Financial Crime World

Financial Crime Risk Management: A Three-Lines-of-Defense Approach

A new report from the [Regulatory Authority] highlights the importance of a robust three-lines-of-defense approach to financial crime risk management in banks. The guidelines emphasize the need for a compliance policy that is established, communicated, and observed by all three lines of defense.

Principle IV: Three Lines of Defense

The three lines of defense approach is widely accepted as the global standard for risk management. It consists of three layers of protection:

Line 1: Business Units

  • Responsibilities: Identify, assess, and control risks
  • Challenges: Competing priorities, such as earning revenue and retaining customers

Line 2: Independent Oversight and Quality Assurance

  • Functions: Compliance Officer (CO) and Money Laundering Reporting Officer (MLRO)
  • Reporting line: Outside the business line
  • Performance assessments: Undertaken by individuals or groups outside the business line

Line 3: Audit Function

  • Role: Evaluate the effectiveness of risk management and controls
  • Responsibilities: Discharged to the audit committee of the Board or a similar oversight body

External Auditors

External auditors also play a crucial role in evaluating internal controls and procedures during the course of their financial audits. Licensees should ensure that the scope of the audit is adequate to address the licensee’s risks, and that the assigned auditors have the requisite expertise and experience.

Principle V: Board Oversight

The Board should regularly ensure that the licensee’s financial crime risk management regime is commensurate with regulatory and industry standards, as well as its own risk profile and appetite. The Board should oversee current and potential risks, and the arrangements for their sound management, often via reports from the second and third lines of defense.

Principle VI: Business Acceptance

Part II of the FTRA emphasizes licensees’ legal obligation to verify client identities. The new CDD (Customer Due Diligence) and account opening guidelines annexed to the CBOB AML/CFT Guidelines describe the requirement to use independent source documents, in addition to customer attestations, to fulfill these legal mandates.

Principle VII: Ongoing Monitoring

The majority of customers are not financial criminals, and a licensee’s risk management systems should be risk-based and not pose a significant inconvenience to law-abiding customers. Applying the principle of proportionality to the risk assessment of the client, product, or jurisdiction will yield varying levels of compliance requirements.

Conclusion

In conclusion, a robust three-lines-of-defense approach is crucial for effective financial crime risk management in banks. By establishing a compliance policy, employing independent oversight and quality assurance, evaluating internal controls and procedures, and providing ongoing monitoring, licensees can mitigate the risks associated with financial crime and maintain public trust.