Who is responsible for compliance with GDPR, PSD2 and AML?

December 12, 2018

New regulations bring new opportunities and new risks to businesses.

For many of us who work in the finance industry, GDPR [1], AML / CFT [2] and PSD2 [3] are examples of buzzwords we heard a lot about in 2018 and expect to hear more about in 2019. These are rules that came into force in 2018, and most financial companies have already implemented them or are in the process of establishing their own projects to do so.

New regulations bring new opportunities and new risks to businesses. Compliance risk, the risk of failing to comply with the law, is usually what receives the most emphasis when the laws change. With PSD2 and GDPR, however, other risks (and opportunities) may deserve just as much emphasis in a business's preparation work. For example, many believe that PSD2 is a game changer for banks, in which other types of players will emerge as strong competitors in a market that has so far been reserved for the banks.

In addition to compliance risks, the new regulations imply other important risks and opportunities such as market risks (new players), business and strategic risks (new products, collaborators) and a number of operational risks (for example, related to the protection and disclosure of information), which in turn can create reputational risk. There are also risks associated with the banks’ implementation of the preparations themselves (costs, delays, lack of resources, expertise, etc.).

Businesses must identify, analyze, define and address both the risks and opportunities associated with the new regulations. Risks and opportunities must be seen in context and it is important that both are taken into account at an early stage in the preparation work.

With new regulations, the question of who will be responsible for the preparation work often comes up. It is not uncommon for risk owners, legal or compliance to be given a large share of the responsibility when implementing new regulations. Often, and perhaps especially now, the new regulations affect more or less the whole business. GDPR is a very good example of this: several risk owners are directly affected by the new rules, and it is not obvious who will take the main responsibility for making the necessary preparations.

The three lines of defense model was created following the global financial crisis to provide a coherent and coordinated approach to managing business risks at the strategic, tactical and operational levels. The COSO [4] framework, supervisory authorities and the IIA [5] all frequently present this model as good practice.


[1] The General Data Protection Regulation

[2] Anti Money Laundering / Counter Financing of Terrorism

[3] Revised Payment Services Directive

[4] The Committee of Sponsoring Organizations

[5] The Institute of Internal Auditors

The principle behind the model is a clear distribution of responsibilities and roles, seen from a comprehensive perspective, in which the board and management have key roles in managing the business. Precisely because a comprehensive perspective is important for these new regulations, including seeing all risks and opportunities in context, this model is a suitable basis for defining roles and responsibilities.

The main principles of the model are that the first line consists of the executive and operational functions that generate revenue. They should assess their own risks and whether they have sufficient controls in place. The first line owns the risk and is responsible for compliance with the laws and guidelines at all times, including ensuring that the preparations and changes required by new or amended rules are made.

The second line is a monitoring and support function for the first line, which through advice, independent controls and its own risk assessments helps identify and report unwanted risk and thereby contributes to better achievement of objectives. First- and second-line reviews provide important input to management when important decisions are to be discussed and taken.

The third line is the extended arm of the board into the business and is intended to provide the board with assurance that the business has sufficient control. The third line also assesses the work of the other two lines. Third-line assessments provide important input to the board when important decisions are to be discussed and taken.

PSD2, GDPR and AML are good examples of regulations that create risks and opportunities beyond compliance risk. The various regulations generate important discussions at different levels of the business and should be seen in conjunction, as there are many synergies between them. The regulatory framework also sets the frame for the business and provides guidelines for strategic choices. This should be included in important assessments related to, for example, business models, digital investments and competence development, to mention a few.

We are experiencing a fast-paced financial industry, and important strategic decisions will have to be taken by banks in the years ahead. The board and management, who are ultimately responsible, should seek a decision basis of the best possible quality and relevance, as well as appropriate and successful project work. A clear distribution of roles and responsibilities will help to ensure this.

The board and management have the main responsibility for compliance with new laws and regulations, but in practice it is a team effort in which each employee is responsible for performing their part of compliance and their part of risk management. The “Three Lines of Defense” model can be useful for clarifying how roles should be distributed.

Written by Maria Haug Edvardsen 