Three Lines of Defense Model
The Three Lines of Defense model is a governance framework that assigns risk and compliance accountability across three tiers: frontline business units, dedicated risk and compliance functions, and internal audit. It clarifies who owns what responsibilities and prevents gaps in oversight that could allow misconduct or hidden risks to fester.
Origins in banking
The model gained prominence through banking regulation following high-profile failures. When Lehman Brothers collapsed in 2008 and major banks faced enforcement actions for mortgage-backed securities fraud, regulators recognised a pattern: risk management functions were either missing, underfunded, toothless, or actively overruled by profit-driven business units. The concept of separate “lines of defence” became codified in guidance from the Basel Committee on Banking Supervision and was later adopted by frameworks from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Institute of Internal Auditors (IIA).
Banks were not the only target. The model now shapes governance at insurance companies, asset managers, healthcare systems, and any large firm where distributed operations demand clarity about who polices whom.
The first line: business units
The first line consists of the operational business units themselves—traders, lending officers, insurance underwriters, product managers, sales teams. These units own day-to-day risk management: they set prices, underwrite clients, execute trades, and make hiring decisions. They are responsible for identifying risks inherent in their own activities and controlling them before escalation.
First-line controls include customer due diligence (knowing who you are doing business with), transaction monitoring (reviewing individual deals for red flags), position limits (caps on how much a trader can risk), and policy compliance (ensuring staff follow the firm’s procedures). The first line is closest to the action and can react quickly. But it is also where conflicts of interest live: a salesperson who knows a client will lose the deal if underwriting gets too strict has an incentive to classify risk optimistically.
The second line: risk and compliance functions
The second line is the firm’s dedicated risk management and compliance apparatus—the Chief Risk Officer (CRO), the compliance department, the legal team, the anti-money-laundering programme. These functions work parallel to business, not inside it. They set standards, monitor adherence, escalate violations, and provide independent challenge to business decisions.
The second line does not execute transactions. Instead, it reviews them. A compliance officer might flag that a client relationship breaches anti-corruption rules. A risk manager might reduce the size of a trade below the trader’s requested limit. The second line has authority to say no—or at least to escalate. The authority to override them normally rests with the board or the Chief Executive Officer.
Effectiveness of the second line depends on its independence and teeth. If the compliance officer reports to the business unit’s P&L owner rather than the Chief Executive Officer, she has a weak incentive to enforce standards. If her findings are ignored with no board awareness, the line becomes symbolic. Best practice places the CRO and Chief Compliance Officer on the executive committee and gives them direct access to the board’s risk committee.
The third line: internal audit
Internal audit is the independent assessment function: auditors review whether the first and second lines are actually doing what they claim. They do not manage risk or run compliance; they verify that the systems designed to do so are working.
An internal audit might find that a business unit is processing customer complaints so slowly that violations are missed. Or that the second-line risk team is monitoring the wrong metrics. Or that a control procedure is so cumbersome that staff have stopped using it. Internal audit reports directly to the audit committee of the board (not to management), which gives it authority to surface problems without fear of retaliation.
Audit’s power lies in independence and frequency. A rigorous internal audit programme can detect things management wishes to hide. A weak one—understaffed, infrequent, reporting through management—is largely ornamental.
Ambiguity and overlap in practice
The model is cleaner in principle than in practice. Boundaries blur. Does a business unit’s risk team belong to the first line or the second? What if the same person approves a transaction and monitors it for compliance—is that dual ownership or a missing control? Does the Chief Financial Officer (who reports P&L) or the Chief Risk Officer (who does not) have final say on a controversial deal?
Large firms add sub-layers: risk committees within business units, compliance liaisons embedded in operations, a separate anti-fraud team. Smaller firms compress the model into fewer roles. The IIA issued an updated framework in 2020 (renamed simply the “Three Lines Model”, dropping “of Defence”) that acknowledges this spectrum, but the core idea persists: checks should be distributed so that no single person or function can hide misconduct.
Why it matters for enforcement
Regulators and prosecutors now routinely assess the three-lines structure when deciding enforcement outcomes. A bank that engaged in bribery but had no functioning compliance function faces harsher penalties than one where the second line flagged the misconduct and management ignored it. The presence of a control layer, even one that was breached, demonstrates good-faith governance.
For individuals accused of wrongdoing, the structure becomes important too. An employee who reported misconduct to the compliance officer and was ignored has a different position than one who acted alone. A manager who overrode the risk function’s objections must answer for that decision.
See also
Closely related
- Suspicious-activity-report — a second-line compliance filing triggered by first-line monitoring
- Whistleblower-program-sec — an external oversight mechanism when internal lines of defense fail
- Dodd-frank-act — legislation that codified Chief Risk Officer independence in banking
- Federal-reserve — regulator that enforces three-lines governance in banks
- Securities-and-exchange-commission — oversees compliance structure in investment firms
Wider context
- Stress-testing — a second-line control mechanism in banking
- Capital-adequacy — risk measurement underpinning regulatory oversight