receives less attention.

When the architecture is unclear, assurance becomes activity rather than insight.

Most frameworks have all three lines. Far fewer are clear on what each is actually meant to examine. The three lines of defence model was never intended to produce three versions of the same test. Its value lies in examining different dimensions of the system. When each line is anchored to a different layer of the risk architecture, the result is a stable and intelligible assurance framework.

The question is not whether the three lines are working. It is whether they are working together, and on the right parts of the system.
