Checks on second line of defence for financial crime

With the FCA continuing to spot vulnerabilities in firms' three lines of defence model for financial crime risk, Alison Kopra and Tom Townson take a closer look at the second line of defence – from common pitfalls to practical steps on compliance.

The three lines of defence (3LOD) model has become a staple scope area in FCA visits and subsequent s166 skilled person reviews focusing on financial crime. Second line financial crime teams face a number of compliance challenges as a result.

What is the second line of defence?

The second line incorporates the chief AML/CFT officer – typically the money laundering reporting officer (MLRO), CF11 under the Senior Managers and Certification Regime – and the compliance and risk functions. It traditionally owns the financial crime framework and policies, monitors compliance with policies, and advises the business on how to implement controls.

In recent years, 3LOD models in larger and more mature firms have evolved to have two distinct strands within the second line:

1 Advisory – owning the policies, framework and advising on controls

2 Assurance – providing an independent review of control effectiveness through oversight, monitoring and quality assurance activities

So what are some of the common challenges that are likely to attract the FCA’s attention during a visit?


Common pitfalls in the second line of defence

1 Blurring of first and second lines

With the evolution of advisory and assurance strands, the first and second lines can become blurred. This is a particular risk where second line advisory teams take on more responsibility for driving financial crime change initiatives, or are over-relied on by first line operational teams who may lack the experience to confidently apply financial crime policies on a day-to-day basis. Where the lines become blurred, the second line’s independence can be eroded, reducing its capacity to provide independent challenge or oversight.

To protect against this, clearly documented financial crime roles and responsibilities that are understood at all levels of the organisation are a must. Risk ownership must sit within the business that is creating the risks. In practice this should be evident from the design and operation of a multitude of first line activities, including procedures, control testing, sponsorship of change initiatives, reporting lines through to business unit heads, and relevant committee structures.

The requirement for specialist expertise can also mean some operational processes, such as transaction monitoring alert review, are performed by second line teams. While this can be appropriate and effective, the FCA expects the potential for conflict of interest to be explicitly managed and mitigated, with an independent team performing oversight of those activities.

2 Second line of defence is reactive rather than strategic in nature

The FCA will look for the money laundering reporting officer (MLRO) and second line financial crime risk and compliance teams to be strategic and proactive in their approach to financial crime risk. If the function is too often 'fighting fires' and reacting to incidents, near misses, technology defects or simply lagging behind the growth and activities of the business, financial crime risk management may not be sufficiently embedded throughout the firm.

Signs of a reactive financial crime risk function:

  • Rushing through piecemeal policy updates when regulations change or in response to implementation problems where there was no prior consultation with the business
  • Frequently delaying or curtailing regular assurance testing due to diversion of resources to test newly identified control failings and root cause analysis
  • Perpetually extending long-term objectives in order to shift second line resource to the latest emerging issue
  • Committees receiving insufficient or inappropriate management information to support meaningful risk-based decision making, or frequent requests to change or add to the data points provided

How do you demonstrate a strategic and proactive second line financial crime risk function? Firms should ensure they monitor and prepare in advance for regulatory change, manage policy updates according to a planned schedule and provide training alongside updates to ensure new policies are understood.

The second line function should be consulted early on and throughout new business initiatives – such as new products or countries of operation – to identify financial crime risks early and ensure appropriate mitigating measures are put in place.

Finally, invest in the quality of financial crime management information that is reported at different committee levels to ensure it is appropriate and tailored to the audience. This is invaluable in helping a firm achieve a more strategic approach – helping to identify emerging financial crime risks early on and informing decision making from the board down.

3 Overstretched resource capacity and capability

Should the FCA come calling, firms can expect the capacity and capability of financial crime personnel across all three lines of defence to be scrutinised. Particular attention will be paid to the second line of defence and the MLRO’s available resources.

Second line teams can become overstretched from factors such as the concentration of specialist expertise, or significant increases in financial crime change or remediation activity. Advisory teams, in particular, often find themselves with an ever-increasing remit. MLROs need to regularly reassess and review resource levels around expected workloads and the specific key financial crime risk areas for the firm. There should be evidence of actions taken to address pinch points – such as obtaining temporary internal or external resources, or additional recruitment needs – and to keep financial crime risk management on track.

The FCA expects financial crime oversight and assurance activity, both regular testing and thematic reviews, to be right-sized to the firm’s risks – not the size of the available team. Where planned assurance activity is postponed, firms should document the rationale for this and its impact on the residual financial crime risk profile of the firm.

4 Challenges facing the MLRO

The MLRO’s experience and capacity are also subject to scrutiny. Where an MLRO also wears other hats, such as chief compliance or risk officer, it's likely they'll have to show that their MLRO time is sufficient for the activities and risk profile of the firm. First-time MLROs, or those promoted from within a firm, may expect greater scrutiny of their independence from senior management, and their ability to both provide and stand up to challenge right up to board level.

MLROs who face persistent challenges from the business – to the extent that they feel the firm is not managing its financial crime risks appropriately – need to consider their own regulatory obligations when determining their next steps. Board-level training and education can help and may be tailored to the MLRO's specific challenges. Sometimes, having an external party deliver a message can help it sink in when parties have previously been unreceptive. In the interim, MLROs should fully document and minute all their requests and recommendations, along with management decisions.

To talk to someone about improving your 3LOD model for managing financial crime risk, or to prepare for an FCA or skilled person visit, get in touch.