The “four lines of defence model” for financial institutions (BIS, January, 4th 2016)


(also available in Italian)

Executive summary (note 1)

Since the Global Financial Crisis of 2007-09, the design and implementation of internal control systems has attracted serious academic and professional attention.
Much research on the effectiveness and characteristics of internal audit functions has been conducted under the sponsorship of the Institute of Internal Auditors Research Foundation (IIARF) and published in academic and professional journals.
Despite these efforts, there has been little systematic analysis of how the design of an internal control system affects the efficiency and effectiveness of corporate governance processes, especially at financial institutions such as banks and insurance companies.
The "three lines of defence model" has been used traditionally to model the interaction between corporate governance and internal control systems.
We consider the existing three-lines-of-defence model could be substantially enhanced by giving it a specific focus on the regulation of banks and insurance companies.
We address this deficiency and attempt to ascertain the extent to which these financial institutions - due to their idiosyncratic features and specific regulatory requirements - need a more effective internal control model.
Although our study relates to financial institutions in general, our detailed analysis focuses on banking institutions.
In order to account for the specific governance features of banks and insurance companies, we outline a "four lines of defence" model that endows supervisors and external auditors, who are formally outside the organisation, with a specific role in the organisational structure of the internal control system.
Building upon the concept of a "triangular" relationship between internal auditors, supervisors and external auditors, we examine closely the interactions between them.
By establishing a four-lines-of-defence model, we believe that new responsibilities and relationships between internal auditors, supervisors and external auditors will enhance control systems. That said however, we also highlight the risk that new problems could be caused by inadequate information flows among those actors.


1) The authors would like to thank the reviewers for the valuable comments and suggestions they received which helped improve the accuracy and validity of the investigation: Prof Robert Melville from CASS Business School, Prof Wilco Oostwounder from the University of Utrecht; and Juan Carlos Crisanto, Stefan Hohl and Raihan Zamil from the Financial Stability Institute of the Bank for International Settlements.


Executive summary
1. Introduction: the Global Financial Crisis, corporate governance and the three-lines-ofdefence model
2. Outline of the three-lines-of-defence model
3. Weaknesses and past failures of three-lines-of-defence model
4. The concept of the “four lines of defence” model in financial institutions
5. Relationship between functions of the third and fourth line of defence
5.1 Relationship between external auditors and supervisors
5.2 Relationship between internal auditors and supervisors
5.3 Relationship between internal auditors and external auditors
5.4 Transition from the three lines to the four lines of defence: the quest to design an effective
model for financial institutions
6. Conclusion


  • Isabella Arndorfer, Bank for International Settlements, Andrea Minto, Utrecht University, Occasional Paper No 11, «The “four lines of defence model” for financial institutions - Taking the three-lines-of-defence model further to reflect specific governance features of regulated financial institutions», December 2015 (pdf, 487 K, 29 pp.)