Monitoring and Testing
Monitoring and testing are two distinct compliance functions that work together to verify your controls are operating as designed and to surface problems before examiners do.
Despite often being referenced as a single phrase, they serve different purposes, operate at different cadences, and are typically owned by different lines of defense. Examiners expect to see both clearly defined and independently documented within your Compliance Management System.
Testing is the periodic, hands-on review of individual transactions, files, or controls conducted by your first line of defense. It’s where issues are discovered for the first time. A defensible testing function includes a documented plan, a clear sample selection methodology, defined periodicity tied to risk, and written results that capture what was reviewed, what was found, and what action was taken.
Monitoring is the higher-level, less frequent review of testing outputs, exception trends, and patterns over time, typically owned by the second line of defense or a compliance advisory function. Where testing asks “Is this control working right now?” monitoring asks “Are we seeing patterns that suggest something is breaking?” A defensible monitoring function produces its own reports, tracks trends across review periods, and feeds findings back into risk assessments, training, and policy updates.
For banks, fintechs, and crypto companies, the distinction matters because it maps directly to the three lines of defense model regulators evaluate. When the two are blurred into a single undifferentiated activity, examiners lose visibility into whether your program has the structural independence and documentation rigor they expect.
