If you are building a regulated fintech, understanding the three lines of defense in compliance is essential.
Regulators, sponsor banks, and enterprise partners want to see more than good intentions. They want a governance structure that clearly defines who is doing the work, who is overseeing it, and who is independently checking that the oversight is effective. That structure is commonly known as the three lines of defense model.
For large financial institutions, this model is standard, but for fintechs, it can feel out of reach. Most early-stage companies do not have separate teams for operations, compliance oversight, and internal audit. Unfortunately, this doesn’t make the framework optional. It just means that fintechs need a practical way to apply it.
This guide explains the three lines of defense framework, why it matters for fintechs, and how regulated companies can build a more credible compliance program without hiring a bank-sized team requiring a massive budget.
What are the three lines of defense in compliance?
The three lines of defense is a governance model used to structure accountability in risk management and compliance. It was popularized by the Institute of Internal Auditors (IIA), which refreshed it in July 2020 and renamed it the “Three Lines Model” to emphasize governance and value creation, not protection alone. Most practitioners still refer to it as the three lines of defense.
At a high level:
- The first line of defense owns day-to-day business operations
- The second line of defense provides independent compliance oversight
- The third line of defense provides audit and assurance
This model helps organizations create separation of duties and reduce the risk that important compliance issues go unnoticed.
First line of defense
The first line of defense in compliance is the business itself. These are the business units and operational management closest to customers, products, and day-to-day operations.
In a fintech, the first line may include:
- founders
- operations leads
- account managers
- product owners
- compliance managers embedded in the business
The first line has primary responsibility for managing risk as risk owners, including managing operational risks through daily activities. This clear accountability helps avoid a “not my job” mentality while they follow policies, execute controls, and operate within the company’s compliance framework.
Second line of defense
The second line of defense includes compliance functions and risk management activities. This group is responsible for monitoring, testing, advising, and helping the business stay aligned with regulatory expectations through effective communication.
Examples of second-line activities include:
- compliance monitoring
- control testing
- issue escalation
- policy oversight
- governance reporting
- advisory support on regulatory questions
These teams also help set risk management frameworks, policy expectations, control frameworks, and internal controls across key processes.
This is often the most overlooked layer in fintechs. Many companies assume they have compliance covered because someone is “handling it,” when they have not actually created an independent second line. In practice, first and second line functions are often poorly defined, even though the second line works to ensure compliance by monitoring adherence to applicable laws and regulations.
Third line of defense
The third line of defense is the audit team. Its role is to independently assess whether the compliance program and second-line oversight are functioning as intended.
This may include:
- internal audit
- external audit support
- independent assurance reviews
This assurance function may be delivered by the internal audit team or, where needed, external providers.
The third line does not run the compliance program. It exists to provide assurance by objectively evaluating the effectiveness of the first and second lines, including assessing whether they are fulfilling their responsibilities.
Why the three lines of defense matter
The purpose of the three lines of defense model is to create clear accountability and comprehensive oversight that support effective governance.
A core principle of compliance governance is simple: you cannot check your own work. If one person builds the process, performs the control, reviews the control, and approves the result, the system lacks independence. Even high performers operating in good faith cannot replace structural separation of duties. Multiple layers of checks and balances are critical to preventing financial loss and protecting organizational value.
That is why regulators and sponsor bank partners care so much about governance, independence, oversight, documentation, and escalation procedures. For banks, these expectations are codified directly. The Basel Committee on Banking Supervision built the three-lines structure into its 2011 principles for the sound management of operational risk and its 2015 corporate governance principles for banks. US regulators have adopted these principles, which is why sponsor banks pass the same expectations on to their fintech partners, and why strong design can improve efficiency as well as oversight.
Why fintechs struggle with the three lines of defense
Most fintechs do not start with a full compliance organization. They start with one or two people trying to do everything, and many struggle with implementing the model in practice, not just staffing it. That creates several common problems.
1. Compliance gets concentrated in one person. One person may be answering questions, reviewing materials, building templates, supporting sales, and handling partner requests.
2. The second line is missing. A company may have people doing compliance work, but no true independent oversight function.
3. Audit is treated as a future problem. Fintechs often delay thinking about audit until a sponsor bank, investor, or regulator asks for proof.
4. Governance is not defined early. Organizations often struggle to reconcile theory with practical implementation. Poorly defined oversight duties and weak communication can duplicate assurance efforts and blur accountability.
These gaps become more visible as the company grows, launches new products, or enters regulated partnerships.
How fintechs can apply the three lines of defense
The good news is that fintechs do not need to fully staff all three lines internally from day one. A more realistic approach is to define responsibilities clearly so fintechs can apply the model even when some support comes from outside the company and use external support where needed.
