Insightful Blog with tips for your law firm
3 June 2026

The Three Lines of Defence Model for Law Firms

I’ve heard the three lines of defence model mentioned a few times recently, and then I heard reference to it in the context of regulation by the FCA.

Given the possible move to the FCA as the AML supervisor for law firms, I did some research. After looking into it, I believe it is a useful concept for law firms to follow when reviewing compliance as a whole; it’s not only useful for AML reviews.

The model is about managing risk and compliance, providing accountability, and considering effectiveness.

It comes back to the warning I’ve given before, about not just having beautiful policies. It’s essential that the day-to-day operations reflect them. A policy doesn’t have to be beautiful to be effective. It should be a well-used document that people understand and check when they have something out of the ordinary.

There are three separate layers to the model:

Ownership and management of risks: In a law firm, this includes partners, directors, fee earners and operational staff. They are responsible for identifying, assessing and managing risks in their day-to-day work. This includes everything from client onboarding and AML checks to supervision, confidentiality and file management.

Specialist risk management: This could be those in a compliance role, or a compliance team. Their role is to support, monitor and challenge the first line of defence. They help develop policies and procedures, provide training and guidance, and monitor whether controls are operating effectively. They do not own the risks themselves.

Independent audit: This involves someone independent reviewing whether the firm's risk management and compliance arrangements are actually working in practice, and reporting their findings to leadership.

As someone who carries out independent anti-money laundering audits under Regulation 21 of the Money Laundering Regulations, I realised it’s the process I have been following in any event, as part of my audits. However, what struck me is how it really can make a difference to all parts of regulatory compliance.

I do see firms that can evidence the first two lines of defence well. They have at least one invested leader and at least one separate compliance role holder. Where things often fall down for these firms is making sure the processes are working effectively and that everyone is working as expected. Other firms have very blurred lines between the first and second lines of defence, which makes it a lot more challenging.

The third line of defence should pick up on any concerns about, or improvements to be made to, the first two lines of defence, and also on whether compliance is working for everyone at the firm.

One of the things I help law firms with is a compliance gap analysis, and this can be an important first step in ensuring the three lines of defence model works. I also offer the more specialised Regulation 21 Audits. If and when supervision of AML for law firms changes, it’ll be great for those firms already used to working in this way to demonstrate that to the FCA.

Get in touch if you’d like to know more.


© Copyright 2026 Beal Cooper Compliance Ltd. All rights reserved.

Beal Cooper Compliance Ltd is registered in England and Wales.  Company number: 16232081  

VAT Registration Number: 488962417

Registered address: 2 The Old School, Broomside Lane, DH1 2QW.
