AFC Team Structure and Responsibilities

Key Takeaways

  • The three lines of defense model assigns ownership: business units (1LOD), compliance and risk (2LOD), and internal audit (3LOD).
  • A designated BSA/AML compliance officer (or MLRO) with authority, independence, and resources is a mandatory program pillar.
  • Core AFC functions include KYC/onboarding, transaction monitoring and investigations, sanctions screening, SAR/STR filing, and quality assurance.
  • CAMS items test who owns a given task and whether segregation of duties is preserved between detection and decision.
Last updated: June 2026

The Three Lines Of Defense

The three lines of defense model is the backbone of how CAMS expects an anti-financial-crime (AFC) program to be organized, and exam items frequently ask which line owns a task.

Line | Who | Primary financial-crime role
First line (1LOD) | Business units, relationship managers, operations | Own and manage the risk: apply KYC at onboarding, escalate red flags, execute controls in the workflow
Second line (2LOD) | Compliance, financial-crime risk | Set policy, advise, monitor, run independent transaction monitoring, file SARs, oversee 1LOD
Third line (3LOD) | Internal audit | Provide independent assurance that the first two lines work as designed

A common trap: internal audit (3LOD) must not own or run the monitoring program it audits, because doing so destroys its independence. Likewise, the front office cannot be the sole judge of whether its own customer is suspicious.

The Designated Compliance Officer / MLRO

A mandatory pillar of any program is a designated BSA/AML compliance officer (called the money-laundering reporting officer, or MLRO, in many jurisdictions). The role requires three things examiners check: sufficient authority to enforce controls and escalate to the board, independence from revenue-generating pressure, and adequate resources (staff, budget, systems). The compliance officer reports the program's status to the board and senior management.

In the US, the SAR filing decision rests with the institution, acting through the compliance function; in other jurisdictions, the MLRO role is the local form of the same arrangement. The CAMS-correct view is that the person filing must be empowered to do so without front-office veto.

Core AFC Functions

A mature team typically separates these functions to preserve segregation of duties:

  • KYC / onboarding and periodic review - collect and verify customer and beneficial-ownership data, assign risk rating.
  • Transaction monitoring and investigations - generate alerts, triage, investigate, and recommend SAR/no-SAR.
  • Sanctions and watchlist screening - real-time and batch screening against OFAC and other lists, alert adjudication.
  • Regulatory reporting - SAR/STR and currency-transaction reporting (CTR), with the MLRO holding final filing authority.
  • Quality assurance and quality control - sample-test investigations and decisions for consistency.

Worked Scenario

An analyst who onboarded a customer is later assigned to investigate that same customer's monitoring alert and clears it as no-SAR. This breaches segregation of duties: the person with an interest in a clean onboarding decided the suspicion question. The fix is to route the investigation to an independent investigator, and the SAR decision to the MLRO function.

Common Traps

  • Assigning SAR filing authority to the front office, which has a commercial incentive not to file.
  • Letting internal audit design or operate the controls it reviews.
  • Under-resourcing the compliance officer so the program exists on paper only, a frequent enforcement finding.

For the exam, match the task to the correct line and confirm that detection, decision, and assurance stay in separate hands.

Why The Three Lines Must Stay Separate

The whole point of the model is to prevent any single function from both creating and judging its own risk. The first line is closest to the customer and therefore best placed to detect and apply controls in the moment, but it also carries the commercial incentive that can bias a suspicion decision, which is why the second line owns independent monitoring and the SAR decision. The second line sets policy and challenges the first line, but it operates controls and so cannot objectively assure itself; that is the third line's job. If you collapse these, you reintroduce exactly the conflict the model exists to remove.

Enforcement cases repeatedly cite institutions where compliance reported into a business head, or where audit had helped build the monitoring rules it was later asked to validate. CAMS distractors are usually built around one of these collapses, so when a scenario describes a reporting line or a task assignment, your first check is whether independence between detection, decision, and assurance is preserved.

Sizing And Resourcing The Function

A recurring enforcement finding is a program that is well designed on paper but starved of staff, so alerts pile into a backlog and investigations are rushed. CAMS expects the compliance officer to assess resourcing against the institution's risk profile, not against a fixed headcount ratio: a small bank in low-risk products needs less than a global bank in correspondent banking and trade finance. Indicators that resourcing is inadequate include growing alert and case backlogs, missed regulatory filing deadlines, declining investigation quality on quality-assurance sampling, and an inability to complete periodic reviews on schedule.

The exam-correct response to under-resourcing is to escalate it to senior management and the board as a risk issue with data, because the board's duty to provide adequate resources is only meaningful if it is informed of the shortfall.

Mapping A Task To Its Owner

The single most common item type in this area gives you a task and four candidate owners. A reliable method is to ask three questions in order: Is this task detecting or creating the risk, deciding on it, or assuring that the process works? Detecting and applying controls at the point of customer contact is first line; deciding on suspicion, setting policy, and filing reports is second line; assuring effectiveness is third line. Filing a SAR belongs to the compliance or MLRO function, never the relationship manager.

Approving a high-risk customer belongs to a committee with the authority defined in its terms of reference, not to an individual analyst. Validating that monitoring rules detect what they should belongs to model validation or internal audit, not to the team that built the rules. When you can place a task on this detection-decision-assurance spectrum, the distractors usually expose themselves as the answers that put a task in the wrong line or that let one person both perform and judge their own work. Practicing this mapping until it is automatic is the highest-yield preparation for the operating-model questions on the exam.

Test Your Knowledge

Under the three lines of defense model, which line should provide independent assurance that the transaction-monitoring program operates as designed?

Test Your Knowledge

An onboarding analyst is asked to investigate and clear a monitoring alert on the same customer they personally onboarded. What is the core problem?
