top of page
    Search

    Three Lines of Defense Explained: What Estonian CASPs Need to Know for MiCA Licensing

    • Writer: Pavel Kotkin
      Pavel Kotkin
    • Apr 16
    • 5 min read
    Three Lines of Defense model discussion

    For Crypto-Asset Service Providers (CASPs) seeking authorization under the EU Markets in Crypto-Assets (MiCA) Regulation, demonstrating a strong, transparent, and structured risk management and compliance framework is essential.


    In Estonia, the Financial Supervision Authority (Finantsinspektsioon) expects entities to operate in full compliance with the Money Laundering and Terrorist Financing Prevention Act (RahaPTS) and adhere to relevant regulatory guidance, including the application of the Three Lines of Defense model.


    This model ensures:

    • clear separation between operational execution and risk oversight,

    • independent compliance and risk management functions,

    • and objective assurance through internal audit.


    This summary provides Estonian-based CASPs with a practical overview of how to implement the Three Lines of Defense model in alignment with RahaPTS §17, the Finantsinspektsioon’s AML/CFT guidance, and the EBA guidelines on compliance management and outsourcing. These components are not only critical for meeting MiCA licensing requirements but also for building sustainable operations and long-term regulatory trust.


    1. Governance Framework and General Principles


    The organizational structure of obligated entities must reflect the Three Lines of Defense (3LoD) model, aligned with the nature, scope, and complexity of the entity’s operations and services. This framework ensures robust risk governance and effective anti-money laundering and counter-terrorism financing (AML/CFT) controls.


    The model's objective is to provide a functionally segregated yet interconnected system for identifying, managing, and mitigating financial crime risks.

    The entity must:

    • Assess risk exposure comprehensively across business lines.

    • Establish legally and operationally binding procedures to prevent and manage conflicts of interest.

    • Ensure that compensation structures do not compromise risk management integrity.

    • Evaluate the interests of all stakeholders (e.g., employees, owners, clients) in terms of their alignment or conflict with AML/CFT obligations.

    • Justify any deviations from the 3LoD model within the bounds of proportionality and regulatory compliance.


    In particular, IT systems and staff allocation must be proportionate to the complexity of risks and services. Organizational structures must remain transparent, clearly documented, and not unnecessarily complex, allowing for effective internal reporting and accountability across all levels.


    2. First Line of Defense – Operational Risk Ownership


    The first line of defense (1LoD) includes all operational units that own and manage risks as part of their daily duties. They are directly responsible for applying customer due diligence (CDD) measures and ongoing monitoring of business relationships. This includes:

    • Understanding client business models and associated risk factors (sector, geography, transaction patterns).

    • Detecting anomalous or high-risk activities (e.g., transactions lacking economic rationale).

    • Escalating red flags to independent second-line functions for further evaluation.


    The Board must ensure 1LoD has adequate human and technical resources, particularly for high-risk clients or high-value transactions. Front-line staff must not be involved in the detailed analysis of risks they initially detect to maintain objectivity and comply with the functional separation principle.


    3. Second Line of Defense – Risk Oversight and Compliance


    The second line of defense (2LoD) encompasses the compliance and risk management functions. These units do not own risks but oversee risk-taking activities and ensure regulatory compliance. Core responsibilities include:

    • Interpreting regulatory changes and assessing their impact on internal policies and procedures.

    • Supporting 1LoD in identifying risk exposure and implementing appropriate risk controls.

    • Maintaining independence from business operations, especially when carrying out AML/CFT compliance tasks.


    A designated AML/CFT Compliance Officer (FIU contact person in Estonia) should be appointed where appropriate, meeting specific requirements for competence, integrity, and independence. Key responsibilities include:

    • Developing AML/CFT risk assessment frameworks and ensuring alignment with EBA guidelines.

    • Advising management on high-risk client onboarding and maintaining documentation on divergent decisions.

    • Supervising training programs and assessing their effectiveness.

    • Monitoring the implementation of AML/CFT policies and escalating deficiencies to executive management and, if required, to supervisory authorities.


