The Three Lines of Defence
Barclays operates a Three Lines of Defence model that structures AML responsibilities across the entire organisation. Every employee falls within this framework.
Business Units
Customer-facing staff and operations teams. Identify, verify, monitor, and escalate.
Risk & Compliance
Financial crime compliance teams. Policy, oversight, SAR management, and training.
Internal Audit
Independent assurance. Tests controls, checks policy compliance, reports to the Board.
Customer-Facing Staff — First Line
Relationship Managers & Branch Staff
Customer-facing employees form the first line of defence. Their responsibilities include:
- Identify: Recognise potential red flags during customer interactions — unusual requests, inconsistent information, reluctance to provide documentation
- Verify: Conduct Customer Due Diligence (CDD) at onboarding and throughout the relationship. Verify identity documents, confirm beneficial ownership, understand the business purpose
- Report: Escalate any suspicion to the MLRO immediately. Under s.330 POCA, failure to report is a criminal offence carrying up to 5 years’ imprisonment
Insufficient checks at onboarding allowed GBP 46.8 million to flow through accounts that should never have been opened on the terms they were. Front-line diligence is the first barrier.
Operations Teams — First Line
Transaction Monitoring & Controls
Operations staff responsible for payment processing and transaction monitoring have a critical role:
- Monitor: Review and act on alerts generated by automated transaction monitoring systems
- Investigate: Conduct initial triage of alerts — separating false positives from genuine concerns
- Escalate: Pass confirmed or uncertain alerts to compliance or the MLRO
- Maintain controls: Ensure payment screening, sanctions checks, and automated controls function correctly
Compliance Teams — Second Line
Financial Crime Compliance
Compliance teams form the second line of defence, providing oversight and challenge:
- Policy: Develop and maintain AML policies — Barclays has one group-wide Financial Crime Policy supported by eleven standards
- Oversight: Monitor first-line compliance and provide challenge
- Reporting: Manage the SAR filing process through the MLRO and maintain regulatory returns
- Training: Design and deliver AML training programmes for all staff
- Risk assessment: Conduct and maintain the firm-wide AML/CTF risk assessment
Senior Management — Governance
Board, ExCo & Senior Managers
Senior management bears ultimate accountability under the Senior Managers and Certification Regime (SM&CR):
- Governance: Set the firm’s risk appetite for financial crime and ensure it is embedded across the organisation
- Resource allocation: Ensure compliance, the MLRO, and monitoring systems have adequate resources
- Culture: Foster a culture where AML compliance is a priority, not a burden
- Accountability: Designated Senior Managers are personally accountable. If AML failures occur due to inadequate governance, individuals face personal regulatory action
In January 2025, Barclays elevated financial crime to a principal risk within the ERMF — a direct response to heightened regulatory expectations and enforcement activity.
All Staff — Universal Obligations
Every Employee
Regardless of role, every employee has baseline AML obligations:
- Awareness: Understand the basics of money laundering and how it manifests in banking
- Training: Complete mandatory AML training (at least annually) and stay current with policy updates
- Vigilance: Remain alert to anything unusual, even outside your direct responsibilities
- Reporting: If you see something, report it. The obligation under s.330 POCA applies to all persons in the regulated sector, regardless of seniority or function
Match the Role to the Responsibility
Select a role on the left, then select its matching AML responsibility on the right. Complete all 8 pairs to unlock the next section.