Appearance
Testing and Ongoing Monitoring, Documentation, Explainability, and Independent Review
This page covers the four areas where FINMA looks for evidence that governance is actually working: tests and ongoing monitoring (§2.4), documentation (§2.5), explainability (§2.6), and independent review (§2.7). It maps the org requirements ORF-441 (documentation standards) and ORF-446 (the independent-review function), and the app requirements MRF-408, MRF-409, MRF-410, and MRF-411.
These four areas are where most of the evidence overlap with existing ISO 42001, EU AI Act, and NIST AI RMF programmes lives — testing results, model documentation, explainability artefacts, and independent-validation reports.
Primary source
FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, 18 December 2024. This page draws on §2.4 (Tests and ongoing monitoring), §2.5 (Documentation), §2.6 (Explainability), and §2.7 (Independent review), with proportionality from §1. Official PDF.
The four areas at a glance
| Requirement | Area | What FINMA assessed | Exclusive control | Gated? |
|---|---|---|---|---|
MRF-408 | Tests and ongoing monitoring (§2.4) | Whether tests, expert-set expectations, thresholds, drift monitoring, and analysis of overridden outputs are scheduled and defined in advance | MCF-643 | No |
ORF-441 | Documentation (§2.5) | Whether institution-wide documentation standards (content, form, retention, availability) exist so decentralised development still yields consistent, recipient-oriented documentation | — (reuses OCF-47) | No |
MRF-409 | Documentation (§2.5) | Whether material applications are documented across purpose, data, model, testing, and fallback, with the risk categorisation justified and reviewed | — (reuses shared controls) | Material applications only |
MRF-410 | Explainability (§2.6) | Whether results can be understood, explained, and reproduced, with depth rising where decisions must be justified to a defined audience | — (reuses MCF-40, MCF-41) | Depth gated by audience trigger |
MRF-411 | Independent review (§2.7) | Whether material applications receive an objective, informed, unbiased review by reviewers distinct from development, fed back into development | — (reuses MCF-237, MCF-61) | Material applications only |
ORF-446 | Independent review (§2.7) | Whether development and independent review are kept structurally separate and the entire model-development process is reviewed by qualified personnel | OCF-358 | No |
Tests and ongoing monitoring (§2.4)
FINMA observed weaknesses in how institutions selected performance indicators and how they tested and monitored applications over time. Its own words set the bar: "FINMA assessed whether the supervised institutions schedule tests to ensure the data quality and functionality of the AI applications, which include checks for accuracy, robustness and stability and, if necessary, bias."
All of §2.4 maps to MRF-408. FINMA assessed whether institutions:
- schedule tests for data quality and functionality — accuracy, robustness and stability, and bias where relevant;
- have domain experts set predefined questions, expectations, and performance indicators in advance;
- define thresholds and validation methods for output correctness;
- monitor input-data drift;
- analyse cases where output was ignored or overridden; and
- give prior thought to recognising and handling exceptions, with a defined fallback.
The guidance sketches a test taxonomy (§2.4, footnote 8): tests where the correct result is known and the application is checked against it (backtesting, out-of-sample testing); constructed tests for borderline or edge-case behaviour (sensitivity analyses, stress testing); tests with incorrect input data (adversarial testing); tests against additional, possibly simpler benchmark models; and tests that probe application limits and check results for repeatability.
The one FINMA-exclusive app control lives here. MCF-643 ("Analyze overridden and ignored AI outputs") captures and periodically analyses the cases where users ignore, override, or correct an application's output — a direct signal of model weakness — and requires exception-recognition and fallback to be defined in advance. It is not reused, because the nearest existing control targets agentic-oversight metrics rather than general manual-override analysis.
Documentation (§2.5)
Some institutions lacked centralised documentation requirements, and existing documentation was sometimes not detailed enough or not oriented to its recipient. FINMA split its expectation across an org standard and a per-application duty.
