The Four Lines of Defence model shows how organisations manage risk and compliance by clearly setting out who is responsible at each level.

The first line is the business itself. Teams carry out day-to-day activities and are responsible for managing their own risks. This includes customer onboarding, AML activity, KYC and CDD checks, and carrying out regular reviews as part of normal operations.

The second and third lines provide oversight and assurance. The second line supports and challenges the first line through quality assurance reviews, approving enhanced due diligence, and managing escalations.

The third line provides independent assurance through compliance monitoring, audit testing, governance reviews, and identifying opportunities to improve processes.

The fourth line sits outside the organisation and includes regulators, such as the FCA and SRA, who set regulatory requirements and enforce compliance across the financial and public sector.