For much of the past two decades, governance in wealth management and retail banking has been built on a shared intellectual foundation.
For those firms that adopted it, the COSO framework provided the structure for internal control and risk management. At the same time, the Three Lines of Defence translated those principles into a practical operating model.
Together, they offered something regulators, boards, and executives could understand: clarity on who owns risk, who oversees it, and who provides assurance.
That model has not disappeared. But it is under strain.
Across both wealth management and retail banking, AI, automation and advanced analytics are increasingly shaping decisions that matter.
Clients are risk-rated by models rather than manual assessments. Automated tools influence suitability. Fraud detection, affordability checks and transaction monitoring operate continuously, often without human intervention. These changes are not cosmetic. They go to the heart of how risk is taken, controlled and evidenced.
The question firms now face is not whether COSO and the Three Lines of Defence are still relevant. It is whether they are being applied with sufficient depth to govern a fundamentally different operating reality.
Why COSO still matters – a practitioner’s view
From a regulatory and governance perspective, COSO has endured not because it is theoretically elegant, but because it is operationally resilient.
COSO is one of the few frameworks that successfully connects Board-level intent to front-line decision-making, while remaining sufficiently flexible to accommodate different business models across retail banking and wealth management.
At its core, COSO articulates five interdependent components: governance and culture, risk assessment, control activities, information and communication, and monitoring. For practitioners, the value of COSO lies in how these components reinforce one another. Weaknesses in any one area ultimately manifest as a control failure, customer harm or regulatory intervention.
The FCA’s modern supervisory approach maps closely to this structure. Consumer Duty demands demonstrable linkage between governance decisions, product design, distribution, servicing and customer outcomes.
Financial crime supervision increasingly assesses whether risk assessment is dynamic, controls are adequate in practice, and monitoring identifies emerging harm early. COSO provides the scaffolding for this linkage.
What has changed materially is the operating environment. AI, automation and advanced analytics compress decision-making timelines, increase scale and introduce new categories of risk – particularly around explainability, bias and accountability. These changes do not weaken COSO’s relevance; they expose whether it has ever been applied with sufficient rigour.
The three lines of defence: from structural clarity to operational reality
As a governance model, the Three Lines of Defence has often been over-simplified. In practice, it was never intended to be a static organisational diagram. Its purpose is to establish clarity of responsibility, independence of oversight and integrity of assurance.
In retail banking and wealth management, the first line has traditionally been defined by human decision-makers – product owners, credit committees, advisers and portfolio managers.
At the time of writing, those decisions are increasingly shaped, augmented or executed by models. Creditworthiness, vulnerability indicators, client risk scoring, portfolio construction and transaction monitoring are all now materially influenced by automated logic.
From an operational standpoint, this creates a critical governance requirement: automated decisions must be held to the same level of accountability as human judgment. When firms treat AI as neutral infrastructure, risk ownership drifts to technology teams, creating a gap between regulatory accountability and operational control.
Mature firms address this by explicitly incorporating AI-enabled decisioning into first-line accountability. Business owners remain responsible for model outcomes, documented assumptions, tolerances and escalation thresholds. This aligns directly with SMCR expectations around reasonable steps and decision ownership.
The second line under pressure: from policy assurance to effectiveness challenge
From a second-line perspective, AI fundamentally alters the nature of oversight. Traditional compliance models – built around periodic review, sampling and policy adherence – struggle in environments where decisions are continuous, adaptive and data-driven.
In both wealth management and retail banking, the FCA has made clear that a framework alone is insufficient. Supervisory focus has shifted decisively towards effectiveness. Under Consumer Duty, firms are expected to anticipate foreseeable harm. In financial crime, regulators increasingly examine whether controls prevent, detect and mitigate risk at scale.
Operationally, this requires second-line teams to develop a deeper understanding of how models behave over time. This does not mean turning Compliance into a technology function. It does mean strengthening pre-implementation challenge, interrogating model assumptions, testing outcomes and monitoring drift.
In practice, leading firms are evolving their second line to include thematic outcome testing, model governance reviews, and data quality challenges. This is a direct application of COSO’s risk assessment and monitoring principles, adapted to a digital operating model.
Financial crime and conduct: converging risk domains in practice
One of the most material governance implications of AI is the accelerating convergence of financial crime and conduct risk.
In retail banking, automated affordability, fraud detection and vulnerability identification directly influence both crime prevention and customer outcomes. In wealth management, client risk scoring affects AML controls, suitability assessments, service models and ultimately client trust.
From a regulatory standpoint, the FCA does not distinguish between model-driven harm and human-driven harm. The question is whether foreseeable risk was identified, mitigated and monitored. COSO’s integrated approach to objectives, risk assessment and controls provides a practical framework for governing this convergence.
Firms that continue to operate separate governance tracks for financial crime and conduct increasingly find themselves defending artificial distinctions rather than demonstrable outcomes.
The third line’s quiet shift: auditing systems, not just decisions
Internal Audit’s role is also evolving in response to AI-enabled operating models. Traditional audit approaches – focused on file sampling and procedural adherence – offer limited assurance when risk is embedded within systems rather than individual decisions.
From an assurance perspective, the focus is shifting upstream. Effective third-line functions are examining model governance, data lineage, approval processes, override frameworks and escalation mechanisms. The objective is to assure the integrity of the control environment, not simply its outputs.
This approach aligns closely with COSO’s emphasis on monitoring the system of internal control and with regulatory expectations around senior management accountability.
An evolution, not a rejection
There is a temptation, when faced with technological change, to assume that established frameworks must be replaced. In governance, that instinct is rarely helpful.
The FCA has only recently assumed responsibility for regulating AI in UK financial services. Its regulatory approach is principles-based and focused on outcomes. The FCA wants to give firms the flexibility to adapt to technological change and market developments, rather than creating detailed, prescriptive rules. Whilst there is no plan for the FCA to introduce additional AI regulations, the regulator will rely on existing frameworks that help mitigate many of the risks associated with AI.
COSO and the Three Lines of Defence are not obsolete. They remain the most coherent articulation of how responsibility, oversight and assurance should operate in regulated firms. What AI demands is a more disciplined and honest application of those principles.
For wealth firms and retail banks, this means re-grounding governance in reality. Recognising that models make decisions. Accepting that accountability cannot be outsourced to technology. Ensuring that risk frameworks evolve alongside operating models.
This is not a rejection of COSO. It is its evolution into a living framework, capable of governing modern financial services.
Firms that embrace that evolution will be better placed to innovate safely, demonstrate regulatory credibility and, ultimately, deliver better outcomes for customers. Those that do not may discover that their governance failed not because the framework was wrong, but because it was applied too narrowly.
Author: Ian Stott, Head of Financial Services at Konexo