THE THREE LINES OF DEFENCE

The rapid rise in technology, and the greater need for additional interoperability and adherence to risk, are now becoming the dominant themes and characteristics in both domestic and international banking, especially with the proliferation of technology and industry participants, such as Fintechs, Challenger Banks, and all manner of independent Payment Providers. Here in the UK, and further afield, there are now more exacting legislative and regulatory requirements, with the advent of Open Banking leading to Open Finance, and many new industry entrants in the market. All have disintermediated the traditional UK Clearing Banks, the well-established Financial Institutions, and other known industry participants.


However, one area that is still very much present in all aspects of the industry’s operational working processes, and will never disappear, is RISK! Apart from Client Risk, there is also now greater Operational Risk as new services are established across new infrastructures. These infrastructures require more sophisticated interoperability in order to offer seamless payments to the “end-user.” As such, greater operational and systemic connectivity brings an accompanying increase in risk, despite the various API applications and enhanced security available to support this interoperability. Consequently, strict Risk Management and strong financial discipline, as opposed to “risk aversion” and “over-caution,” are still the order of the day and will continue to be so.

The well-known THREE LINES OF DEFENCE are now more prevalent than ever, and as Corporate Bankers, Personal Bankers, Credit and Operational personnel, we are all familiar with this methodology, are we not? Well, we should be!
However, just in case these key criteria have inadvertently slipped from our minds, I have listed them below:
  1. First Line of Defence. This consists of the bank’s Client Relationship Officer as the initial risk owner, supported by the institution’s operational management.
  2. Second Line of Defence. This consists of the bank’s Risk Control, Credit, and Compliance departments, which have limited independence, given that they report directly and primarily to the bank’s senior management.
  3. Third Line of Defence. This consists of the bank’s internal Audit Department, which maintains greater independence than those in the Second Line of Defence. This area reports all activity (good, bad, and doubtful) according to agreed bank and FI risk policy, regulatory policy, and the internal institutional “risk register,” to the relevant industry governing regulatory authority.
There is a “Fourth Line of Defence” which I call the “Psychological Line of Defence,” and it is simply this:

  • If the employee or employer does not feel comfortable about any single transaction, or a particular series of transactions emanating from a customer’s behaviour, always err on the side of caution and report the perceived issue.
  • By highlighting any personal concern, the individual employee is demonstrating professional compliance and attention to detail in his or her role, given that the perceived issue often may not have been noticed, nor caught in the previous lines of defence. Hence, “perception” becomes the “reality” here.

What can we learn from this “Psychological Line of Defence”? We learn that each individual employee has a moral duty to behave in such a way that ensures the financial institution and staff always “do the right thing.” By “doing the right thing,” one has ensured that:
  • No financial loss has been suffered by the institution, nor its reputation damaged, even if, by flagging the issue, all was found to be well within the compliance, risk policy, and due diligence legal and regulatory requirements of the institution itself.
  • As such, no loss has been incurred, despite an actual breach. However, the issue was caught and reported to the relevant internal authorities.

With the speed of developments in the digital asset, tokenisation, and Crypto/Fiat areas, risk is just as predatory, if not more so! Technology, Smart Contracts, and “on and off Ramp” transactional activity are all deemed to offer a safer and less risky environment. But with connectivity, geographical reachability, and interoperability still key requirements for all cross-border payments and settlement, human error still abounds.

    Eliot Charles Heilpern
    Parthenon Communications
    eliot@parthenoncommunications.com, www.parthenoncommunications.com