Members of our global risk consulting team including John Coley (head of risk consulting), Lisa Lee Lewis (head of advisory), Sven Stumbauer (senior advisor) and Tom Lord (senior consultant) attended and presented at the 1LoD Summit on 21 November 2019.

The conference brought together around 250 senior members of the financial services community, with panels focussed on key areas such as governance, culture, controls, conduct risk, surveillance and financial crime. Significant time was spent discussing and exploring opportunities for improving the efficiency and effectiveness of controls across the three lines of defence.

In this blog post we share some of the key themes coming out of the sessions our team participated in and our key takeaways.

Money laundering risk in the first line of defence and the challenges in creating a first line of defence control function

During a lively roundtable discussion, the key themes centered around how risk assessments play an important part in having effective first line of defence controls, and the challenges in managing money laundering risks and spotting red flags within the first line of defence function. It is important that relevant risk assessments are appropriately tailored to the product type, services, assets offered by each front line department, with bespoke descriptions and examples of red flag scenarios adequately described in procedures and clearly presented to front line staff during training sessions. Appropriate check and challenge by front line control managers also play an important role in managing money laundering risk effectively. Additionally, firms have continued to focus on accountability and individual responsibility and are keen to understand how these areas can, in practice, help manage risk in the first line of defence.

Further discussion revolved around how to build an effective first line of defence control function and operationally implement the “1.5 function” within a complex organisation. From our experience, current challenges included:

  • The first line of defence either shifting its responsibility to the second line of defence entirely and rendering the first line solely a front office function with almost no day-to-day front office control oversight; or the first and second lines both duplicating efforts in assessing, measuring and monitoring risks, leading to a duplication of efforts, or even worse disparate results.
  • These shortcomings could be avoided by having clearly defined roles and responsibilities at the outset, and updated as required, especially during the revision of a firm’s risk, compliance and control frameworks. Importantly, monitoring and enhancing the way each line of defence interacts with each other will create business value by eliminating duplication, closing gaps and creating a strong first line of defence that truly owns its risk and manages day to day risk management activities. This more focused alignment between the first and second lines of defence also allows scarce resources in the second line of defense to focus on higher risk items and emerging risks as they pertain to the particular financial institution, before having the capacity to progress onto reviewing moderate and lower risk items.


During the panel session there was a wide ranging debate on how supervision is executed in practice and also how this can work across different lines of defence. It was clear that both panellists and the audience expected the first line to be properly involved and also responsible for an appropriate level of supervision. And panellists added that regulators are unlikely to be prescriptive around this.

Clarity around roles and delineation of responsibilities is important, as is the quality and meaningfulness of supervision. Firms should be clear on outcomes they are seeking to achieve, and focus on monitoring processes that ultimately are likely to be meaningful. This means firms must understand the inherent risks of their products and services and focus on where poor outcomes and potential “harms” can and may occur. This will also help enable them to use data effectively and calibrate supervision processes accordingly.

Critically, with the wider roll out of new regulatory rules such as the Senior Managers & Certification Regime (SM&CR) in the UK, robust supervisory processes support the reasonable steps that Senior Managers will need to evidence. Firms should also think about how they review their supervision processes post-implementation of SM&CR to help ensure they are both effective and efficient.

Our regulatory risk consulting practice advises clients across the full spectrum of compliance, governance, and risk management matters, working in partnership with the firm’s lawyers to deliver holistic, comprehensive and business-focused advice.

More information on the practice can be found here. If you would like more information, please get in touch with a member of the team.