The Business Prevention Department

Most compliance professionals have heard it at least once. Muttered after a meeting, typed into a group chat, occasionally said to your face if the speaker is feeling brave: “Compliance is just the Business Prevention Department.”

In most cases, it is a misdiagnosis. The cliché that proves the exception.

When a business starts to see its compliance function as an obstacle rather than a resource, the instinct is to conclude that compliance is being too rigid, too risk-averse, too focused on process at the expense of commercial reality.

Sometimes that is true. More often, something else is going on.

Compliance has accumulated operational responsibilities it was never meant to have. It is doing the business’s job as well as its own, and it is doing neither particularly well as a result.

The three lines of defence model exists precisely to stop this from happening. It is not a new idea, and it is not complicated. But it is consistently misapplied, and the consequences tend to slow the business down in ways that are entirely avoidable.

The model is straightforward.

The first line is the business: the people who own and operate the day-to-day processes, including the controls embedded in those processes. Client onboarding, transaction monitoring, document collection, sanctions screening. These are business activities, and the controls around them belong to the business.

The second line is compliance and risk oversight: the function that sets the framework, designs the standards, monitors whether the first line is doing its job, and challenges where it is not.

The third line is independent assurance, typically internal audit, which periodically tests whether the whole structure is working.

Three distinct roles. Three distinct sets of responsibilities. Separate, by design.

Where it goes wrong is almost always the same story. The business is busy; a client needs to be onboarded and the relationship manager has not quite got around to completing the checklist. Compliance steps in because it’s quicker and because the deal will not close otherwise – despite our reputation, compliance folk have a pretty healthy appreciation for commerciality. The next time it happens, nobody blinks. Within a year, compliance is routinely collecting CDD documentation, chasing missing information, completing forms, and processing requests that should never have crossed its desk.

The first line has effectively outsourced its controls to the second line. And the second line, swamped with operational tasks it should not be doing, no longer has the time or the independence to provide genuine oversight of the first line. The framework looks intact on paper. In practice, the architecture has collapsed.

This is one of the most common control framework problems in regulated firms of every size, and it is particularly acute in smaller businesses where the compliance resource is a single individual wearing several hats.

The FSA’s supervisory focus has sharpened considerably in recent years and the direction of travel from the broader international context is clear: it is no longer sufficient to demonstrate that a framework exists. Firms are expected to show that it functions. That means being able to explain, for any given risk, what the first line does to manage it, what the second line does to oversee that management, and how findings and failures escalate to the people with the authority to act on them.

A useful test is to pick a single high-risk process, client onboarding being the obvious choice, and trace it through the model. Who collects the CDD? Who designed the standards for what good CDD looks like? Who checks whether those standards are being met? Who sees the results and decides what to do about patterns of failure? If the honest answer to more than one of those questions is the same person or the same team, the lines are blurred.

The fix is not always structural. It does not necessarily require hiring, reorganising, or commissioning a formal audit. It starts with clarity about who owns what, and with the willingness to hold that line even when it is inconvenient. The MLRO or Head of Compliance should be in a position to say, clearly and without apology, that collecting client documents is not their job. Management needs to be equipped and expected to do it themselves.

Getting the lines right also produces a better compliance function. A second line that is genuinely free to oversee and challenge is more useful to the board and more credible with the Regulator than one that is buried in operational tasks it should never have taken on.

The next time someone mutters about the Business Prevention Department, it is worth asking a different question: not whether compliance is being obstructive, but whether compliance has been set up to fail.

A few questions worth sitting with: For your highest-risk processes, can you clearly explain what each line does? Are any critical controls effectively owned by the wrong team? When an issue is identified, do you know whether it is a first line failure, a second line gap, or both? If your compliance officer left tomorrow, would first line controls continue to operate?

If any of those feel uncomfortable, the framework probably needs some attention. The good news is that getting it right is less complicated than it looks.