
Second Line of Defence: Designing a Risk-Based Financial Crime Quality Assurance Monitoring & Testing Programme

Continuing from the first and second articles in the series, Thistle Initiatives’ Michael Knight-Robson now looks at monitoring and testing the framework in the second line of defence.

The majority of firms with a well-designed three lines of defence model can demonstrate that they conduct financial crime monitoring and testing in the second line of defence (2LOD). However, in my experience, not many can clearly articulate how they have developed a monitoring and testing programme which is aligned to their risk profile.

A 2LOD financial crime quality assurance, monitoring and testing framework should not exist simply to evidence oversight. Its purpose is to provide independent, risk-based insight into whether the firm’s financial crime compliance framework is genuinely operating as intended, and whether senior management’s view of residual risk is realistic. Done correctly, it becomes one of the most powerful mechanisms in the financial crime compliance governance structure. Done poorly, it becomes a repetitive exercise that duplicates first-line quality control and generates reporting that is simply descriptive and not diagnostic.

The Purpose of 2LOD Financial Crime Monitoring and Testing

The second line exists to provide independent oversight and challenge. In the context of financial crime compliance, that oversight must go beyond confirming that procedures are being followed. The real purpose of 2LOD monitoring and testing is:

  1. Assessing whether key financial crime controls are appropriately designed to mitigate the firm’s inherent risks. A control may be diligently executed but fundamentally misaligned to the risk it is intended to manage.
  2. Evaluating whether those controls operate effectively in practice. This involves testing real files, real alerts, real escalations and real outcomes, and not just theoretical compliance.
  3. Translating testing outcomes into a clear view of residual risk. Senior management and the Board do not need operational detail - they require confidence that the firm understands whether its highest financial crime risks are genuinely being mitigated.

Unlike first-line quality control (1LOD QC), which is often transaction-focused and corrective in nature, 2LOD assurance operates at a systemic level. The objective is not to catch individual errors for remediation, but to determine whether the control framework as a whole is reliable. Therefore, whereas 1LOD QC must ensure that individual controls are performed accurately and to a high standard, the 2LOD QA function must ensure that, collectively, the controls are effective and manage risk.

Designing a Risk-Based Monitoring and Testing Programme

A credible 2LOD monitoring programme must be demonstrably risk-based. This is not just a regulatory expectation, but a logistical necessity to ensure resources (which are generally constrained) are effectively managed. Monitoring and testing that is not aligned to risk is inefficient, and consequently not aligned to the FCA’s expectations.

The starting point should always be the firm’s financial crime business-wide risk assessment (BWRA). The BWRA identifies inherent risk exposures across products, customer types, transactions, delivery channels and geographies. It also outlines the key mitigating controls and the firm’s assessment of residual risk.  

A well-designed monitoring plan is explicitly informed by the BWRA. For each material financial crime risk, the programme should identify:

  • The key controls relied upon to mitigate that risk
  • The level of inherent risk exposure
  • The assumed strength of the control environment

These elements should then inform the frequency and depth of testing required. Where inherent risk is high, monitoring intensity must increase. Where risk is lower and controls are demonstrably mature, testing should be less frequent and less in-depth from a volume perspective, but of course never absent.

Take, for example, a firm with significant cross-border payment activity and exposure to higher-risk jurisdictions; its inherent sanctions risk is likely elevated. In such a case, monthly testing of sanctions screening effectiveness may be appropriate, including alert quality assessment. Further to this, the firm may want to consider a quarterly assessment of the effectiveness of the screening tool through threshold calibration, false negative analysis and the use of synthetic data to test whether the tool is producing accurate results. Equally, if monitoring identifies elevated error rates in a particular area, for example enhanced due diligence weaknesses, subsequent testing cycles should increase both sample size and frequency until confidence in control effectiveness is restored.

The critical point is that the frequency and volume of testing must be justified by risk. A financial crime compliance monitoring plan that applies equal testing cycles across all areas, regardless of risk exposure, could be exposed to regulatory scrutiny. That said, we are increasingly seeing a small number of firms move to a 100% QA monitoring and testing programme, in which all controls are tested weekly or monthly. This may sound excessive; however, with effective automation tools able to check compliance with policies and procedures, it can give firms the highest level of assurance that controls are effective, or that control gaps are identified swiftly before weaknesses become systemic. Firms will need to conduct a sensible cost-benefit analysis of developing or onboarding such a tool, and of the resources needed to keep it effective.

Thematic Reviews to Complement Regular Monitoring and Testing

A strong and mature 2LOD financial crime compliance monitoring programme differentiates between regular monitoring and thematic reviews. Regular monitoring is structured, scheduled and predictable. It provides ongoing assurance across key controls and ensures that no material risk area is left untested for extended periods. Regular monitoring applies consistent methodologies and sampling approaches, allowing the 2LOD to track error rates, identify deterioration or improvement in control performance, and assess whether remediation actions are genuinely effective. It forms the backbone of baseline oversight; without it, assurance becomes reactive and fragmented.

However, regular monitoring and testing has natural limitations. By design, it is scoped at the start of the year, cyclical and often control-specific. It answers the question: “Is this control operating effectively at this point in time?” It does not always answer the broader question: “Is our overall approach to this risk coherent, consistent and aligned to our stated risk appetite?” This is where thematic reviews play a critical role.

Thematic reviews are not simply larger samples or extended testing exercises. They are targeted, diagnostic deep-dives intended to explore systemic issues, emerging risks or areas of heightened regulatory interest. For example, four years ago, a significant number of firms would have (or should have) conducted a deep-dive thematic review on the effectiveness of their sanctions screening systems and controls. Unlike cyclical testing, thematic reviews should not work in silos; instead they assess how multiple controls interact in practice and whether risk management is consistent end-to-end. They go beyond testing controls in isolation to include qualitative analysis, interviews with key stakeholders, governance assessment and root cause evaluation alongside file testing. Importantly, thematic reviews can also enable forward-looking assurance. While regular monitoring and testing is often retrospective, i.e. assessing the historic effectiveness of CDD files and alert investigations, thematic reviews can evaluate whether control frameworks are sufficiently robust to manage anticipated growth or new products.

Together, regular monitoring, testing and thematic reviews create a balanced 2LOD assurance model. Cyclical testing provides breadth, stability and trend visibility, while thematic reviews provide depth, insight and strategic challenge. A 2LOD function that relies solely on cyclical sampling risks missing systemic weaknesses. One that relies solely on thematic deep-dives risks losing comprehensive coverage.

A mature framework integrates both approaches in a coordinated manner, ensuring that the firm benefits from continuous baseline oversight while retaining the flexibility to investigate and challenge areas of heightened or evolving risk.

Reporting to Senior Management

Monitoring and testing only adds value if it translates into meaningful reporting. In my experience, too often senior management is unaware of issues and risks arising in a firm’s financial crime compliance framework until the MLRO Report is presented. Senior management does not require granular findings; however, it does require clarity on control effectiveness, trend analysis, residual risk implications and, ultimately, any remediation plans should gaps be consistently identified. Effective monthly reporting to the appropriate committee should therefore include:

  • The overall effectiveness rating of key financial crime controls
  • The severity and systemic nature of any identified weaknesses, with clear remediation timelines
  • Trend analysis across reporting periods
  • Overview and results of root cause analysis
  • The impact on residual risk relative to the firm’s key performance indicators (KPIs) and risk appetite

Utilising Monitoring and Testing Outcomes to Inform the Business-Wide Risk Assessment

As is too often seen in financial crime business-wide risk assessments, firms which do not appropriately assess the effectiveness of their control frameworks fail to inform their residual risk. Relying on design only (i.e. “Yes, we complete CDD on all customers”) fails to meet regulatory expectations. Consequently, firms must use the information obtained from their monitoring and testing, rather than just the less frequent internal audit reviews, to inform the assessment of control effectiveness in their financial crime business-wide risk assessment (BWRA). The BWRA often assumes a level of control effectiveness; the outcomes of the financial crime monitoring and testing programme provide the evidence to validate, or challenge, that assumption. For example, if testing identifies recurring weaknesses in transaction monitoring alert investigations, the control effectiveness rating in the BWRA should reflect this. This perhaps sounds obvious, but in my experience it is not always done. A downgrade in the assessed effectiveness may increase residual risk, potentially bringing it closer to or beyond appetite thresholds, which, as highlighted above, needs to be clearly documented and escalated to senior management.
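The risk-based plan described under “Designing a Risk-Based Monitoring and Testing Programme” (inherent risk and assumed control strength driving testing frequency and sample size, with intensity stepped up when error rates rise) and the feedback loop described in this section (testing outcomes downgrading the BWRA’s assumed control effectiveness and flagging residual risk against appetite) can be expressed as a small model. The code below is an added illustration and is not from the article or from Thistle Initiatives; the 1-to-5 scales, the residual score, the tier thresholds, the 5% error tolerance and the sample BWRA entries are all constructed assumptions chosen to show the mechanics, not figures any regulator or firm prescribes.

```python
from dataclasses import dataclass

# Illustrative scales, tiers and thresholds (assumptions for this example, not figures from the article).
TIERS = [  # (minimum residual score, testing frequency, files sampled per cycle)
    (15, "monthly", 50),
    (8, "quarterly", 25),
    (0, "semi-annual", 10),
]
ERROR_TOLERANCE = 0.05          # assumed per-cycle QA error-rate tolerance
CLEAN_CYCLES_TO_STEP_DOWN = 2   # clean cycles required before intensity is reduced


@dataclass
class RiskArea:
    """One material financial crime risk from the BWRA, with its key mitigating controls."""
    name: str
    key_controls: list
    inherent: int           # 1 (low) .. 5 (high) inherent risk exposure
    control_strength: int   # 1 (weak) .. 5 (mature): the BWRA's assumed control effectiveness
    appetite: int           # maximum residual score tolerated (assumed appetite threshold)
    escalation: int = 0     # intensity steps added by adverse testing results
    consecutive_breaches: int = 0
    consecutive_clean: int = 0

    def residual(self) -> int:
        # Residual risk rises with inherent risk and falls with control strength (range 1..25).
        return self.inherent * (6 - self.control_strength)

    def base_tier(self) -> int:
        for index, (floor, _, _) in enumerate(TIERS):
            if self.residual() >= floor:
                return index
        return len(TIERS) - 1

    def plan(self) -> dict:
        # Each escalation step moves the area up one tier (never above monthly) and doubles the sample.
        tier = max(0, self.base_tier() - self.escalation)
        _, frequency, sample = TIERS[tier]
        return {
            "risk": self.name,
            "controls": self.key_controls,
            "residual": self.residual(),
            "frequency": frequency,
            "sample_size": sample * (2 ** self.escalation),
            "within_appetite": self.residual() <= self.appetite,
        }

    def record_cycle(self, files_tested: int, errors: int) -> dict:
        """Feed one testing cycle back into the plan and into the BWRA effectiveness rating."""
        rate = errors / files_tested
        downgraded = False
        if rate > ERROR_TOLERANCE:
            self.consecutive_breaches += 1
            self.consecutive_clean = 0
            self.escalation += 1
            # A recurring weakness means the BWRA can no longer assume the control is as strong as designed.
            if self.consecutive_breaches >= 2 and self.control_strength > 1:
                self.control_strength -= 1
                downgraded = True
        else:
            self.consecutive_breaches = 0
            self.consecutive_clean += 1
            if self.escalation and self.consecutive_clean >= CLEAN_CYCLES_TO_STEP_DOWN:
                self.escalation -= 1
                self.consecutive_clean = 0
        return {
            "error_rate": round(rate, 3),
            "escalated": rate > ERROR_TOLERANCE,
            "bwra_downgraded": downgraded,
            "escalate_to_senior_management": self.residual() > self.appetite,
        }


def build_plan(areas: list) -> list:
    """Monitoring plan ordered by residual risk, so the highest risks receive the most testing."""
    return sorted((area.plan() for area in areas), key=lambda p: p["residual"], reverse=True)


# Constructed BWRA extract for a firm with material cross-border payment activity.
SANCTIONS = RiskArea("Sanctions", ["Name screening", "Payment screening", "Alert review"], 5, 3, 16)
EDD = RiskArea("Enhanced due diligence", ["EDD approval", "Source of wealth review"], 3, 4, 8)

if __name__ == "__main__":
    for entry in build_plan([SANCTIONS, EDD]):
        print(entry)
    # Two consecutive cycles above tolerance: intensity rises, then the BWRA rating is downgraded
    # and residual risk moves beyond appetite, which must be escalated to senior management.
    print(SANCTIONS.record_cycle(50, 4))
    print(SANCTIONS.record_cycle(100, 9))
    print(SANCTIONS.plan())
```

The point of the model is the two directions of flow: the BWRA drives the plan (higher residual score, more frequent and larger testing), and testing results flow back (sustained error rates above tolerance raise intensity, downgrade the assumed control strength and can push residual risk outside appetite). A real programme would replace the constructed scales with the firm’s own scoring and tolerance definitions.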

Avoiding Duplication with First-Line Quality Control

One of the most common structural weaknesses in 2LOD frameworks is duplication of first-line quality control activity. The first line typically performs quality control checks to ensure operational accuracy and immediate remediation prior to completion, e.g. reviewing due diligence before the CDD file is signed off and approved. If 2LOD simply re-performs those checks at scale, it adds limited incremental value.

The distinction, therefore, must be clear. First-line quality control is corrective and operational; second-line monitoring and testing is evaluative and systemic. Rather than replicating first-line sampling, 2LOD should analyse quality control outputs, assess error trends, challenge tolerance thresholds and test whether the QC framework itself is effective. Periodic “testing of the tester”, re-performing a subset of first-line QC reviews, can provide validation without duplication. The objective is oversight and independent challenge, not operational substitution.

Ensuring Monitoring and Testing Delivers Genuine Assurance

An effective 2LOD financial crime monitoring and testing framework should ultimately provide senior management with clear answers to four fundamental questions: 

1. Where are our highest inherent financial crime risks? 
2. Are the controls mitigating those risks genuinely effective? 
3. Are the gaps occurring in silos or systemically?
4. Is our residual risk within appetite? 

If the framework cannot answer those questions with evidence, it is unlikely to meet regulatory expectations. A robust 2LOD function does not simply report control breaches. It translates operational findings into strategic risk management to allow effective and efficient remediation where needed. It ensures that the firm’s perception of its financial crime risk exposure is grounded in tested reality rather than policy assumptions. 

In an environment of increasing regulatory scrutiny, that distinction is critical. 

Next week, I will be publishing an article on how the 3LOD should provide independent assurance on firms’ financial crime systems and controls in a way that adds value, rather than repeating the same scope and delivery each time.


Meet the Expert

Michael Knight-Robson, Financial Crime Partner

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.