Three Lines of Defense: The Governance Model Regulated Crypto Firms Already Need
Regulators across the EU, UK, US, Singapore, Hong Kong, Japan, the UAE and beyond are no longer asking whether a cryptoasset firm has a compliance policy. They are asking boards to evidence the controls behind it, and they are attaching personal liability to the individuals named in those controls. The governance model that satisfies that scrutiny already exists: it is the three-lines-of-defense framework that every well-run bank, broker-dealer and asset manager has operated for years.
Why the "Crypto Is Different" Argument Falls Short
A recurring position in the cryptoasset industry holds that blockchain-native business models are too novel, too fast-moving, or too structurally unusual to fit inside traditional financial governance frameworks. The practical experience of building and running financial crime compliance functions at regulated cryptoasset firms tells a different story.
The argument lacks nuance. Speed of operation is a real variable, but it is a reason to implement governance more precisely, not to abandon it. Institutional clients, including banks, asset managers and payment infrastructure providers, are entering digital assets at scale. The cryptoasset firms that win their business will be the ones whose governance structure is legible to a bank's risk committee, an external auditor, or a supervising regulator.
What Regulators Are Actually Asking
Supervisory expectations have shifted materially. Token listings, sanctions exposure, counterparty risk and treasury management are now board-level agenda items, not operational ones. Failures in any of these areas increasingly surface as personal liability for named individuals, not institutional inconvenience. That shift makes structured, documented governance a commercial necessity, not just a compliance exercise.
The Three Lines of Defense: How They Apply to Crypto
The framework allocates responsibility across three distinct layers. Collapsing them, even partially, is where most cryptoasset governance failures begin.
First Line: The Business
The first line covers everyone who operates the firm's revenue-generating activities: order book and OTC trading desks, product and listing teams, and customer-facing roles such as relationship managers. They are the first point of exposure to risk and are responsible for identifying and mitigating it before it enters the firm. That requires adequate training, clear escalation paths, and day-to-day ownership of the controls they operate.
Second Line: Risk and Compliance
The second line sets the firm-wide risk framework, monitors performance against it, and maintains the independent view of risk that the first line cannot provide about itself. In practice this layer may be structured as a single function or broken into thematic teams covering AML, sanctions, fraud, and conduct, depending on the firm's size and complexity.
Two roles sit explicitly in the second line and carry specific regulatory weight: the Money Laundering Reporting Officer (MLRO) and the Compliance Officer. Their responsibilities are distinct, and the distinction matters more at cryptoasset firms than is often recognized.
Third Line: Internal and External Audit
The third line provides independent assurance that the first two lines are functioning as designed. In many jurisdictions, the obligation to maintain an independent audit function is written directly into Money Laundering Regulations or general prudential rules. It is not optional, and it cannot be staffed by people who also sit in the functions they are reviewing.
The Structural Failure: Collapsing the Lines
The temptation at newer cryptoasset firms is to compress the separation between lines. Sometimes the first and second lines merge into a single team that both runs an activity and oversees it. Sometimes compliance ends up owning decisions that should belong to the business, which removes accountability from the people generating the risk.
Why Compression Produces Predictable Outcomes
Both scenarios produce the same result. There is no longer an independent function challenging the business, because the team that should be challenging it is either embedded in it or running it. A framework designed to catch problems through two separate reviews collapses into one, and a single bad call is enough for risk to pass through the firm unchecked.
Larger firms sometimes deploy local compliance leads embedded within business units. That is a recognized model, but it still requires a separate compliance line that is independent from the commercial reporting line. Embedding without independence is not second-line governance; it is first-line governance with a compliance job title.
MLRO and Compliance Officer: Why the Distinction Matters
Both roles sit in the second line and report to the board through the Audit, Risk and Compliance Committee (ARCC) or a dedicated financial crimes committee that feeds into the ARCC. Neither reports to commercial leadership. That reporting line is a mandatory regulatory requirement under the majority of AML regimes globally, including across APAC, EMEA and the Middle East.
MLRO Responsibilities and Personal Liability
The MLRO owns AML, counter-terrorist financing (CTF), counter-proliferation financing (CPF) and illicit funds obligations, including Know Your Customer (KYC) and Know Your Business (KYB) programs. Personal liability for these obligations sits with the MLRO under local AML law in most jurisdictions. The role is ordinarily a controlled function requiring regulatory approval and a fitness-and-propriety assessment that covers both character and the substantive experience needed to discharge the function. Regulators in the Middle East and APAC are increasingly formalizing the split between the MLRO and Compliance Officer roles in their licensing requirements, though in smaller firms a single individual may hold both positions without conflict.
