Back to Blog
Governance

Three Lines of Defence: Getting It Right in Regulated Organisations

RB
Ryan BestStrategic Compliance & Investigative Consultant
7 min read
GovernanceComplianceRisk Management

The Three Lines of Defence model is cited in almost every governance framework I have reviewed across regulated industries. It appears in AML policies, in board reports, in regulatory submissions — from financial services and gaming to healthcare and legal. It is also, in my experience, misunderstood and misimplemented in the majority of regulated organisations, where the model is applied as a label rather than a structure.

This matters because regulators are increasingly evaluating the Three Lines not as a checkbox — "yes, we have it" — but as a functional governance question: does each line actually operate independently, with appropriate authority and resource, to provide the oversight the model promises?

What the Three Lines Model Is — and Isn't

The model originated in financial services — formalised by the Basel Committee and widely adopted by the FCA and Prudential Regulation Authority as a governance standard for banks and financial institutions. It has since been adopted across gaming, healthcare, legal, and corporate sectors as a universal framework for distributing accountability.

The logic is clear. Line 1 — operational management — owns and manages risk. The business units, customer-facing teams, and operational functions: these are Line 1. They are closest to the risks and responsible for the controls embedded in day-to-day activity. Line 2 — risk management and compliance — provides oversight and challenge. The MLRO, the compliance function, the risk management team: they set standards, monitor adherence, and provide independent challenge to Line 1. Line 3 — internal audit — provides independent assurance to the board and senior leadership that Lines 1 and 2 are working as intended.

The model is not a description of who does compliance. It is a governance structure that distributes accountability and ensures independent oversight at every level.

What it is not: a structure where compliance does the compliance work, calls it Line 2, and everyone else considers themselves covered. That is one compliance function doing everything, with a label attached that implies independence that doesn't exist.

Why Regulated Organisations Get Line 1 Wrong

Line 1 ownership is the most consistently underdeveloped element in regulated governance across every sector I work in. The reason is usually cultural: compliance is treated as a specialist function that handles "compliance things," and operational staff — whether they are relationship managers in a bank, account executives in an insurance firm, VIP hosts in a casino, or ward managers in a healthcare setting — see their role as delivery, not risk management.

This creates a structural gap. If your customer-facing team doesn't see itself as part of the risk management structure, the risks embedded in those relationships are not being managed by anyone in Line 1. They are being discovered later by compliance or audit, by which time the exposure has already materialised.

A well-designed Line 1 has risk ownership embedded in operational roles. Customer-facing managers have documented responsibilities for AML red flag escalation. Onboarding teams have CDD obligations built into their processes. Front-line staff have clear protocols for red flags specific to their sector. These responsibilities are trained, tested, and measured — not just listed in a policy document.

How Compliance and Audit Get Conflated

The most damaging failure mode I see across regulated environments is the conflation of Line 2 and Line 3 — most commonly in smaller organisations where a single compliance function performs both roles, or where internal audit reports to the same senior manager who owns compliance.

When the same team that runs the AML programme also audits it, you do not have independent assurance — you have self-review. This is precisely what the model is designed to prevent. A compliance function cannot provide meaningful assurance on the adequacy of the compliance function. You need someone else to do that: an independent internal audit function, an external auditor, or a third-party review.

In smaller regulated organisations, true independence at Line 3 may require using external resource — an independent compliance reviewer or specialist auditor conducting periodic reviews of AML, regulatory compliance, and governance frameworks. This is not a luxury; it is a basic governance requirement that regulators across financial services, gaming, and other sectors will ask about.

What a Properly Designed Model Looks Like

For a financial services firm: Line 1 is the business — relationship managers, trading desks, operations teams — with documented risk ownership. Line 2 is a compliance and risk function that is genuinely independent from the business it oversees, with direct board-level reporting. Line 3 is internal audit with an independent charter, reporting directly to the audit committee — not through the CFO or CEO.

For a gaming operator: Line 1 is the floor, cage, customer success, and marketing teams with documented AML and RG responsibilities. Line 2 is a compliance function headed by an MLRO with a direct reporting line to a board member — not through the operations director. Line 3 is internal audit with the technical capability to audit AML, responsible gambling, and data protection frameworks — not just financial controls.

For any regulated organisation: the structure is the same. The specific regulatory frameworks differ; the governance architecture does not.

Governance Committee Structures

The Three Lines model only works if there is a governance structure above it that receives and acts on what each line produces. In financial services, this is well-established: audit committees, risk committees, and remuneration committees are required by the FCA and PRA. In gaming, the equivalent structures are less consistently present — particularly in smaller operations. In corporate and healthcare settings, the governance infrastructure varies enormously.

At minimum, every regulated organisation needs:

- A board-level audit or risk committee that receives Line 3 reports and holds management accountable for findings - A management-level risk committee that reviews Line 2 reporting on compliance performance, regulatory risk, and emerging issues - An audit committee that approves the internal audit plan, reviews findings, and tracks management responses

These are not administrative bodies. They are the mechanism by which the board exercises oversight. If they meet infrequently, receive sanitised information, and don't challenge management — the Three Lines model is providing governance theatre, not governance.

Common Audit Findings on Three Lines Implementation

In my work reviewing governance frameworks and supporting regulatory inspections across financial services, gaming, and corporate environments, the most common audit findings related to Three Lines implementation are consistent across sectors:

Inadequate Line 1 ownership. Risk responsibilities not documented at an operational level, or documented but not tested or enforced. Compliance doing Line 1 work because operations won't.

Insufficient independence of Line 2. Compliance reporting to an operations or commercial director who controls its budget and performance reviews — making genuine challenge structurally difficult.

Line 3 resource limitations. An internal audit function that audits financial controls competently but has no expertise to audit AML, regulatory compliance, or data protection frameworks — creating significant unaudited risk.

Findings not tracked to resolution. Lines 2 and 3 produce findings that are acknowledged in meetings and not actioned. Without a mechanism to track management responses and escalate overdue items, the assurance value of the model collapses.

Board not receiving Line 3 output. Internal audit reports being filtered by management before reaching the audit committee, removing the independence the model depends on.

The Three Lines model, properly implemented, provides a robust governance architecture that genuinely distributes accountability and creates independent oversight. Improperly implemented, it creates the appearance of governance while leaving critical gaps — gaps that regulators across every sector are becoming increasingly skilled at identifying. If yours is the latter, that is a fixable problem. But it requires honest assessment of what you actually have, not what the org chart says you have.

About the Author

RB

Ryan Best

Strategic Compliance & Investigative Consultant

Strategic compliance and investigative consultant with 26 years of operational and executive experience across regulated industries. Ryan advises boards, operators and institutions on compliance architecture, financial crime risk, investigation strategy and corporate governance.