Let’s look into Estonia: why even sub-Threshold fund manager’s need the 3rd line of defence for AML purposes

Financial institutions must have “Three Lines of Defence” in their organisation. This does not apply only to banks and large investment firms, but also to fund managers and smaller financial institutions. In Estonia, also the fund managers operating under the simplified regime must have an organisational structure that consist of the 3 lines of defence.

What is the “three lines” in the context of anti-money laundering (AML)?

1. The first line of defence is the front-line employees and management. They are conducting customer-facing activities. First line is responsible for detecting, preventing, and mitigating money laundering risks.
2. The second line of defence is comprised of AML compliance function. This includes the money laundering reporting officer (MLRO or the contact person for the local FIU). The second line provides oversight, guidance, and support to the first line of defence.
3. The third line of defence is internal audit, which provides independent assurance of the effectiveness of the AML program. Internal auditor also assesses the quality of the activities of the first and second line of defence.

Each of these lines of defence plays a critical role in ensuring that an organization’s AML program is effective, efficient, and compliant with regulatory requirements. In today’s world of tightening regulations, internal auditing as the third line of defence is important to ensure compliance with AML regulations.

The requirements for a third line of defence for AML purposes may vary depending on the regulatory framework in which a financial institution operates. In Estonia the requirements are also different depending on whether you are a fully licensed financial institution or operating under a “simplified” regime.

If you are a venture capital or private equity firm considered as a sub-threshold AIFM, then you are supervised by the Estonian Financial Intelligence Unit (FIU). This means that the FIU’s guidelines apply to your activity. The FIU has in 2022 issued a guideline “Management of risks relating to money laundering and terrorist financing and application of due diligence to obliged entities supervised by the Financial Intelligence Unit”. According to the guideline, the entity’s under FIU’s supervision must ensure separation of functions between the organisation’s three lines of defence. Therefore, even a small fund manager without a full license needs to have an internal audit control function that assesses the effectiveness of the AML program at least on an annual basis.

So, if you still haven’t included the 3^rd line of defence in your organisational structure, we advise you to review your activity in this context. Depending on the size and complexity of your business, the 3^rd line of defence may be an audit conducted by a service provider once a year. Internal audits would typically have two levels: 1)  an assessment of the policies and procedures in place; 2) a review of the implementation of the company’s policies and procedures by the first line of defence.

If you need help in evaluating whether you are obliged to onboard a 3rd line of defence, give as a call. We can also help with the annual 3rd line of defence audit if you need one. Talk to our experts at MITI.