Three Lines of Defense and MLRO Role

Key Takeaways

  • The three lines of defense are the business (owns/manages risk), compliance/risk (oversees and sets policy), and internal audit (independent assurance).
  • The BSA/AML Officer or MLRO sits in the second line and must have authority, autonomy, and direct board/senior-management access.
  • Independent testing is the third line; it cannot report to the function it audits.
  • Tipping-off and suspicious-activity confidentiality rules constrain who the MLRO may tell about a filing.
Last updated: June 2026

The three lines of defense model (published by the Institute of Internal Auditors and referenced by banking supervisors, including the Basel Committee's corporate governance principles) allocates anti-financial crime (AFC) accountability so that no single function both creates and polices its own risk. CAMS tests it because most governance scenarios turn on two questions: who should act, and who must remain independent.

First line
  Function: Business units, front office, relationship managers
  AFC role: Own and manage risk day to day; perform customer due diligence (CDD); raise internal alerts
  Independence requirement: None; the first line takes the risk

Second line
  Function: Compliance, the AFC/AML function, risk management
  AFC role: Set policy, monitor, oversee, file SARs/STRs, advise the first line
  Independence requirement: Independent from revenue generation

Third line
  Function: Internal audit (or external independent testing)
  AFC role: Provide objective assurance that lines one and two work
  Independence requirement: Reports to the audit committee, not to compliance

A frequent trap: an item describes the compliance team performing its own "independent" audit. That violates the third-line principle. Testing must be done by a party with no responsibility for designing or operating the function being tested, and the tester's reporting line must not run through that function.

The BSA/AML Officer and the MLRO

The US designates a BSA/AML Officer; many other jurisdictions (the UK, EU member states, Singapore, Hong Kong) designate a Money Laundering Reporting Officer (MLRO) or an equivalent compliance officer. The roles overlap heavily. For the exam, the officer must have:

  • Authority — the seniority to compel remediation across business lines.
  • Autonomy — independence from the revenue-generating first line.
  • Resources — adequate staff, budget, and technology.
  • Access — a direct reporting line to the board or a board committee, so business pressure cannot bury an issue.

In the UK, the MLRO is the nominated officer who receives internal suspicion reports and decides whether to file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA). In the US, the comparable filing is the SAR to FinCEN, due within 30 calendar days of the initial detection of facts that may constitute a basis for filing; if no suspect has been identified, the deadline may be extended to 60 calendar days.

Confidentiality and tipping-off

Once a SAR/STR is filed, or is even being considered, the MLRO must guard against tipping off: disclosing to the customer (or to anyone outside the need-to-know circle) that a report has been made, may be made, or is under consideration. Tipping off is a criminal offense in many jurisdictions, and US rules separately prohibit disclosing a SAR or any information that would reveal its existence. A CAMS scenario where a relationship manager wants to "warn a good client" that their account is under review is testing this point: the correct answer protects filing confidentiality.

Scenario workflow

When you read a governance item, ask:

  • Which line owns this action? (If it asks who does independent testing, the answer is the third line.)
  • Does the MLRO have the authority and independence to escalate?
  • Would the proposed communication breach tipping-off or need-to-know limits?

The best answer assigns the action to the correct line, preserves the officer's independence, and keeps suspicious-activity information confidential. Options that collapse two lines into one — for example, letting the business unit grade its own controls as the final assurance — are distractors.

Worked example

An internal alert flags a corporate customer routing funds through a newly added intermediary in a high-risk jurisdiction. Map the roles: the relationship manager (first line) raises the internal report; the AFC analyst (second line) investigates and gathers the transaction evidence; the MLRO (second line) decides whether to file a SAR. The decision to file rests with the MLRO, not with the business that earns revenue from the client. Once the report is filed, no one tells the customer. Internal audit (third line) later checks that the alert was handled within policy timelines.

Confusing who files (compliance/MLRO, not the business) is a frequent exam error.

Officer liability and accountability

Under the Bank Secrecy Act as amended by the Anti-Money Laundering Act (AMLA) of 2020, and under longstanding enforcement practice (FinCEN has assessed civil money penalties against individual compliance officers), a BSA/AML Officer can face personal regulatory action for willful program failures. That exposure is why the role demands real authority rather than a nominal title. Some institutions appoint deputy MLROs to ensure coverage during absences; the chain of responsibility must still be documented so that it is always clear who holds the decision.

Trigger: Unusual wire pattern
  First line action: Raise an internal suspicion report
  Second line (MLRO) action: Investigate; decide whether to file a SAR
  Third line action: Test the handling after the fact

Trigger: Enhanced due diligence (EDD) onboarding decision
  First line action: Gather customer information
  Second line (MLRO) action: Approve or decline per policy; escalate to committee where required
  Third line action: Audit a sample of decisions

Trigger: Control weakness found
  First line action: Remediate at the process level
  Second line (MLRO) action: Set policy; monitor closure of the finding
  Third line action: Provide independent assurance that the fix works

The model only works if independence is preserved at each layer. A program where compliance reports to the head of the business line it polices, or where audit reports to compliance rather than the audit committee, fails the independence test that underpins the whole framework — and that structural defect is exactly what governance scenarios are designed to surface.

SAR/STR timelines the MLRO must know

Filing deadlines are frequently tested. In the US, a Suspicious Activity Report (SAR) is due to FinCEN within 30 calendar days of the date the institution initially detects facts that may form the basis for filing; the deadline may extend to 60 calendar days if no suspect has been identified. Currency Transaction Reports (CTRs) are required for currency transactions that total more than $10,000 by or on behalf of one person in a single business day (aggregated across the day), and are filed within 15 calendar days. The MLRO owns the SAR decision, and the institution must keep monitoring the account after filing. FinCEN guidance provides for continuing-activity SARs: review the account at least every 90 days and, if the suspicious activity persists, file a new SAR no later than 120 days after the prior filing.

Across other regimes the equivalent Suspicious Transaction Report (STR) goes to the national Financial Intelligence Unit (FIU). Knowing who files (the MLRO, not the business), to whom (FinCEN/FIU, not law enforcement directly in most cases), and by when separates a strong candidate from a guesser. The thread running through this section: accountability is assigned, independence is protected, and confidentiality is preserved at every step.

Test Your Knowledge

  • An institution's compliance department conducts what it calls the program's "independent test." Why is this problematic under the three-lines model?
  • A relationship manager wants to tell a long-standing client that their account is under suspicious-activity review. What does AFC guidance require?
  • Which set of attributes must a BSA/AML Officer or MLRO possess to satisfy regulatory expectations?