A “Minimum Viable” 3 Lines of Defence Model for an EMI Startup

Why this matters at all
An EMI operates in a world where mistakes are expensive: AML, fraud, card risk, customer complaints, sanctions, incidents, data leaks, outages, safeguarding, and reconciliation failures.
The three lines of defence are not “for show”. They exist so that:
- it’s clear who owns the risk, who controls it, and who verifies it;
- controls don’t depend on “one smart person”;
- decisions can be explained and evidenced (not “we had a feeling”).
“Minimum viable” means: minimum roles, minimum documents, maximum clarity.
The concept in 20 seconds
- 1st line: Business and operations. They create risk and manage it every day.
- 2nd line: Compliance and risk. They set the rules, monitor adherence, and provide methodology.
- 3rd line: Internal audit (or an equivalent). They independently verify that the system actually works.
The Minimum 3LoD Model for an EMI Startup
1st line of defence: “We build the product and don’t break the law”
Who this is in a startup: product, operations, support, payments ops, onboarding, finance, and sometimes engineering (if they manage changes and access).
Their responsibilities (no excuses):
- KYC/onboarding according to the rules (not according to the sales team's mood)
- transaction limits and rules
- alert handling (fraud/AML) per procedure
- safeguarding, funds movement and reconciliations (if applicable)
- executing incident and complaints procedures
- proper recordkeeping (why we approved, rejected, blocked)
Minimum 1st line artifacts (must exist):
- 5–10 SOPs / “how we do it” instructions, e.g.:
  - onboarding & KYC steps
  - handling alerts (AML/fraud)
  - high-risk customer escalation
  - chargebacks/disputes (if cards)
  - complaints handling
  - incident first response
- One-page RACI (who does, who approves, who is consulted, who is informed)
- 3–5 key metrics (KPI/KRI) with owners, e.g.:
  - share of manual reviews
  - alert response time
  - alerts backlog
  - rejection/closure rate due to risk reasons
  - incidents/complaints
Core principle: the 1st line can’t say “compliance should have done it”. Compliance does not run your business.
2nd line of defence: “We set the rules and monitor that they’re followed”
Who this is in a startup: Head of Compliance / MLRO (often one person), Risk Officer (sometimes the same person early on), and the DPO/InfoSec roles for their part of the control framework.
What they do:
- policies and standards: AML/CTF, risk appetite, sanctions, PEP, EDD, fraud, complaints
- risk assessment methodology (product/customers/geography/channels)
- compliance monitoring: sampling checks, reporting to management
- staff training (yes, even if you’re 7 people)
- outsourcing oversight: what’s outsourced, how it’s controlled, SLAs, what happens on failure
Minimum viable 2nd line pack:
- Risk Appetite Statement: what we will not do, where the limits are
- Risk Assessment (table): product risks, customers, geographies, channels, mitigations
- AML/CTF Policy + short procedures (CDD/EDD/SAR/sanctions)
- Compliance Monitoring Plan (quarterly): what we test, how often, what samples
- Outsourcing register + basic vendor due diligence (yes, even if it’s “just SaaS”)
- One-page monthly compliance/risk report for CEO/Board:
  - alerts, blocks, SARs (if any), complaints, incidents, problematic vendors, key changes
Core principle: the 2nd line shouldn’t “operate instead of the business”. Their job is to make rules simple and testable.
3rd line of defence: “Independent check: does it actually work?”
Who this is in a startup: a full internal audit function usually doesn’t exist. That’s fine, as long as you’re not pretending to be a 2,000-person bank.
Minimum viable substitute for internal audit:
- outsourced internal audit (1–2 reviews per year), or
- board-level review plus an independent external review (e.g., a consultant) carried out against an agreed plan
What the 3rd line checks first (MVP pack):
- AML/KYC: case quality, rationale, and evidence
- transaction monitoring: settings, escalation, closure discipline
- safeguarding/reconciliations (if applicable)
- access & change management: who can change rules/limits/blacklists
- outsourcing: vendor oversight and exit plan viability
- complaints & incidents: traceability and correctness of actions
3rd line artifacts:
- Annual audit plan (6–10 topics)
- Review report (issue, risk, priority, owner, due date)
- Follow-up: verification that critical items were closed
Core principle: the 3rd line must be independent. Not “I checked myself and gave myself an A+”.
How to build this with a 6–20 person team
Minimum roles (no unnecessary circus)
- CEO/COO: owner of operational risks (1st line)
- Head of Compliance / MLRO: 2nd line (can be combined early on)
- Risk owners by area (part-time): onboarding, payments ops, cards, support
- External audit/review: 3rd line (1–2 reviews a year is enough to start)
The most practical document: a one-page 3LoD table
| Process | 1st line does (business/operations) | 2nd line sets/monitors (compliance/risk) | 3rd line verifies (audit/independent review) |
|---|---|---|---|
| Onboarding (KYC/CDD/EDD) | Runs the checklist, makes decisions, collects evidence (screenshots/logs/documents), escalates high-risk cases | Sets the policy/rules and risk criteria, performs sample quality checks of cases, trains staff | Samples cases, checks decision quality and supporting evidence, looks for systemic issues |
| Alerts (AML/Fraud/Sanctions) | Processes alerts, escalates when needed, closes cases with rationale, manages the backlog | Sets rules/thresholds/scenarios, monitors backlog and SLAs, checks correctness of closures | Reviews closure quality (reason codes, evidence), adequacy of escalations, completeness of logs/audit trails |
| Vendors / Outsourcing | Executes SLAs, manages vendor communication, logs incidents/outages, initiates changes/replacements | Performs due diligence, maintains outsourcing register, conducts risk assessment, defines control requirements, sets exit plan | Audits critical vendors/contracts, checks outsourcing oversight and whether the exit plan is workable |
| Incidents (IT/ops/security) | Responds, contains, restores, records the timeline, produces an initial report | Defines the process and classification, notification/escalation requirements, trains staff, monitors execution | Reviews post-mortems, checks procedure compliance and quality of corrective actions |
| Complaints (customer complaints) | Receives/processes complaints, responds on time, records outcome and root cause, adjusts the process | Sets rules and timelines, monitors trends/repeating causes, triggers improvements | Checks deadline compliance, completeness of complaint records, correctness of classification and responses |
Top 5 mistakes that turn “3 lines” into a joke
- Compliance “owns” the risk instead of the business.
- No evidence: decisions are made, but nothing is traceable.
- Outsourcing without oversight: “they’re a famous provider”.
- No metrics: nobody sees where the system leaks.
- “Internal audit” = the same person who wrote the policy.
Mini checklist: “We’re ready for minimum 3LoD”
- Process owners exist (onboarding, monitoring, complaints, incidents)
- 5–10 short SOPs exist and are actually used
- Risk assessment and risk appetite exist (not 80 pages)
- A compliance monitoring plan exists (what we test, how often, on what samples)
- Independent review exists at least 1–2 times per year
- Any customer/transaction decision can be supported with evidence
Conclusion
Minimum viable 3LoD for an EMI startup is not “corporate religion”. It’s the smallest set of roles and rules that lets you:
- scale operations,
- avoid drowning in alerts and chaos,
- survive regulator/partner/audit questions without panic.
If you want it ultra-simple:
1st line does. 2nd line explains how and monitors. 3rd line checks the checkers.
FAQ: Minimum “3 Lines of Defence” (3LoD) for an EMI Startup
Do we need separate departments like a bank?
No. In a startup, 3LoD is about role separation, not headcount. The 2nd line is often combined (Compliance + Risk), and the 3rd line can be an external review 1–2 times per year.
Who should “own” the risk: compliance or the business?
The business (1st line). Compliance sets boundaries and monitors adherence. If the 1st line says “compliance is to blame”, you don’t have 3 lines, you have theatre.
What matters most at the start if time is limited?
Three things that actually save you:
- one-page RACI (who does/approves/escalates),
- 5–10 short SOPs (onboarding, alerts, complaints, incidents, vendors),
- evidence: logs, decisions, reasons, “why”.
We don’t have internal audit. Is that critical?
Not critical if you honestly cover the 3rd line with an alternative: an external audit/independent review carried out against a plan, or a board-level review with a formal report and follow-up. What does undermine the 3rd line is an “audit” done by the same person who wrote the policy, who then grades their own work.
How often do we need the 3rd line in a minimal version?
For most early-stage EMI startups: 1–2 themed reviews per year (AML/KYC, alerts/monitoring, outsourcing, incidents), plus follow-up on critical findings. Better small and regular than “once every three years, but 80 pages”.
Which KRIs make 3LoD real rather than ceremonial?
Minimum set: alert backlog (total + overdue), average response time for alerts/incidents, share of high-risk customers and EDD completion, complaint trends (top 3 reasons), incidents at critical vendors and SLA performance.
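One way to turn this minimum KRI set (and the 1st-line metrics listed earlier) into numbers for the monthly one-pager, as an added example that is not part of the original article: a small Python script that reads alert and customer records of the kind a case-management tool exports and computes backlog (total and overdue), average response time, the share of high-risk customers and their EDD completion, plus one evidence check the 3rd line will look for (alerts closed without a reason code). The field names, the 72-hour alert SLA and the sample records are assumptions constructed for the example; replace them with your own export and your own Risk Appetite thresholds.

```python
"""Minimal KRI calculator for a 3LoD monthly compliance/risk report.

Added example, not code from the original article. The record layout,
the SLA threshold and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed SLA (hypothetical): an alert still open after this long is overdue.
ALERT_SLA = timedelta(hours=72)


@dataclass
class Alert:
    alert_id: str
    opened_at: datetime
    first_response_at: Optional[datetime]  # None until an analyst touches it
    closed_at: Optional[datetime]          # None while the alert is still open
    closure_reason: Optional[str]          # reason code; must be set when closed


@dataclass
class Customer:
    customer_id: str
    risk_rating: str   # "low", "medium" or "high"
    edd_completed: bool


def open_backlog(alerts, as_of):
    """Return (total_open, overdue) as of the reporting timestamp."""
    open_alerts = [a for a in alerts
                   if a.opened_at <= as_of and (a.closed_at is None or a.closed_at > as_of)]
    overdue = [a for a in open_alerts if as_of - a.opened_at > ALERT_SLA]
    return len(open_alerts), len(overdue)


def avg_response_hours(alerts):
    """Mean hours from alert creation to first analyst action; untouched alerts are excluded."""
    hours = [(a.first_response_at - a.opened_at).total_seconds() / 3600
             for a in alerts if a.first_response_at is not None]
    return mean(hours) if hours else 0.0


def closures_without_reason(alerts):
    """Evidence gap the 3rd line samples for: closed alerts with no reason code."""
    return sorted(a.alert_id for a in alerts if a.closed_at is not None and not a.closure_reason)


def high_risk_edd(customers):
    """Return (share of high-risk customers, EDD completion rate among them)."""
    high = [c for c in customers if c.risk_rating == "high"]
    share = len(high) / len(customers) if customers else 0.0
    completion = sum(c.edd_completed for c in high) / len(high) if high else 1.0
    return share, completion


def monthly_kri_report(alerts, customers, as_of):
    """Assemble the KRI lines for the one-page monthly report."""
    total, overdue = open_backlog(alerts, as_of)
    share, completion = high_risk_edd(customers)
    return {
        "alert_backlog_total": total,
        "alert_backlog_overdue": overdue,
        "avg_alert_response_hours": round(avg_response_hours(alerts), 2),
        "closed_without_reason": closures_without_reason(alerts),
        "high_risk_customer_share": round(share, 3),
        "high_risk_edd_completion": round(completion, 3),
    }


# Constructed sample data (not real cases): five alerts and five customers for one month.
D = datetime
SAMPLE_ALERTS = [
    Alert("A1", D(2024, 3, 1, 9), D(2024, 3, 1, 10, 30), D(2024, 3, 2, 12), "false_positive"),
    Alert("A2", D(2024, 3, 20, 8), D(2024, 3, 22, 9), None, None),           # open, past SLA
    Alert("A3", D(2024, 3, 30, 14), None, None, None),                       # open, within SLA
    Alert("A4", D(2024, 3, 10, 9), D(2024, 3, 10, 9, 45), D(2024, 3, 11, 9), None),  # no reason
    Alert("A5", D(2024, 3, 25, 10), D(2024, 3, 25, 12), D(2024, 3, 28, 10), "escalated_sar"),
]
SAMPLE_CUSTOMERS = [
    Customer("C1", "high", True),
    Customer("C2", "high", False),
    Customer("C3", "low", False),
    Customer("C4", "medium", False),
    Customer("C5", "high", True),
]
REPORT_DATE = D(2024, 3, 31, 23, 59)

if __name__ == "__main__":
    for key, value in monthly_kri_report(SAMPLE_ALERTS, SAMPLE_CUSTOMERS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

The point of the `closed_without_reason` line is that it is a KRI about evidence, not volume: an alert closed with no reason code is exactly the case a sampling review or an external auditor will pull, so surfacing it monthly gives the 1st line the chance to fix it before the 3rd line finds it.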
What usually breaks the “agent/partner” model from a 3LoD perspective?
The illusion that “the partner will handle everything”. They may hold the licence, but you still need: operational execution (1st line), control/reporting (2nd line), and independent checks (3rd line). Otherwise the partner will simply restrict or terminate you.
Which processes are almost always reviewed first?
Four evergreen topics: onboarding (KYC/EDD) and decision quality, transaction monitoring/alerts closure discipline, outsourcing/vendor oversight, incidents & complaints (response and learnings).