Lesson 24 of 39
Governance, Culture & the Three Lines of Defense *(OUTLINE + BULLET BODY)*
4 min read · CAMS
Explain the three-lines-of-defense model and what each line owns in an AML program. Describe board and senior-management accountability for AML/CFT and the meaning of "tone at the top." Explain why compliance culture is itself a control, and how sanctions-screening governance fits the model.
Cold open / hook *(0:00–0:30)* — [scripted]
When a bank gets hit with a nine-figure AML penalty, the press blames "the compliance department." But read the consent order, and you'll almost always find the real failure higher up — a board that didn't ask hard questions, a culture that treated AML as a cost center, a sales team rewarded for growth and never for saying no. AML isn't one team's job. It's a system of accountability that runs from the teller to the boardroom. By the end of this lecture, you'll be able to name the three lines of defense and say exactly who owns the risk at each one.
Body — [bullet teaching outline; expand to ~150 wpm prose when recording]
The three lines of defense
- A governance model (popularized by the IIA and reflected in FFIEC and Basel guidance) that assigns AML responsibility across **three distinct, independent layers** so no single function both owns and checks the same risk.
- **First line — the business / front line.** The customer-facing units that *own and manage* the risk they create: relationship managers, tellers, onboarding, operations. They perform CDD, file referrals, and execute controls day-to-day. **Risk is owned where it is created.**
- **Second line — compliance and risk management.** Independent oversight: sets policy, designs the framework, monitors, advises, and challenges the first line. The **BSA/AML compliance officer** sits here, owning the program but **not** the customer relationships.
- **Third line — internal audit / independent testing.** Provides **independent assurance** to the board that the first two lines are working. This is the AML program's **independent testing pillar** — it must be independent of the functions it reviews and report to the board/audit committee.
- The cardinal rule: **lines must be independent of one another.** If compliance reports to the head of sales, or audit is done by the people who built the controls, the model collapses.
Board and senior-management accountability
- The **board of directors** holds ultimate responsibility for the AML program: it must **approve** the program and policies, ensure adequate **resources and authority** for the compliance function, and receive regular reporting on AML risk and SAR/CTR activity (FFIEC BSA/AML Examination Manual — BSA/AML Compliance Program).
- **Senior management** is responsible for **implementation** — ensuring the program operates effectively, that the compliance officer has the **stature, independence, and resources** to do the job, and that issues are escalated and remediated.
- The **designated BSA/AML compliance officer** must be **qualified, have day-to-day authority, and direct access to the board** — not buried so deep in the org chart that bad news never reaches the top.
- Accountability is **personal**: under AMLA 2020 and FinCEN enforcement practice, individual officers and directors can face liability for willful program failures. AML is a board-level obligation, not a delegated afterthought.
Tone at the top — and culture as a control
- **"Tone at the top"** = the demonstrated commitment of leadership to doing AML right, even when it costs revenue. It's set by **what leaders reward and tolerate**, not by the policy manual.
- A **culture of compliance** is itself a control. FinCEN's guidance on promoting a culture of compliance lists concrete expectations: leadership actively supports the program; compliance is **not compromised by revenue interests**; information is **shared** across the organization; the program is adequately **resourced**; and leadership understands the program's purpose and its reporting.
- Warning signs of a weak culture: incentive structures that reward growth but never escalation; compliance overruled by the business; chronic under-resourcing; "check-the-box" mentality. The exam loves the scenario where the **right answer is to escalate**, even against commercial pressure.
- Culture connects directly to **whistleblowing and escalation**: staff must feel safe raising concerns. AMLA 2020 strengthened **AML whistleblower protections and awards** to reinforce exactly this.
Sanctions-screening governance
- Sanctions screening (OFAC, UN, EU lists) is governed by the **same three-lines model**: the **first line** runs and clears screening alerts at onboarding and payment; the **second line** owns sanctions policy, list management, and tuning standards; the **third line** independently tests screening effectiveness and coverage.
- Because **OFAC operates on strict liability** — a violation can occur without intent — screening governance demands clear ownership, documented escalation for potential matches, and a defined process to **block or reject** and report to OFAC.
- Governance over screening also means owning **model/tool risk**: who approves match thresholds, who validates the filter, and who signs off when fuzzy-matching settings change. (We'll go deep on screening tuning in the next domain.)
Recap & next — [scripted]
So, the architecture. Three lines of defense: the business owns the risk it creates, compliance independently oversees and challenges, and internal audit gives the board independent assurance — each line independent of the next. The board approves the program and holds ultimate responsibility; senior management implements it and resources the compliance officer; and tone at the top decides whether any of it actually works, because a culture that punishes saying no will defeat the best-written policy on the shelf. Sanctions screening rides the same rails. Next, we cross into Domain 4 — Tools and Technologies — starting with the systems that do the watching: sanctions, PEP, and adverse-media screening, fuzzy matching, and the eternal battle between false positives and false negatives.
Sources
- FFIEC BSA/AML Examination Manual (BSA/AML Compliance Program; board & senior-management oversight; independent testing)
- FinCEN "Culture of Compliance" advisory (FIN-2014-A007)
- Basel Committee on Banking Supervision — Sound Management of Risks Related to ML/TF
- AMLA 2020 (whistleblower provisions; individual accountability)
- Institute of Internal Auditors — Three Lines model