Inferensys

Glossary

Three Lines of Defense

A widely adopted governance model that separates operational management ownership of risk (First Line), independent risk and compliance oversight functions (Second Line), and objective internal audit assurance (Third Line).
Governance lead reviewing model governance framework on laptop, policy documents visible, executive office setup.
GOVERNANCE FRAMEWORK

What is Three Lines of Defense?

A foundational governance model that delineates risk management and control responsibilities across three distinct, independent functions to ensure comprehensive oversight and accountability.

The Three Lines of Defense model is a structured governance framework that separates operational risk ownership (First Line), independent oversight and compliance functions (Second Line), and objective internal audit assurance (Third Line). This segregation prevents conflicts of interest by ensuring the teams that build and deploy machine learning models are not the same teams that independently validate their safety and soundness.

In financial fraud detection, the First Line owns the model risk generated by their algorithms; the Second Line, typically a Model Risk Management (MRM) team, establishes policies and challenges model assumptions; the Third Line, Internal Audit, provides independent assurance to the board that the governance framework itself is effective and compliant with regulations like SR 11-7.

GOVERNANCE FRAMEWORK

The Three Lines of Defense

A foundational governance model that distributes risk management responsibilities across three distinct, independent functions to ensure comprehensive oversight of financial fraud detection models.

01

First Line: Operational Management

The business units and model owners who own and manage risk directly. In fraud detection, this includes the data science teams developing models and the fraud operations teams using them daily.

  • Responsible for implementing controls and executing risk procedures
  • Owns model performance monitoring and data drift detection
  • Must identify, assess, and report risks in real-time
  • Accountable for adhering to model documentation standards

Example: A fraud analytics lead who deploys a new anomaly detection model and monitors its Population Stability Index (PSI) weekly.

Day 1
Risk Ownership Begins
02

Second Line: Risk & Compliance Oversight

Independent functions that establish policies and challenge the First Line. This includes Model Risk Management (MRM) teams and compliance officers who validate that fraud models meet SR 11-7 standards.

  • Defines risk appetite, limits, and governance frameworks
  • Conducts independent model validation and concept drift analysis
  • Monitors for disparate impact and fair lending compliance
  • Oversees RegTech automation for regulatory reporting

Example: An MRM team performing an independent backtest of a transaction monitoring model against historical fraud outcomes.

Independent
Challenge Function
03

Third Line: Internal Audit

Provides objective assurance to the board and regulators that the first two lines are functioning effectively. Internal audit evaluates the design and operating effectiveness of the entire governance framework.

  • Assesses whether MRM policies comply with SR 11-7 and EU AI Act
  • Audits the completeness of model documentation and audit trails
  • Verifies that override monitoring and lineage tracking are operational
  • Reports directly to the audit committee, ensuring organizational independence

Example: An internal audit team reviewing whether vendor models underwent proper vendor model risk management due diligence.

Board-Level
Reporting Line
04

Segregation of Duties

The structural principle that no single individual or team can develop, validate, and audit a model without independent checks. This prevents conflicts of interest and ensures checks and balances.

  • Model developers (First Line) cannot validate their own models
  • Validators (Second Line) must be independent of profit centers
  • Internal audit (Third Line) must have unrestricted access to all records
  • Champion-challenger frameworks require separate oversight of test design

This separation is a core requirement under SR 11-7 and foundational to sound model governance.

05

Application in Fraud Detection

In financial fraud anomaly detection, the Three Lines model governs the entire model lifecycle:

  • First Line: Data scientists train models and fraud analysts review alerts via human-in-the-loop (HITL) workflows
  • Second Line: MRM validates SHAP values for explainability and tests for adversarial robustness
  • Third Line: Audit verifies that shadow deployment protocols were followed and model attestations are current

This layered defense ensures that a single model failure or oversight does not result in undetected financial crime or regulatory sanction.

06

Regulatory Expectations

Global regulators embed the Three Lines concept into binding guidance:

  • SR 11-7 (Federal Reserve): Mandates independent validation and ongoing monitoring
  • EU AI Act: Requires Fundamental Rights Impact Assessments (FRIA) and human oversight for high-risk AI systems
  • OCC Guidelines: Enforce strict segregation between model development and validation
  • Basel Committee: Advocates for independent risk control units with direct board access

Non-compliance can result in enforcement actions, capital add-ons, and restrictions on model use.

THREE LINES OF DEFENSE

Frequently Asked Questions

Clear answers to the most common questions about implementing and governing the Three Lines of Defense model for financial fraud detection systems.

The Three Lines of Defense (3LoD) model is a governance framework that separates risk management responsibilities into three distinct, independent functions to prevent conflicts of interest and ensure comprehensive oversight. The First Line consists of operational management and business units that own and manage risk directly—these are the fraud analysts and model developers who design detection rules and handle daily alerts. The Second Line provides independent risk oversight and compliance monitoring, establishing policies, challenging First Line decisions, and ensuring adherence to regulations like SR 11-7. The Third Line is internal audit, which provides objective, independent assurance to the board that the first two lines are functioning effectively. This layered structure ensures that no single group both creates and validates its own controls, creating a system of checks and balances essential for audited financial environments.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.