For example:
- First line: business or product leaders own execution
- Second line: fractional compliance support provides oversight and monitoring
- Third line: internal audit or external audit provides independent review
This is how a fintech team can stand up a mature, defensible governance structure on a lean budget. The OCC’s 2024 Third-Party Risk Management: A Guide for Community Banks makes a related point that matters here. A bank can engage an external party to help run aspects of its risk management, yet it cannot offload its underlying responsibility. Some financial institutions use external providers within a four lines model for added effectiveness, reflecting the active role regulators and external auditors can play in oversight. The Financial Stability Institute proposed a four lines model in December 2015. The same logic applies to a fintech using fractional support: outside resources can carry the work, while accountability and role clarity stay with the company.
What matters is whether the structure is clear and defensible, regardless of whether each line sits inside or outside the company.
There is one caveat worth naming. Some examiners may be uncomfortable if the same outside firm helps build the program and also serves as audit. That can sometimes be addressed by showing real independence in personnel and structure. In other cases, companies may need a separate audit resource. The right answer depends on the regulatory context and the expectations of the parties involved, with the goal of balancing day-to-day operations with compliance as the company grows.
Separation of duties in compliance
One of the most important concepts in the three lines of defense model is separation of duties across internal controls.
Separation of duties means:
- the person doing the work should not be the only one reviewing it
- the compliance advisor should not always be the final assurance function
- audit should maintain enough independence to evaluate the system credibly
This separation also makes the second and third lines more credible when reviewing the same control environment. For fintechs, separation of duties often requires thoughtful design. A small team can still create independence if roles are defined carefully and outside resources are used appropriately.
Governance, board oversight, and compliance management
A strong compliance management system is not only about testing controls. It also requires oversight from senior management and the board over controls, reporting, and compliance management.
Depending on the company, that may include:
- assigning a compliance leader
- assigning a BSA/AML officer where applicable
- creating leadership or board-level reporting
- documenting trends and escalations
- establishing a committee or oversight cadence
- maintaining policies and governance records
Where the company is large enough, the audit committee is often the governance body for escalation and oversight.
The three lines of defense are part of a broader governance model. Frameworks like COSO’s internal control guidance applied across the three lines of defense describe what a strong control environment looks like, while the three lines model defines how key stakeholders receive reporting and oversight. You can learn more about where this model sits within your broader compliance framework by reading our post on the 12 Pillars of a Compliance Management System.
How the three lines of defense support sponsor bank readiness
For fintechs working with sponsor banks, the three lines of defense are especially important. The 2023 Interagency Guidance on Third-Party Relationships from the OCC, Federal Reserve, and FDIC sets the expectations banks apply to their fintech partners.
Banks often want to understand:
- who owns compliance execution
- who performs oversight
- how issues are identified
- how independent review is handled
- how the company governs sound risk management practices across products and programs
If a fintech can show that it performs its own oversight, identifies issues proactively, and has a defined governance structure, it is in a much stronger position. Sponsor banks also want a fintech to identify emerging risks and maintain continuous monitoring, not just react after the fact. That sharper focus on proactive oversight improves partner confidence. The strongest posture is to do your own work first, surface your own issues, and demonstrate a system for addressing them. That builds trust far better than waiting for a partner to find weaknesses on your behalf.
Not every compliance question is black and white
It is also important to recognize that not every regulatory issue has a simple answer.
Some compliance requirements are straightforward and repeatable. Others involve interpretation, judgment, and product-specific decisions. That is where experience matters most. The three lines of defense framework creates the structure that enables judgement to be applied responsibly.
Best practices for building a three lines of defense model
If you are building a compliance program at a fintech, these are good places to begin, with the goal of continuous improvement in risk management and compliance rather than a one-time setup:
- define who owns first-line execution
- identify who will provide second-line oversight
- establish how audit or independent review will work
- document escalation paths
- create regular reporting for leadership so monitoring supports continuous improvement over time
- map responsibilities by product and program, including where similar risk appears across products or programs
- avoid having the same person design, execute, and validate the same control
These steps help build a more credible risk and compliance governance model over time.
Final takeaway
The three lines of defense in compliance are not just for large banks. They are a practical framework for any regulated company that needs to show accountability, independence, and oversight.
Fintechs do not need perfect structure on day one. They do need a clear answer to a few important questions:
- Who is doing the work?
- Who is overseeing it?
- Who is independently checking it?
That is the foundation of a scalable compliance program. The real goal is to build a framework strong enough to grow into a bank-grade program, with fractional support making that achievable even with a lean team and budget.
Ready to design and build a governance program your sponsor bank will love? Schedule a free consultation with our team of compliance professionals, auditors, and former regulators with decades of experience in emerging risks and financial products.

