Lesson 02 of 25
The Three Lines of Defense and Where Audit Sits
4 min read · CAMS-Audit
Master the three lines of defense and learn to sort any AML activity into the line that owns it. A core exam skill: knowing why audit must test work it never performed.
The model, in one picture
- First line — owns and manages risk in the business
- Second line — compliance and risk oversight
- Third line — independent audit assurance
- Each line is more independent than the last
Let's build the three lines of defense properly, because the exam tests where each AML function belongs. Picture three layers, each one further from the day-to-day business than the last. The first line owns and manages risk; it's the front office, the relationship managers, operations, the people onboarding customers and processing payments.
The second line provides oversight; that's the compliance and AML function setting policy, running the monitoring program, and advising the business. The third line provides independent assurance; that's internal audit, testing whether the first and second lines actually work. The Institute of Internal Auditors reframed this as its Three Lines Model in 2020 (dropping "of defense" from the name and describing the lines as roles rather than org-chart boxes), but the core logic is unchanged: independence grows as you move outward.
Assigning AML functions to a line
- Onboarding a customer, clearing a payment — first line
- Setting CDD policy, tuning the monitoring system — second line
- Testing whether all of that works — third line
- Exam loves to ask: which line is this?
The exam loves to hand you an activity and ask which line owns it. So practice the sort. A relationship manager collecting beneficial-ownership information at onboarding?
First line; they own the customer. The AML team writing the customer due-diligence standard and tuning the transaction-monitoring thresholds? Second line; that's oversight and operation of the control.
The person who later samples files to see whether onboarding actually collected that information, and whether the thresholds are reasonable? Third line; that's audit. Here's the trap: investigating an alert is a control activity, usually first or second line.
Auditing the quality of those investigations is third line. Same subject, different line, because the auditor tests the work rather than performing it.
Why audit must be independent
- You can't objectively test work you helped perform
- Self-review threat destroys assurance value
- FFIEC: testers must not be involved in the function tested
- Independence is what makes the assurance credible
Why does the separation matter so much? Because assurance is only worth something if it's independent. If you helped write the policy, you can't objectively test whether the policy works; that's the self-review threat, and it quietly destroys the value of the audit.
The FFIEC BSA/AML Examination Manual states the rule directly: independent testing should be conducted by parties not involved in the functions being tested. The Basel Committee's guidance on the internal audit function in banks says the same in different words, that internal audit must be independent of the activities it audits. When you read an exam scenario, ask: did the tester have a hand in what they're now testing?
If yes, the independence is compromised, and that's usually the answer the exam wants.
Audit is not the second line
- Compliance monitoring is ongoing, embedded oversight
- Audit is periodic, independent, point-in-time assurance
- Both test controls — but only one is the third line
- Common distractor: calling QA the same as audit
A frequent point of confusion, and therefore a frequent distractor, is the line between second-line monitoring and third-line audit. Compliance does test controls; it runs quality assurance, transaction testing, and ongoing monitoring. But that work is embedded oversight, performed by the function that owns the program.
Audit is separate, periodic, and independent of that program. So when a question describes a compliance quality-assurance team reviewing alert dispositions, that's second line, not the independent audit, even though it looks like testing. The independent test is the one performed by people outside the program entirely, reporting up a different chain.
Keep that distinction sharp.
How regulators view the third line
- FFIEC and Basel both expect a credible audit function
- Independent testing is a regulatory requirement, not a courtesy
- Weak third line draws examiner attention to the whole program
- Scope and frequency must match the institution's risk
It's worth pausing on why regulators care so much about this structure. The independent test isn't a nice gesture an institution offers; it's a regulatory expectation. The FFIEC BSA/AML Examination Manual treats independent testing as one of the program's required pillars, and the Basel Committee expects every bank to maintain an internal audit function independent of the activities it audits.
Examiners read the third line as a signal: a credible, well-resourced, independent audit function suggests a program that catches its own problems, while a weak or captured third line invites scrutiny of the entire program. Regulators also expect the scope and frequency of independent testing to be commensurate with the institution's risk profile, so a higher-risk institution needs deeper, more frequent audit coverage. In short, the strength of your third line shapes how regulators judge everything in front of it.
Recap and next
- Three lines: own, oversee, assure
- Sort every AML activity into its line
- Independence is what gives audit its value
- Next — independence, objectivity, and conflicts
So, to recap. Three lines of defense: the first owns the risk, the second oversees it, the third independently assures it. You can sort almost any AML activity by asking who performs it and whether they're testing their own work.
And the reason audit sits at the third line is independence, which is exactly what makes its conclusions credible to the board and to regulators. In the next lecture, we'll go one level deeper into that independence: what objectivity really requires, and the conflicts of interest that can quietly compromise the third line. Then go test yourself on this material before moving on.
Sources
- FFIEC BSA/AML Examination Manual — Independent Testing
- Basel Committee, The internal audit function in banks (2012)
- IIA International Professional Practices Framework
- Institute of Internal Auditors Three Lines Model (2020)
Test your knowledge
A few CAMS-Audit practice questions on audit planning and sampling.
Q1. In AML audit planning, what is the 'audit universe'?
Q2. Applying a risk-based approach to audit planning, how should an auditor decide the coverage and frequency for areas in the audit universe?
Q3. A retail product is ranked just low enough to skip every year, so it is never tested across multiple cycles. A new high-risk product launched in March but the plan, locked in January, was never updated. Which two planning failures are present?
Q4. An auditor wants to make a defensible, projectable statement about the overall accuracy of beneficial-ownership data across the entire customer population. Which sampling approach is MOST appropriate?