Compliance Officer Responsibilities
The Compliance Officer owns the broader compliance program: governance architecture, policies and procedures, market and conduct surveillance, controls testing, training, and regulatory reporting. In groups operating across multiple jurisdictions, a Chief Compliance Officer typically sits at group level, coordinating across regulated entities and managing key regulator relationships. The Chief Compliance Officer does not usually carry the personal AML liability that attaches to the local MLRO in each jurisdiction where regulated activity takes place. That liability stays with the local appointee.
This accountability structure is directly relevant to the way firms use digital asset accounting software and crypto bookkeeping software: the data those systems produce feeds the compliance reporting chain, and the chain has named owners at every level.
Risk Appetite: The Document That Makes Everything Else Operational
A documented risk appetite statement is what converts a governance framework from a structural diagram into an operational tool. It begins with the firm's overall posture across non-financial risk categories, including compliance, AML/CTF/CPF, technology and operational risk, and financial risk categories such as liquidity, market and credit.
Structure and Maintenance
Each category receives a position, typically expressed as zero tolerance, low tolerance, or medium tolerance with a defined buffer. Each position is tied to specific controls. The statement should be reviewed at minimum annually and on an ad hoc basis whenever a material change in the business or the regulatory environment alters the firm's risk profile.
When the risk appetite is documented and current, decisions made within it can move at speed. Decisions that fall outside it must be flagged, justified, or escalated before they proceed. Without that reference point, every judgment call is ad hoc, and the pace at which cryptoasset firms operate amplifies the consequences of a single misjudgment. Defined decision rights for material events, such as token listings and counterparty off-boarding, are a direct output of a functioning risk appetite statement.
Data-Led Decision Making and the Role of Analytics
Objective, data-led decision making is not a nice-to-have in this framework; it is the mechanism by which controls are operationalized consistently. On-chain controls need a structured data layer beneath them. That means selecting blockchain analytics providers through a rigorous process and ensuring the outputs they produce are defensible to regulators, auditors and counterparties alike.
Our coverage of blockchain analytics data quality due diligence sets out the questions firms should be asking before they rely on any provider's data in a compliance decision. The quality of that data directly affects the integrity of the second line's monitoring outputs and the third line's ability to provide meaningful assurance.
The same data discipline applies to crypto accounting software used for financial crime reporting. Systems that record wallet activity, transaction categorization and treasury movements feed directly into the compliance reporting that boards and regulators now scrutinize. Gaps in that record create gaps in evidential defensibility.
Board Reporting: Format and Cadence
Every regulated jurisdiction requires quarterly board meetings, and the format mirrors TradFi best practice. Meetings open with the CFO's commercial overview, then move into the quarterly compliance report. That report should cover the firm's compliance risk position against its stated appetite, any material events or threshold breaches in the period, and actions taken or pending. The board is not a passive recipient of that information; it is the accountable body for the risk posture the report describes.
Firms subject to the FCA's finalized UK crypto regulatory framework will recognize this cadence as consistent with what the FCA expects from authorized firms. Similar expectations are embedded in MiCA, MAS guidelines in Singapore, VARA requirements in the UAE, and the existing Bank Secrecy Act and FinCEN frameworks in the US.
Source: Elliptic
What is the three-lines-of-defense model in the context of cryptoasset firms?
It is the same governance framework used across traditional financial services. The first line covers business and operational teams that own risk at the point of activity. The second line covers risk and compliance functions that set the framework and monitor it independently. The third line is internal and external audit, providing independent assurance that the first two lines are functioning correctly.
Does the MLRO at a crypto firm carry personal liability?
Yes, in most jurisdictions. The MLRO role is typically a controlled function requiring regulatory approval. Personal liability for AML, CTF and CPF obligations attaches to the named individual, not to the firm as an institution. Regulators across APAC, EMEA and the Middle East are formalizing this further.
What is a risk appetite statement and why does it matter for crypto compliance?
A risk appetite statement documents the firm's defined tolerance for each category of risk, the controls that maintain that tolerance, and the thresholds that trigger escalation. Without it, decisions are made ad hoc. With it, the firm has a documented reference point that regulators, auditors and board members can all interrogate.
Can the MLRO and Compliance Officer be the same person at a crypto firm?
In smaller firms, yes, provided there is no conflict between the responsibilities. Regulators in the Middle East and APAC are increasingly formalizing the distinction in licensing requirements. In larger or multi-jurisdictional groups, separate appointees are the expected structure, with the local MLRO carrying AML liability in each regulated jurisdiction.
How does crypto accounting software connect to governance obligations?
Digital asset accounting software and crypto bookkeeping software generate the transaction records that underpin compliance reporting, board packs and audit trails. The integrity of that data directly affects the firm's ability to evidence controls to regulators and auditors. Gaps in the accounting record create gaps in the governance chain.