Log In | Subscribe | | |

The Three Lines of Defence

It has become fashionable to talk of "The Three Lines of Defence" in relation to money laundering, terrorist financing, etc. Is it just more more quasi-militaristic buzzwords, so loved by Americans, and a pretence of intellect or is there genuine merit here?

The so-called "Three Lines of Defence" are and always have been the essence of money laundering risk management, control and compliance. The only merit in giving it a title is that perhaps non-practitioners, such as main boards, might, if they are tricked by the use of the term or impressed by its quasi-militaristic stance, at last realise that this stuff is serious and should form a part of the core management of any business, not only those in the financial and more broadly regulated sector.

Having said that, what do the terms mean? It's at this point that it will be realised that the only new thing is that someone has added a buzzword and that the bandwagoneers that follow buzzwords rather than substance have pushed it to the fore - and there it will stay until another one comes along. And, oddly, the militaristic terminology is not misplaced although it is taken from forms of combat that are now, to all intents and purposes, consigned to history.

Think of the serried ranks of cannon fodder with cavalry behind and senior officers directing from the rear. That's three lines of defence. And it's a fair representation of how financial crime risk management and compliance is arranged.

In any financial crime risk management system, the first line of defence is the cannon fodder: their job, at least so far as many companies see it, is to stand up and be counted and, in an increasingly automated world, not to do much else. But that is not how it should be: the first line of defence is where the customer and the institution come, literally, eyeball to eyeball. It is there that personalities can be assessed, as well as visual and other cues. The front office and other "customer-facing functions" consists of both sales and administration staff and it is there that Know Your Customer has the greatest chance of success. The failure of companies to ensure that all, absolutely all, staff who have any contact with customers are trained to identify anomalies between the information provided and personal observation as well as wider knowledge (i.e. intelligence, in the sense of information that is connected but, in the absence of other information, of unknown or little relevance or value) is one of the biggest reasons for failure of money laundering risk management and control not only within businesses but within society as a whole.

The second line of defence is a company's back office. These are the departments that receive, often from a wide range of disparate sources, information that, when collated and analysed, may produce sufficient for a finding that there are suspicious circumstances. Some try to codify a list of relevant departments that make up the second line of defence. That is a mistake. it's everyone that has an executive function and is not in the front line or within the third line, about which more in a moment.

So, while some say that personnel departments, operations, IT, legal and compliance are in the second line, that's unduly restrictive.

The third line is those who exercise command and control and their enforcers. The enforcers are internal audit. There was, some years ago, a move by internal auditors to move their role to that of internal consultants. That, thankfully, did not gain a great deal of traction. Had it done so, especially in areas where criminal responsibility arises for some but not all of those involved in the design and implementation of systems, would have created a clear and obvious conflict of interest.

The currency of the term is irritating: the fact that it takes a buzzword to make the industry pay attention to the essential truths that have been in place for a quarter of a century or so demonstrates the mind-boggling failure of the industry to come to terms with its function and purpose.

To criticise the term is to shoot the messenger. It's those who need a pseudo-professional, pretend-intellectual, phrase before they began to pay attention to the basics that need a kick up the behind.

Nigel Morris-Co...