With the SEC whistleblower program setting new records in 2020 and with a renewed focus on whistleblowers as a result of the AML Act of 2020 (AMLA), it’s important to recall the story of Martin Woods, who The Guardian describes as “one of the most important whistleblowers of our time.” Woods, a senior AML officer, uncovered how his bank stood at the center of one of the world’s biggest money laundering operations, failing to apply the necessary AML controls on ~$378 billion in transfers from the accounts of Mexican exchange houses. A sum equivalent to 1/3 of Mexico’s gross national product!  Woods, distinguished from his colleagues by his law enforcement background and instincts, saw red flags and immediately noticed deficiencies in the bank’s KYC data. The deficiencies ultimately led to a breakdown in the bank's controls. While this story might feel like a déjà vu, it occurred over a decade ago at Wachovia Bank, and in the time since, similar stories have played out with some of the more recent scandals.

So, what do all of these scandals have in common?  

When one line of defense fails, all lines fail.  In recent months, the news has been saturated with articles about calls for regulatory reform, new forms of oversight and even criminal prosecutions.  As we reflect on the fact that the biggest money laundering scandal in history happened in 2018, it is essential that the importance of internal reform is not overlooked as the focus turns to external reforms.

A 2016 PWC report highlighted various problems with the three lines of defense model and noted that each line has a unique set of issues that prevent optimal performance. For sales teams – “the first line” - a lack of accountability, unclear understanding of their role, and the wrong tone from the top hinder their ability to be the first line of defense. While compliance teams - “the second line” - deal with siloed departments, poor coordination, and a failure to use technology and data more effectively. But most importantly, the second line is burdened with performing first line functions, and as a result, is unable to review and challenge the first line’s risk assessments, which Sigma has observed during numerous Certified Rating assessments. For audit teams – “the third line” - the main issue appears to be outdated data management and analytics.

And with improvements in technology, innovation and new regulation, the three lines of defense model will continue to grow in complexity.  The time is ripe for companies to rethink risk management culture from the inside – by empowering the three lines to make sure they don’t lose sight of what they are actually ‘defending' - the public interest.