    The officer must be based in the jurisdiction of operation unless equivalency in control and oversight is demonstrable. Compliance reporting is required at least quarterly and should include regulatory updates, incident statistics, resource adequacy assessments, and recommendations for risk mitigation or service suspension where necessary.


    4. Third Line of Defense – Independent Internal Audit


    The third line of defense (3LoD) is an independent internal audit function tasked with assessing the effectiveness of the overall internal control system, including AML/CFT measures. The internal audit function must:

    • Be structurally and functionally independent from operational and compliance units.

    • Have unrestricted access to all information and systems necessary for audits.

    • Avoid involvement in the development or execution of the functions it audits (to eliminate self-review threats).


    Audit scope includes:

    • Verifying whether risk management frameworks are suitable and aligned with legal obligations and strategic objectives.

    • Evaluating the adequacy and implementation of internal controls across all three lines.

    • Reporting critical deficiencies to the board and regulatory authorities.


    The audit methodology must be risk-based and proportionate, reflecting the entity’s size and operational complexity. Where internal audit is outsourced, the entity remains accountable for ensuring the provider meets regulatory and competency standards.


    5. Supporting Measures: Continuity, Training, and Communication


    Business Continuity: Entities must ensure the operational resilience of systems used for AML/CFT. Plans should include backup processes and procedures for incident escalation. All significant operational and reputational incidents must be promptly reported to the Financial Supervisory Authority (FSA).


    Training Requirements:

    • Comprehensive AML/CFT training must be provided to all staff, including outsourced functions.

    • Training should focus on the entity’s specific risk appetite, identified risk factors, and legal obligations.

    • Programs must be periodically reviewed and adjusted for relevance, with their effectiveness subject to evaluation.


    Contact Person Role: A designated contact person for the Estonian Financial Intelligence Unit (FIU) must be appointed (usually part of the 2LoD). This role involves:

    • Collecting and analyzing suspicious activity reports.

    • Communicating directly with FIU.

    • Participating in executive discussions when AML risks necessitate high-level awareness or intervention.

    This person must possess the required education, experience, and reputation, and be located in Estonia unless otherwise justified and approved.


    Conclusion - why the Three Lines of Defense model matters?

    The guidance outlines a sophisticated risk and compliance management governance model through the Three Lines of Defense framework. It places strong emphasis on:

    • Independence and accountability across control functions.

    • A clear segregation of duties.

    • Proportionality based on risk exposure.

    • Regulatory transparency and responsiveness.



    🧩 Detailed Responsibilities per Line


    First Line – Risk Ownership

    • Conduct due diligence (CDD/KYC).

    • Monitor business relationships.

    • Identify and escalate red flags.

    • Know client profiles and transaction patterns.


    Second Line – Risk Oversight

    • Enforce AML/CFT policies.

    • Oversee regulatory compliance.

    • Analyze escalated risks from the 1st line.

    • Train staff and advise senior management.

    • Prepare quarterly and ad hoc risk reports.


    Third Line – Independent Assurance

    • Audit the effectiveness of the 1st and 2nd lines.

    • Ensure regulatory and internal compliance.

    • Providing assurance to the Board & Regulators.

    • Cannot perform operational or compliance tasks.


    🔄 Connections Between the Lines

    • 1st → 2nd Line: Suspicious transactions are escalated for analysis and potential reporting.

    • 2nd → 3rd Line: Compliance frameworks and risk controls are evaluated through internal audits.

    • 3rd → Board: Reports on systemic issues, effectiveness of internal controls, and needed improvements.

    • Board → All Lines: Sets tone, defines risk appetite, ensures resources, and holds all lines accountable.


    diagram illustrating the Three Lines of Defense model
    A diagram illustrating the Three Lines of Defense model for risk management, highlighting roles and responsibilities across operational management, risk oversight, compliance, and internal audit, under the oversight of the board and executive management.

    Entities must integrate these principles into their daily operations to uphold the integrity of the financial system and meet the supervisory expectations under Estonia’s AML/CFT legal framework and EU-wide regulatory standards.

    bottom of page