ORF-441 — documentation standards (org). The institution maintains institution-wide documentation standards — content, form, retention, and availability — so that decentralised development still yields consistent, detailed, recipient-oriented documentation. It reuses OCF-47.
MRF-409 — documentation of material applications (app). For material applications, FINMA assessed whether documentation covers purpose, data selection and preparation, model selection, performance measures, assumptions, limitations, testing and controls, and fallback; whether data sources and quality checks (integrity, correctness, appropriateness, relevance, bias, stability) are presented; how robustness, reliability, and traceability are ensured; and whether the risk categorisation is justified and reviewed. This requirement carries an explicit Applicability section: it applies only where the application is classified as material, and the scoping evidence is the risk-classification record from MRF-407. It reuses shared documentation controls and needs no FINMA-exclusive control.
Explainability (§2.6)
FINMA observed that AI results often cannot be understood, explained, or reproduced — and therefore cannot be critically assessed. Its expectation is proportionate rather than a blanket demand for interpretability.
MRF-410 — explainability of AI applications. The institution maintains explainability sufficient to understand the drivers of an application and its behaviour under different conditions, so the plausibility and robustness of results can be judged. Depth rises where decisions must be justified to a defined audience — investors, clients, employees, the supervisory authority, or the audit firm. There is no formal Applicability section, but that "justification owed to a defined audience" trigger is what gates how much explainability a given application needs. It reuses MCF-40 and MCF-41.
Independent review (§2.7)
FINMA did not always see a clear line between development and independent review, and found that only a few institutions had qualified personnel review the entire model-development process. The guidance is precise about what a review should produce: "For material applications, FINMA assessed whether the independent review included the submission of an objective, informed and unbiased opinion on the appropriateness and reliability of a process for a particular application and whether the results of the independent review were taken into account in the development of the application."
Modulos splits this across the org function and the per-application execution.
ORF-446 — independent review of AI models (org). The institution keeps development and independent review structurally separate, and has qualified personnel independently review the entire model-development process to identify and reduce model risk. It establishes the review function and its independence org-wide, and carries the FINMA-exclusive control OCF-358 ("Independently review the AI model development process") — not reused, because existing audit-objectivity controls are generic rather than specific to model development.
MRF-411 — independent review of material applications (app). For material applications, the institution obtains an objective, informed, unbiased opinion on process appropriateness and reliability from reviewers distinct from development, and feeds the results back into development. This carries an explicit Applicability section: it applies only to applications assessed as material — non-material applications are out of scope, though lighter review may still be proportionate — and the scoping evidence is the materiality and risk classification in the AI inventory. It reuses MCF-237 and MCF-61. The org requirement builds the function; the app requirement runs it per material application.
Cross-framework mapping (preview)
Preview
These four areas are where reuse is heaviest, at a high level only:
- ISO/IEC 42001 — testing, documentation, and independent-validation records correspond to the operational-control, performance-evaluation, and internal-audit clauses.
- EU AI Act — technical documentation, logging, and post-market monitoring expectations overlap at the control level with FINMA's documentation, testing, and monitoring areas.
- NIST AI RMF — the Measure and Manage functions align with FINMA's testing, monitoring, and review areas.
These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.
Related pages
FINMA AI Governance overview
Framework structure, scope, proportionality, and the OFF-22 / MFF-22 split
Governance, inventory, and data quality
The three foundational areas these evidentiary duties build on — ORF-439/440/442/443/444/445, MRF-407/412
Operationalizing in Modulos
The OFF-22 / MFF-22 rollout sequence, control split, and evidence model
Source attribution
The authoritative source is FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority. This page draws on §2.4 (Tests and ongoing monitoring), §2.5 (Documentation), §2.6 (Explainability), and §2.7 (Independent review), with the proportionality principle from §1. Requirement and control codes are Modulos template identifiers, not FINMA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 applies FINMA's existing supervisory framework to AI and creates no new obligations; institutions remain fully responsible for their own compliance. Verify against the current published edition and consult qualified advisers.