Compliance Architecture in Corporate Finance
Compliance in corporate finance operates as a stack of distinct layers, each binding a different part of the operation and each carrying its own failure mode. An obligation layer fixes which rules apply and to whom. A set of operational layers then acts on counterparties and transactions at the points where money and information move — establishing identity and beneficial ownership at entry, screening parties against sanctions and watchlists continuously, monitoring activity across the flow, and reporting to the authorities on detection. An assurance layer evidences and tests the whole, and owns the result. The layers run in sequence at some points and cut across the operation at others, and a weak layer propagates into the layers it sits between.
This architecture sits within the governance framework of the finance function and attaches to the operational transaction process at every point where a transaction can be held, blocked, or reported; it is the obligation-and-assurance dimension of that process, distinct from the internal controls it relies on to operate. Its scope is corporate and institutional finance: the obligations that bind regulated financial institutions directly — banks, payment firms, crypto-asset service providers, banking-as-a-service operators — and that reach non-financial corporates indirectly, through their banking partners and their own internal governance. The same layer model carries materially different obligations and supervisory structures across jurisdictions, with the European Union and the United States the two most consequential for cross-border operations: the EU’s single rulebook — the Anti-Money Laundering Regulation (AMLR) and the Sixth Anti-Money Laundering Directive (AMLD6) — and its central authority, the Anti-Money Laundering Authority (AMLA); and the US Bank Secrecy Act (BSA) regime administered by FinCEN, with the sanctions program of the Office of Foreign Assets Control (OFAC) running alongside.
What compliance layers are — concept and boundary
Each compliance layer is a discrete obligation attached at a specific point in the operation, with its own trigger, its own evidence, and its own failure mode. A layered view captures three properties that a flat list of rules loses. The layers attach at different points — some at counterparty onboarding, some across the transaction flow, some only on a detected event — and they run in a dependency order, so a screening result is only as sound as the identity established beneath it. A gap in one layer degrades those around it. The stack resolves into three tiers — an obligation tier that fixes what applies and to whom, an operational tier that acts on parties and transactions, and an assurance tier that evidences and owns the result.
Above the stack sits governance. A governance framework is the broader structure of authority, decision rights, and accountability across the finance function — who can commit the entity, and where the ownership of risk sits. Compliance is one dimension within that framework, concerned with conformance to external legal and regulatory obligation and with the assurance that the obligation is met. Placing compliance correctly inside governance sets reporting lines and the independence of the function. A compliance function that reports into the business it monitors cannot test that business credibly, and the governance framework is what establishes the separation under which the compliance layers operate.
A control is an operating mechanism — a preventive or detective measure such as segregation of duties, a four-eyes approval, or a system-enforced limit — and it marks the boundary that runs alongside the stack. Compliance names the obligation the mechanism is built to satisfy, together with the assurance that it does. A single control often serves several ends at once. A four-eyes approval on outbound payments prevents fraud, enforces internal authorization policy, and supplies a compliance control over disbursement in the same step. The obligation is what the regulator imposes; the control is one of several mechanisms an entity may use to meet it; one entity can satisfy an obligation through controls that differ from another’s, and a control can run flawlessly while the obligation behind it goes unmet. The operational mechanics of these controls form their own subject, and within the compliance stack they sit as the layer beneath the obligations — the means by which each layer is operated.
Holding the whole stack together is obliged-entity status. Law designates certain entities as bound — “obliged entities” in EU terminology, “covered financial institutions” and other defined persons under the US regime — and imposes the stack on them as a condition of operating. Status varies across an operation, and the intensity of each layer scales with the entity’s classification and its assessed risk, so two firms running an identical transaction can owe materially different obligations on it. This first layer is the perimeter, and it fixes four things every layer above it depends on: whether an entity is directly regulated, how far the obligations reach non-financial parties indirectly, how the perimeter cuts through a corporate group, and how intensely each layer applies to a given counterparty.
The obligation layer — regulatory perimeter and obliged-entity status
Before any other layer operates, the obligation layer settles which legal regimes bind the entity and what status it holds under each. The answers fix the perimeter — the boundary of who is bound and how far the obligations reach — and they size every layer above. An identity check, a screening run, a monitoring rule, a filed report each take their content from a designation made here. A wrong designation mis-sizes the whole stack above. The program is then built for obligations the entity does not carry, or blind to ones it does.
Obliged-entity status is a legal designation that a firm’s own self-description cannot override. Under the EU regime, the stack falls on “obliged entities” — credit and financial institutions, plus an enumerated set of non-financial businesses and professions — and the AMLR fixes that definition uniformly across all twenty-seven member states, closing the national variation that once let activity migrate to the lightest-touch jurisdiction. Every crypto-asset service provider authorised under MiCA is an obliged entity under the AMLR, and the prior €1,000 threshold for occasional crypto transactions is gone. The US regime runs on a defined and repeatedly expanded category of “financial institution” under the Bank Secrecy Act — banks, money services businesses, broker-dealers, and others — administered by FinCEN. So a firm’s framing carries no weight. A payments startup that regards itself as a technology company becomes an obliged entity the moment its activity meets the definition of a money services business or a crypto-asset service provider, and the full stack attaches whether or not the firm has recognised it.
Direct and indirect reach divide the perimeter. A regulated financial institution carries the entire stack itself, running the program and filing its own reports under direct supervision. A non-financial corporate is generally outside obliged-entity status and owes no suspicious-activity filing of its own, yet it is reached on two sides. Its banking partners apply identity, screening, and monitoring to it as their customer, so the corporate meets the layers from the outside as conditions on its access to the financial system. Its own governance framework typically imposes equivalent internal controls regardless of statutory obligation. In banking-as-a-service arrangements, the seam between direct and indirect reach is where accountability concentrates. The licensed bank remains the obliged entity and keeps regulatory accountability for the program, while the fintech partner operates large parts of it in practice. The live question there is who operates each layer and under what contractual and supervisory allocation, and a defect in the partner’s operation is the bank’s regulatory exposure.
For sanctions exposure, the perimeter widens past the AML one, so the obligation layer carries at least two overlapping boundaries. AML obligations — due diligence, monitoring, reporting — bind obliged entities. Sanctions bind a far broader population. OFAC measures reach any US person, any US-dollar transaction, and any activity with a US nexus, and they apply on a strict-liability basis, so an entity violates by transacting with a blocked party even with no knowledge of the breach. EU restrictive measures bind comparably across persons subject to EU jurisdiction. A corporate treasury running no AML program at all still carries a hard, unforgiving sanctions obligation on every payment it originates, and the screening layer below operates that obligation regardless of the entity’s AML status.
Within the perimeter, obligation scales as a gradient. Each layer’s intensity tracks the entity’s classification and the risk assessed at customer and product level, then at channel and jurisdiction level, so two firms running an identical transaction — or one firm onboarding two customers with the same nominal profile — can owe materially different obligations once risk is factored in. Risk assessment is the mechanism that calibrates the stack, which is why both regimes are pushing it toward the foundation. The EU framework is risk-based throughout, and FinCEN’s April 2026 proposed rule would make a documented enterprise risk assessment a standalone obligation aligned to the national AML/CFT priorities — at proposal stage, with comments open through June 2026, and not yet in force.
Inside corporate groups, the perimeter cuts past the regulated entity’s own legal boundary. The EU regime requires obliged entities to apply group-wide AML/CFT policies and procedures across branches and majority-owned subsidiaries, including those established in third countries, and US consolidated-program expectations run in the same direction. A single regulated subsidiary therefore pulls group-level obligations onto affiliates that would fall outside scope on their own. This lands hardest in multi-entity organisations, where the compliance perimeter and the legal-entity map do not coincide.
Two obligations inside this layer are routinely collapsed, though they bind different parties and only one of them changed. The CDD Rule requires a US financial institution to identify and verify the beneficial owners of its legal-entity customers at account opening — any individual owning twenty-five percent or more, plus one individual exercising control — and it has done so since May 2018. The Corporate Transparency Act added a separate obligation on entities themselves to file beneficial-ownership information into a FinCEN registry. Since the interim final rule effective 26 March 2025, that registry obligation reaches only foreign companies registered to do business in the United States; US-formed entities and US persons are exempt, and the rule remains in force. The narrowing hit the registry alone. A US bank must still collect beneficial ownership from its legal-entity customers at onboarding even though most of those customers now file nothing with FinCEN. The EU keeps both mechanisms live and tighter, holding beneficial ownership in central registers under AMLD6 alongside the AMLR’s customer-level due-diligence obligation, both turning on the same twenty-five percent threshold.
The operational layers — compliance at the points of activity
The operational tier is where the obligation tier becomes action. These layers act on real counterparties and real transactions, ordered by where they attach to a transaction’s movement — identity and screening at entry, monitoring across the flow, reporting on a detected event. Each layer is a gate or a sensor with a defined trigger and a defined output, and each output feeds the next: identity supplies the parties screening checks and the profile monitoring scores, and monitoring supplies the detections reporting discloses. Every one of those actions also leaves a record — a cleared party, a dispositioned alert, a filed report — and that record is the raw material the assurance tier must later test and stand behind.
Identity and due diligence (KYC / CDD / KYB, beneficial ownership)
At the entry gate, before a relationship is allowed to transact, this layer establishes and verifies who a counterparty is and who ultimately stands behind it. For a natural-person customer the work is identity verification — the customer identification program in US terms. For a legal-entity customer it extends to know-your-business, identifying the entity and then looking through it to the natural persons who own or control it. Both regimes fix the look-through at the same point — any individual holding twenty-five percent or more, plus an individual exercising control — under the AMLR at customer level in the EU and under the CDD Rule in the US since May 2018. The beneficial-ownership data produced here does not stay in this layer. It is the input the screening layer needs to apply ownership-based sanctions tests, which makes an unidentified beneficial owner an unscreened one as well.
Intensity is risk-based. Standard due diligence is the baseline; enhanced due diligence attaches to higher-risk relationships — politically exposed persons, customers in high-risk third countries, opaque ownership structures — adding depth and senior sign-off; simplified measures apply where assessed risk is low. The classification is set against the customer risk profile, which then becomes the calibration input for monitoring downstream. Due diligence continues past onboarding as well, refreshed on a risk-driven schedule and re-run on trigger events, and the EU framework lets obliged entities update existing customers on a risk basis over a defined period. A stale profile quietly mis-calibrates every layer that reads from it.
Sanctions and watchlist screening
Screening sits on a different legal basis from AML due diligence and binds a wider population. Every counterparty is run against the OFAC SDN List and the applicable sanctions and watchlists at onboarding, and OFAC measures reach any US person and any US-dollar transaction on a strict-liability standard — one positive match is a hard stop, whatever the intent behind the transaction.
Names alone miss the indirect cases, which is where ownership work comes in. The OFAC 50 Percent Rule treats any entity owned fifty percent or more, in aggregate, by one or more blocked persons as itself blocked even when it appears on no list, turning screening into beneficial-ownership tracing and tying it back to the identity layer beneath. The EU and UK reach the same evasion through a control standard that can bite below fifty percent where a sanctioned person exercises significant influence, so one ownership chain can resolve to a blocked counterparty under one regime and a permitted one under the other.
A confirmed match blocks the property and freezes the transaction. Absent an applicable authorisation it cannot complete, and in some cases it must be rejected outright.
The lists move under the book. Designations are added and removed continuously, and comprehensive sanctions can lift entirely, as US sanctions on Syria did in mid-2025, so the existing book is re-screened against the current state of the lists as a standing requirement. Politically-exposed-person screening rides this same surface and feeds back into the due-diligence layer as an enhanced-diligence trigger.
Transaction monitoring and detection
Monitoring watches activity over time for patterns that contradict the story the onboarding profile told. It sits at no single gate; it runs across the flow, scoring transactions and behaviour against the customer risk profile and against typologies of known illicit activity, and it raises alerts for investigation. Both regimes require it — ongoing monitoring is an explicit obligation under the AMLR and a program requirement under the US regime. The internal mechanics — how scenarios and thresholds are designed, how alerts are tuned to manage false-positive volume, how cases are triaged and dispositioned — belong to Transaction Monitoring Principles.
As a layer, monitoring is defined by its dependencies. It inherits the quality of the identity layer, so a wrong or stale profile produces unreliable scoring. And it depends on the reporting layer for effect, because a detection never escalated into a disclosure ends as an entry in an alert queue.
Reporting and disclosure (SAR / STR, CTR, FIU interaction)
This is the one operational layer whose output leaves the entity and reaches the state. A suspicious activity report goes to FinCEN, the US financial intelligence unit; in the EU a suspicious transaction report goes to the national FIU, with AMLD6 structuring those units and the AMLR placing the reporting obligation on obliged entities.
Cash crossing ten thousand dollars triggers a currency transaction report in the US, independent of any suspicion and required whether or not anything looks wrong. That threshold filing does not stand in for a suspicion filing on the same transaction, and one entity can owe both.
An investigator who has filed, or is preparing to file, faces a constraint the other operational layers do not impose. The entity may not disclose the filing, or its preparation, to the customer or to any third party — the prohibition on tipping off. The risk is concrete and lands before the report is even complete. A clarifying call to the customer during preparation can itself constitute an unlawful disclosure, so the layer can generate liability at the exact moment an investigator most wants to ask a question.
The assurance layers — control, testing, and accountability
A program can run the obligation and operational tiers in full and still be found deficient, because both regimes judge the program itself — a firm can fail that judgment even when every transaction was handled correctly, when it cannot evidence that the controls existed, show that someone independent tested them, or name who answers when they break. Both frameworks build the assurance tier in as a structured set of program components — the five components of OFAC’s Framework for Compliance Commitments (management commitment, risk assessment, internal controls, testing and auditing, training) and the BSA program elements long called the “pillars” — and both organise it along three lines of defence, with the operational layers in the first line, the compliance function owning and overseeing them in the second, and independent testing or internal audit verifying them in the third. Independence is what gives the tier its force; assurance that reports into the activity it assures has none. What the tier delivers is the condition the rest of the stack cannot supply for itself: operational layers that are auditable, testable, and owned.
Internal controls and independent testing
When a control fires, it also leaves a record. A system-enforced screening block, a four-eyes release on a disbursement, a reconciliation that matches what settled against what was instructed — each does two jobs at once, operating a layer and emitting the artifact that proves the layer operated. A screening block that fires and logs is both the enforcement of the sanctions obligation and the record an examiner reads to confirm enforcement happened. Both regimes require obliged entities to maintain internal policies, controls, and procedures proportionate to the nature and size of the business, the formal demand that the layers above run on designed, evidenced mechanisms. The design of those mechanisms is the subject of Internal Financial Controls; the assurance tier consumes what they emit.
To count for anything, verification has to be independent. A control in the first line cannot certify itself, so internal audit — or a function reporting outside the business — checks each control against its design and its assessed risk.
What testing produces is a finding — a gap, its owner, and a remediation tracked to closure. Independent testing is itself an obligation, a named pillar of the US program and a component of the OFAC framework, so its absence is a deficiency in its own right however well the underlying controls run. An untested program is, for assurance purposes, unproven.
Program governance and accountability
Two named roles anchor this layer. Both regimes require a qualified individual to own the program — a BSA/AML compliance officer in the US, and under the AMLR a compliance officer alongside a compliance manager who sits on the management body. Placing the role at management level gives the second line standing to challenge the first, and the compliance owner draws that authority and independence from the governance framework. Ultimate accountability sits with the board or senior management; “management commitment” leads OFAC’s five components precisely because a program the leadership neither owns nor resources decays into documentation no one enforces.
Risk assessment is the input that drives the layer and calibrates the stack. An enterprise-level read of where the entity’s laundering, terrorist-financing, and sanctions risks concentrate sets the intensity of due diligence, the scope of screening, and the design of monitoring beneath it; built without it, a program is sized to a generic threat instead of the entity’s real exposure. Its standing is rising on both sides. The EU framework is risk-based throughout, and FinCEN’s April 2026 proposed rule would recast the US program around a single standard of an effective, risk-based AML/CFT program, replacing the enumerated “pillars” model and making a documented enterprise risk assessment, aligned to the national AML/CFT priorities, a standalone obligation. That proposal is at comment stage through June 2026 and is not in force; the pillars model remains operative. In an examination, this layer is read off a specific set of records: the named compliance officer on file, the board minute approving the current risk assessment, the risk assessment itself, and the remediation log where each finding carries an owner and a closure date.
Mapping the layers to the transaction lifecycle
The operational layers are easiest to place against the transaction they govern. A corporate or institutional transaction moves through a lifecycle — a counterparty is established, a payment is initiated, it is processed and settled, and it is recorded — and each compliance layer attaches at a specific stage of that movement, as a gate that can stop the transaction or a sensor that observes it. The mechanics of that lifecycle as an operational sequence are the subject of the Business Transaction Process. Compliance binds to it at specific points, and the point of attachment decides what each layer can prevent and what it can only catch after the fact.
At entry, before a counterparty transacts at all, the identity and due-diligence layer stands as a gate. No verified identity and beneficial ownership, no relationship. Screening forms a second gate at the same point, checking the counterparty against sanctions and watchlists before onboarding completes, and a confirmed match here stops the relationship from forming. Entry is the strongest position in the lifecycle. A layer that blocks here removes the exposure altogether.
At the flow stage, once the relationship exists and transactions are initiated and processed, two layers act in different modes. Screening repeats per transaction at defined control points — a cross-border payment is re-checked against the lists at release, on top of the onboarding check — and it stays a hard gate, where a positive match holds or blocks the specific payment. Monitoring works as a sensor here. It observes transactions as they flow, scores them against the customer profile and known typologies, and raises alerts, in the ordinary case without stopping the payment. The operational difference is sharp. Screening can hold a transaction in flight, and monitoring generally cannot, which is why monitoring takes effect only through the layer downstream of it.
At exit and after, the reporting layer fires on what the flow stage surfaces. A confirmed monitoring alert becomes a suspicious-activity filing to the FIU; a cash transaction over the threshold becomes a currency report with no suspicion required. This is where the lifecycle hands intelligence to the state, and where the tipping-off constraint binds and cuts off the normal flow of information back to the reported counterparty.
Settlement finality sets a hard deadline across all three positions. Once a transaction reaches finality on its settlement rail, it is irrevocable, so any preventive layer — screening above all — has to clear before that moment or lose the power to stop anything. A sanctions hit found after finality no longer blocks; it becomes a blocked-funds and reporting problem with the exposure already realised. The rail fixes that deadline, and the compliance function cannot move it. Every preventive control runs against the clock to settlement finality, and whatever cannot clear before it is detective by construction.
The stack under EU and US regimes
The layer model is constant. Its instantiation is not. The same seven layers carry different legal bases, different thresholds, and — most consequentially — different supervisory architectures across the European Union and the United States. An operation exposed to both runs a single stack, and that stack has to satisfy the stricter instantiation at each layer. That makes the divergences operational. Where the two regimes diverge, the binding obligation is whichever one reaches further.
European Union — single rulebook and central authority
The EU’s defining move is harmonisation. Its 2024 package swaps a patchwork of nationally transposed directives for a directly applicable rulebook plus a central authority. The Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) sets the obligation, due-diligence, screening, monitoring, and reporting layers as one set of rules applying identically across all twenty-seven member states, with no national transposition, and it applies from 10 July 2027. The Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640) carries the institutional side that does require transposition — the powers of national supervisors and financial intelligence units, plus beneficial-ownership registers and cross-border cooperation — by the same 10 July 2027 date, with certain beneficial-ownership register provisions due earlier. Supervision is two-tier. The Anti-Money Laundering Authority (AMLA, Regulation (EU) 2024/1620) is headquartered in Frankfurt and has been operational since 1 July 2025. It coordinates the system and sets its technical standards. It will also directly supervise a selected population of the highest-risk entities, beginning its selection in 2026, while national supervisors keep authority over everyone else and the FIUs stay national. The European Banking Authority held the AML mandate through the transition and is handing direct supervision to AMLA, and much of the detailed layer content is still being written, in the technical standards AMLA is issuing through 2026.
On the sanctions layer the EU applies a control-based test for ownership. A restrictive measure can reach an entity below fifty percent ownership where a designated person exercises control or significant influence, a wider and more judgement-dependent net than a fixed ownership percentage. EU restrictive measures bind persons subject to EU jurisdiction and run through member-state competent authorities, with no single sanctions agency.
United States — the BSA program model and OFAC sanctions
The US instantiation is older and statute-anchored, built around the program more than a single rulebook. The Bank Secrecy Act is the foundational statute; FinCEN administers it and serves as the national financial intelligence unit. The AML Act of 2020 modernised the regime, adding countering the financing of terrorism explicitly, mandating national AML/CFT priorities, and creating the beneficial-ownership registry. The obligation layer runs on a defined and repeatedly expanded category of “financial institution,” and the program is structured as the “pillars” — designated compliance officer, internal policies and controls, training, independent testing, and the customer-due-diligence pillar added in 2018. FinCEN’s April 2026 proposed rule would replace that enumerated structure with a single standard of an effective, risk-based AML/CFT program and elevate enterprise risk assessment to a standalone obligation. The proposal is open for comment through June 2026 and is not in force, and the pillars model stays operative.
Two US-specific points reshape the layers. On identity, the CDD Rule’s onboarding obligation on financial institutions stays fully in force at the twenty-five percent beneficial-ownership threshold, while the separate Corporate Transparency Act registry obligation was narrowed by the interim final rule effective 26 March 2025 to reach only foreign companies registered to do business in the US, leaving US-formed entities and US persons exempt. On sanctions, OFAC administers the program through the SDN List on a strict-liability civil standard, and the 50 Percent Rule blocks any entity owned fifty percent or more in aggregate by blocked persons even when unlisted. That ownership test is deliberately mechanical, and it is the structural counterpart to the EU’s control test.
The same layer, two instantiations
Three layers carry most of the divergence, and laid side by side they show which obligation binds.
| Layer | European Union | United States |
|---|---|---|
| Obligation / perimeter | AMLR-defined “obliged entities,” uniform across 27 states; all MiCA-authorised CASPs in scope | BSA-defined “financial institution,” expanded by rule; MSBs, broker-dealers, banks |
| Identity / beneficial ownership | AMLR customer due diligence + AMLD6 central registers; 25% threshold | CDD Rule at onboarding (25%, in force); CTA registry narrowed to foreign companies since 26 Mar 2025 |
| Sanctions screening | Control test — can bite below 50% where control/influence exists | OFAC 50 Percent Rule — mechanical ownership test; strict liability |
| Monitoring | Ongoing monitoring required under AMLR | Program requirement; suspicious-activity detection |
| Reporting | STR to national FIU (AMLD6-structured) | SAR to FinCEN; CTR above $10,000 |
| Supervision | Two-tier: AMLA (central, high-risk entities) + national supervisors | FinCEN + functional regulators; examination-driven |
| Program governance | AMLR: compliance officer + compliance manager on management body | “Pillars” model; proposed single effective-program standard (Apr 2026, not in force) |
No operation can pick one regime as its baseline, because neither is uniformly stricter. The EU’s control test catches ownership structures the US 50 Percent Rule lets through, while the US strict-liability standard punishes sanctions breaches the EU might weigh more leniently on intent. In practice a firm exposed to both runs its ownership tracing to the EU control standard, so that an entity controlled below fifty percent is still caught, and runs its sanctions screening and blocking to the US strict-liability and OFAC exposure wherever a US person or US-dollar leg is present. The two obligations operate at the same time, on the same counterparty, through the same onboarding and payment checks.
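The ownership tracing described in the screening section and in the paragraph above can be made concrete as a small piece of code. What follows is an added example written for this page, not the article’s own material and not any regulator’s or vendor’s implementation: it walks an ownership graph applying the aggregate 50 Percent Rule (holdings through a blocked intermediary count in full, holdings through a non-blocked one do not), runs an EU-style control test beside it, and returns the stricter outcome. It also shows the dependency on the identity layer by treating an unidentified owner as an untraced share that can leave the test unresolved. The parties, percentages, listings and control flags are constructed sample data; the `controllers` field stands in for whatever the due-diligence file records about control, and the EU ownership branch reuses the same 50% aggregation as a simplification, both of which are assumptions of the example.

```python
"""Ownership tracing at the screening layer: OFAC's 50 Percent Rule beside an EU-style
control test, and the stricter-outcome rule a firm exposed to both applies. Added example,
not part of the original article; parties, shares, control flags and listings are
constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field

UNIDENTIFIED = "UNIDENTIFIED"  # placeholder owner: the identity layer never established who holds this share
EPS = 1e-9


@dataclass
class Party:
    name: str
    listed: bool = False                                     # on a sanctions list itself
    owners: dict[str, float] = field(default_factory=dict)   # owner -> fraction of this party's equity
    controllers: set[str] = field(default_factory=set)       # persons recorded as exercising control (constructed)


@dataclass(frozen=True)
class OwnershipFinding:
    party: str
    blocked_share: float    # equity traced to blocked persons, directly or through blocked intermediaries
    untraced_share: float   # equity whose holder could not be established

    @property
    def blocked(self) -> bool:
        return self.blocked_share >= 0.50 - EPS

    @property
    def unresolved(self) -> bool:
        # Not blocked on what is known, but the untraced share could carry it to 50%.
        return not self.blocked and self.blocked_share + self.untraced_share >= 0.50 - EPS


def trace_ofac(name: str, graph: dict[str, Party], _path: tuple[str, ...] = ()) -> OwnershipFinding:
    """50 Percent Rule: blocked if listed, or owned 50% or more in aggregate by one or more
    blocked persons. A holding through an intermediate entity that is itself blocked counts
    in full; a holding through a non-blocked intermediate does not count at all."""
    party = graph[name]
    if party.listed:
        return OwnershipFinding(name, 1.0, 0.0)
    blocked_share = untraced_share = 0.0
    for owner, share in party.owners.items():
        if owner == UNIDENTIFIED:
            untraced_share += share
        elif owner in _path:
            continue                      # cycle guard: a circular holding is not counted twice
        else:
            sub = trace_ofac(owner, graph, _path + (name,))
            if sub.blocked:
                blocked_share += share
            elif sub.unresolved:
                untraced_share += share   # the intermediary's own identity gap propagates upward
    return OwnershipFinding(name, blocked_share, untraced_share)


def restricted_under_eu_control_test(name: str, graph: dict[str, Party], _path: tuple[str, ...] = ()) -> bool:
    """EU-style test: a restricted person controlling the entity catches it whatever the
    percentage. The ownership branch reuses the 50% aggregation (assumption of this example)."""
    party = graph[name]
    if party.listed:
        return True
    if name in _path:
        return False
    path = _path + (name,)
    if any(restricted_under_eu_control_test(c, graph, path) for c in party.controllers):
        return True
    owned = sum(share for owner, share in party.owners.items()
                if owner != UNIDENTIFIED and restricted_under_eu_control_test(owner, graph, path))
    return owned >= 0.50 - EPS


def disposition(name: str, graph: dict[str, Party]) -> str:
    """A firm exposed to both regimes runs the stricter outcome at this layer."""
    ofac = trace_ofac(name, graph)
    if ofac.blocked or restricted_under_eu_control_test(name, graph):
        return "BLOCK"
    if ofac.unresolved:
        return "HOLD_PENDING_IDENTITY"   # screening cannot complete until the identity layer fills the gap
    return "CLEAR"


# Constructed sample graph. X and Y are listed persons; PublicFloat is unlisted dispersed ownership.
SAMPLE_GRAPH: dict[str, Party] = {p.name: p for p in [
    Party("X", listed=True),
    Party("Y", listed=True),
    Party("PublicFloat"),
    Party("A", owners={"X": 0.50, "PublicFloat": 0.50}),                      # 50% by one blocked person
    Party("B", owners={"X": 0.25, "Y": 0.25, "PublicFloat": 0.50}),           # 50% in aggregate
    Party("C", owners={"A": 0.50, "PublicFloat": 0.50}),                      # 50% through blocked A
    Party("D", owners={"X": 0.30, "PublicFloat": 0.70}, controllers={"X"}),   # below 50%, but controlled
    Party("E", owners={"X": 0.30, UNIDENTIFIED: 0.30, "PublicFloat": 0.40}),  # identity gap
]}

if __name__ == "__main__":
    for party in ("A", "B", "C", "D", "E", "PublicFloat"):
        f = trace_ofac(party, SAMPLE_GRAPH)
        eu = restricted_under_eu_control_test(party, SAMPLE_GRAPH)
        print(f"{party}: OFAC blocked={f.blocked} EU restricted={eu} -> {disposition(party, SAMPLE_GRAPH)}")
```

Party D is the divergence the paragraph above describes: the mechanical ownership test clears it at 30%, the control test catches it, and the combined disposition blocks. Party E shows the upstream dependency: with 30% untraced, the screening layer cannot say whether the rule is met, so the correct output is a hold back to the identity layer rather than a clear.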
Layer dependencies and failure propagation
The layers are assessed as a system because they fail as one. A defect rarely stays where it starts; it travels the dependency chain and surfaces, often, several layers from its cause. Consider how the chain is wired — identity feeds screening and monitoring, monitoring feeds reporting, and the assurance tier sits over all of them, so an error introduced low in the stack is inherited by everything above it. This is why both regimes test program effectiveness over the presence of individual controls. Parts can all be present and the program still fail.
Take a beneficial owner who is never identified at onboarding. That single gap propagates upward. The screening layer cannot test the party against the 50 Percent Rule, the monitoring layer scores the relationship against a baseline that was wrong from the start, and the suspicious activity that should have been caught is never filed. An examiner who finds the missing filing is looking at a symptom whose origin sits several layers upstream — the beneficial-ownership check that never ran, and that check is where the remediation belongs. Stale identity data runs the same path more quietly — a profile accurate at onboarding and never refreshed de-calibrates monitoring against a customer whose behaviour has drifted from the record.
Screening breaks along a different axis, tied to the freshness of the lists more than to the identity beneath it. Designations change continuously, so a layer that checks at onboarding and never re-runs is right on the day it runs and steadily wrong after, as parties cleared once become listed while no one revisits them. After settlement finality, the timing failure is terminal. A match confirmed once the settled transaction is irrevocable can no longer block it, and what should have been a stopped payment is now a blocked-funds and reporting problem with the exposure already taken. The layer was present and operated at the wrong point in the lifecycle, so the remediation is a re-screening cadence and a pre-finality control gate at the rail, ahead of irrevocability.
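The lifecycle mapping earlier on this page (entry gate, flow-stage gate and sensor, exit-stage reporting, settlement finality as the deadline) and the screening timing failure described just above can be put into one runnable model. This is an added example for this page, not the article’s own code and not any rail’s or vendor’s implementation. It places each layer at its lifecycle position, then runs the same payment with and without a re-screen at release against a list that changed after onboarding, so the difference between a pre-finality block and a post-finality blocked-funds problem falls out of the code. The counterparties, list snapshots, the onboarding profile, the single monitoring scenario in `monitor()` and the filing labels are constructed; the $10,000 currency-report threshold is the one the article states.

```python
"""Compliance layers placed on one payment's lifecycle: screening as a hard gate that must
clear before settlement finality, monitoring as a sensor that raises alerts without holding
the payment, reporting fed by both. Added example, not part of the original article;
counterparties, list snapshots, profile and scenario rule are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

CTR_THRESHOLD = 10_000  # USD; currency transaction report threshold stated in the article


@dataclass(frozen=True)
class ListSnapshot:
    """State of the sanctions lists at one moment; designations move between snapshots."""
    as_of: str
    designated: frozenset[str]


@dataclass(frozen=True)
class Payment:
    ref: str
    counterparty: str
    amount: float
    cash: bool = False


@dataclass
class Outcome:
    ref: str
    screening: str                  # where, or whether, the screening gate fired
    settled: bool                   # True once the rail reached finality
    alerts: list[str] = field(default_factory=list)
    filings: list[str] = field(default_factory=list)


def hit(counterparty: str, snapshot: ListSnapshot) -> bool:
    """Screening against the list state at one point in time (exact name match only)."""
    return counterparty in snapshot.designated


def monitor(payment: Payment, profile: dict) -> list[str]:
    """Sensor: scores the payment against the onboarding profile. Stand-in for a real scenario
    set; the one rule here (amount above the profiled maximum) is constructed."""
    alerts = []
    if payment.amount > profile["expected_max_amount"]:
        alerts.append(f"{payment.ref}: amount {payment.amount:.0f} above profiled maximum")
    return alerts


def process_payment(payment: Payment, profile: dict, at_onboarding: ListSnapshot,
                    at_release: ListSnapshot, rescreen_at_release: bool = True,
                    reporting_wired: bool = True) -> Outcome:
    out = Outcome(payment.ref, screening="cleared", settled=False)

    # Entry gate: the relationship was cleared against the list current at onboarding.
    if hit(payment.counterparty, at_onboarding):
        out.screening = "blocked-at-entry"
        return out

    # Flow stage, hard gate: re-check against the list current at release. This runs
    # before finality, so a positive match holds the specific payment.
    if rescreen_at_release and hit(payment.counterparty, at_release):
        out.screening = "blocked-pre-finality"
        return out

    # Flow stage, sensor: monitoring observes and scores but does not hold the payment.
    out.alerts = monitor(payment, profile)

    # Settlement finality: the rail makes the payment irrevocable from here on.
    out.settled = True

    # Exit: the threshold filing is independent of suspicion; the SAR depends on the
    # reporting path actually being wired to the alert queue.
    if payment.cash and payment.amount > CTR_THRESHOLD:
        out.filings.append("CTR")
    if out.alerts and reporting_wired:
        out.filings.append("SAR")

    # A designation first seen after finality can no longer block the payment; the
    # exposure is realised and what remains is a blocked-funds and reporting problem.
    if hit(payment.counterparty, at_release):
        out.screening = "blocked-funds-post-finality"
        out.filings.append("blocked-funds-report")  # constructed label for the post-finality report
    return out


# Constructed sample data: "Newly Listed Ltd" was designated between onboarding and release.
ONBOARDING_LISTS = ListSnapshot("2025-01", frozenset({"Sanctioned Co"}))
RELEASE_LISTS = ListSnapshot("2025-06", frozenset({"Sanctioned Co", "Newly Listed Ltd"}))
PROFILE = {"expected_max_amount": 50_000.0}


def run_samples() -> dict[str, Outcome]:
    args = (PROFILE, ONBOARDING_LISTS, RELEASE_LISTS)
    return {
        "routine": process_payment(Payment("P1", "Acme Parts", 4_000), *args),
        "caught": process_payment(Payment("P2", "Newly Listed Ltd", 8_000), *args),
        "missed": process_payment(Payment("P2", "Newly Listed Ltd", 8_000), *args, rescreen_at_release=False),
        "cash": process_payment(Payment("P3", "Acme Parts", 250_000, cash=True), *args),
        "queued": process_payment(Payment("P3", "Acme Parts", 250_000, cash=True), *args, reporting_wired=False),
    }


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label}: screening={outcome.screening} settled={outcome.settled} "
              f"alerts={len(outcome.alerts)} filings={outcome.filings}")
```

The "caught" and "missed" runs are the same payment against the same lists; the only difference is whether the screening gate ran again at release, ahead of finality. "cash" and "queued" show the reporting layer’s two independent triggers and what happens to a detection when the reporting path is not wired: the CTR still files on the threshold alone, while the alert sits in the queue and never becomes a SAR.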
Couple monitoring and reporting and the failure runs in both directions. Strip the reporting path and monitoring produces detections that die in an alert queue — surveillance that sees the activity and discloses none of it, which to a regulator looks identical to no monitoring at all. Run monitoring with bad thresholds and the reverse appears — alert volume past the capacity to investigate, defensive over-filing, genuine intelligence buried while filing counts climb. When the FIU signal degrades, the symptom sits at the reporting layer while the failed control point is the monitoring calibration one layer below, and the fix is to tune the scenarios that throw the volume.
By the time any of this reaches an examiner, the assurance tier has already failed at its one job — catching the propagation first. Independent testing exists to find the unidentified owners, the stale profiles, the screening that never re-ran, and the detections that never became filings, before a regulator or an enforcement action does. Let the tier go weak or lose its independence and those faults sit undetected until they surface together. A compliance function reporting into the business it assures cannot raise the findings credibly, so the failure here is the loss of the one mechanism that would have caught every other layer’s failure while the remediation was still cheap.
Read every failure backward. A missed filing points down to the identity check that never captured the owner; blocked funds point to a screening gate that fired after finality; a degraded FIU signal points to monitoring thresholds a layer below; and an examination that surfaces all of them at once points to an assurance tier that stopped testing. The symptom names the layer to inspect next, one step down the dependency chain, and the remediation belongs at the control point where the chain first broke.
